| Domains | Capabilities | Total Practices per Domain | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|---|---|
| Audit and Accountability | 8 | 27 | 2 | 9 | 7 | 7 | 2 |
| Awareness and Training | 4 | 16 | 0 | 4 | 5 | 7 | 0 |
| Identity and Authorization | 2 | 17 | 2 | 1 | 9 | 2 | 3 |
| System and Comms Protection | 3 | 45 | 2 | 10 | 13 | 12 | 8 |
| Systems and Info Integrity | 5 | 13 | 4 | 5 | 0 | 2 | 2 |
| Total Practices per Level (all domains) | | | 35 | 115 | 91 | 95 | 34 |
The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC is not entirely derived from NIST 800-171; rather, it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.
The DoD plans to release version 1.0 in January 2020. This leaves contractors just six months to prepare before CMMC starts appearing in Requests for Information (RFIs) in June 2020.
Yes. Many of the same controls that are in NIST 800-171 will be included in CMMC along with controls from other standards such as ISO, FedRAMP, and various NIST frameworks.
CMMC also requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.
Existing DoD contracts that contain the DFARS 252.204-7012 clause will still require your organization to provide documentation proving compliance with 800-171. We don't know whether Contracting Officers will be asked to modify active contracts to swap 800-171 for CMMC. This may end up being a per-contract decision. CMMC is different from NIST 800-171, but the controls can be mapped from 800-171 to the levels of certification within CMMC.
Yes. All companies doing business with the Department of Defense will need to obtain CMMC certification, even if you are a subcontractor.
We’re not sure yet. This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. We can say this: the entire point of CMMC is to make it more feasible for small to mid-sized businesses to become compliant while ensuring that any sensitive information or CUI your organization handles remains safe. This means that most companies will fall under Level 1 or Level 2 (which will map 64 controls from 800-171), while prime contractors can expect to become Level 3 certified (which will map all 110 controls from 800-171). Levels 4 and 5 (which will map additional controls found in 800-171 Rev B) will typically be required of the large primes like Lockheed Martin and Northrop Grumman.
Step one is to get NIST 800-171 documentation out of the way. This will help with mapping those controls and keep you compliant with the current DFARS clause.
The second step is to map your 800-171 assessment to the CMMC requirements once they're released. Be ready to address the gaps you find during mapping and implement solutions to remediate them.
The third step is to find an authorized 3rd party to audit your assessment and give you a certification for the level you need. You should have no trouble finding an auditor even before the requirements are released, since it's very likely that existing 800-171 service companies will transition to CMMC auditors.
We’re not sure yet. They are still considering that part.
We can’t say for sure. That depends entirely on the market. Ms. Katie Arrington and her team have made it clear that they are trying to keep the cost down and are encouraging industry to automate as much of this process as possible. ComplyUp is taking that approach and applying it to our business model. Our software is cost-effective and practical. Our existing 800-171 platform can get you your NIST 800-171 documentation, and when the time comes, we'll migrate you to the new CMMC standard at no additional cost. We've also screened several auditing organizations and selected our partners based on the promise that they keep their cost low when working with our clients. The cost and associated assessment will likely scale with the level requested.
You will need to become an accredited 3rd party commercial certification organization. We are not sure what the exact steps are on how to get this done right now. We do know that you will need to go through some sort of a vetting process to become an accredited auditor. Once you’ve become accredited you will be able to start auditing companies and handing out certifications.
We don’t quite know the answer to that question either right now. Here’s what we can say: The DoD is selecting a non-profit organization who is going to be doing the accrediting. This means that you will go through some process with that organization in order to become accredited. Once you’re accredited, you’ll be able to start doing audits.
No. They have made it quite clear that they do not want the organizations who are performing the audits to also be the ones implementing the CMMC requirements for the contractor.
There’s nothing definitive on what type of deliverables we’ll be looking at. However, one could probably surmise that the contractor will need to provide some sort of System Security Plan, similar to that of NIST 800-171, and the auditor will most likely need to provide a Report on Compliance, similar to that of PCI and FedRAMP.
Yes. If you want to be a successful CMMC auditor, it is important to keep the same goals in mind as the folks pushing CMMC. They want this to be cost-effective. That means we’re not dealing with a whole lot of “enterprise” customers here. We’re talking about the ENTIRE DoD supply chain, most of which are small businesses. In order to play ball, you’ll need to keep your cost low and keep the process somewhat automated.