A Single Standard for all DoD Contracts

The CMMC requires the implementation of cybersecurity controls and procedures across a contractor’s enterprise network, infrastructure, and assets.

Previous regulations for DoD contractors handling CUI were specified in DFARS Clause 252.204-7012 and FAR Clause 52.204-21, and allowed for self-certification of compliance with appropriate NIST 800-171 controls.

How Does CMMC Compare to NIST 800-171?

The CMMC encompasses the security requirements for CUI specified in both the aforementioned DFARS and FARS clauses; however, the CMMC certification model does not allow for self-attestation.

In order to become certified, DoD contractors will need to be assessed by a certified third party assessor (C3PAO) to ensure that the appropriate levels of security are in place.

CMMS Domains

The CMMC model consists of 17 domains, the majority of which originated from the NIST SP 800-171 control families.

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • System and Communications (SCP)
  • System and Information Integrity (SII)

CMMC Levels

What Does the CMMC Mean for Companies Seeking or Using DoD Contracts?

Any DoD contractor or subcontractor will need to become CMMC certified by an accredited assessor in the near future. Under the CMMC, there will be no Plan of Action and Milestones (POA&M) so it is vital that companies seeking DoD contracts or currently doing business with the DoD on projects involving CUI and FCI carefully consider the CMMC level that they will be required to achieve and be prepared to undergo the CMMC certification process.

Get Ahead of Your Certification Requirements with DirectDefense

As the requirements for C3PAO have not yet been published, no auditors can currently provide a CMMC certification. DirectDefense plans to obtain the required credentials to be able to perform CMMC Certification Audits once made available.

However, based on our deep experience with the NIST 800-171 DFARS certification process, we are currently offering CMMC Readiness Assessment services to prepare your organization to meet its future certification requirements.

Start the CMMC Certification process. Contact us today.

Related Content:
Service Brief