Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defence industrial base. It’s a framework designed to protect sensitive defence information housed within contractor systems and networks, reinforcing the security of the supply chain that underpins U.S. national security.

CMMC, or Cybersecurity Maturity Model Certification, is a tiered cybersecurity programme mandated by the Department of Defense (DoD) to safeguard against cyber threats within its supply chain. CMMC is a certification process designed to ensure protection over sensitive data that resides on contractors’ networks.

Increased cyber threats that compromised defence data on contractor-operated systems prompted the creation of CMMC. To counteract this vulnerability, the DoD developed CMMC as an amalgamation of various cybersecurity standards and best practices—including NIST SP 800-171 and FAR clause 52.204-21—while also incorporating input from industry experts and academic institutions.

With this initiative, the DoD ensures that all contractors meet a benchmarked level of cybersecurity maturity before being awarded government contracts involving Controlled Unclassified Information (CUI). By standardising these requirements across all levels of its supply chain, CMMC serves not just as a compliance measure but also as an assurance framework for securing critical assets essential to U.S. national security interests at home and abroad.

CMMC compliance is essential for a specific group in the defence sector. Organisations contracting with the DoD, including subcontractors, must meet CMMC requirements.

This spans a wide array of companies—from those providing direct product support to defence services to suppliers further down the supply chain. Essentially, if an entity is part of the Defense Industrial Base (DIB) and handles CUI, investing in CMMC compliance becomes mandatory.

The importance of CMMC cannot be overstated for several reasons:

• Protection against cyber threats: The rise in cyber-attacks targeting sensitive government data necessitates robust security protocols. By adhering to CMMC standards, organisations can better protect against espionage, theft, and sabotage by malicious actors.
• Assurance across supply chain: It ensures all members within the DoD’s supply chain maintain consistent cybersecurity practices—establishing trust throughout every level by ensuring each link in the chain takes information protection seriously.
• Competitive advantage: For businesses seeking DoD contracts, achieving certification can serve as a differentiator from competitors who may not meet required levels—a key consideration when submitting a proposal for a coveted defence project.
• Regulatory compliance: Beyond securing data lies a legal obligation. Failure to comply with CMMC compliance regulations could result in fines, penalties, or loss of eligibility for future contracting opportunities, effectively barring non-compliant entities from participation in critical defence projects.

CMMC compliance is more than just meeting regulatory requirements. It’s a demonstration of an organisation’s commitment to safeguarding national security. By adhering to these stringent cybersecurity measures, companies enhance their resilience against vulnerabilities and contribute to the continuity and integrity of operations crucial for the wider defence space. Compliance strengthens the military’s collective efforts to protect the vital systems upon which modern society relies.

CMMC 2.0 is the updated version of the original Cybersecurity Maturity Model Certification (CMMC) programme rolled out by the DoD. This iteration has been introduced to refine and streamline cybersecurity requirements, making it more accessible for contractors in the defence supply chain while still upholding a high standard of security.

Several key objectives drove the development of CMMC 2.0:

• Simplification: The DoD aimed to reduce complexity in achieving compliance by consolidating five maturity levels into three, focusing on essential cybersecurity practices.
• Increased clarity: It provides clearer guidance around certification requirements that improves understanding and consistency across all companies involved with DoD contracts.
• Alignment with existing standards: CMMC 2.0 aligns more closely with well-established standards outlined in FAR regulations, helping organisations integrate their existing compliance efforts into this new model without redundant or conflicting measures.
• Efficient resource utilisation: By streamlining assessment procedures and documentation, CMMC 2.0 enables quicker certification processes—a change especially beneficial for small and medium-sized businesses in the defence industry.

CMMC 2.0 is designed to strengthen cybersecurity defences while also promoting fairness and accessibility within the defence supply chain. The updates facilitate a more equitable environment where companies of all sizes can protect sensitive information effectively without excessive strain on their resources.

This table provides a clear overview of the changes and differences between CMMC 1.0 and CMMC 2.0.

CMMC 2.0 reflects a dynamic approach that caters to the modern challenges of digital security, ensuring that our nation’s defence infrastructure remains robust against today’s threats.

To achieve CMMC compliance, organisations must understand and meet the criteria outlined in one of three maturity levels—each corresponding to a set of cybersecurity practices with increasing complexity and rigour. These tiers are grounded in widely accepted NIST (National Institute of Standards and Technology) standards.

Level 1 – Foundational:

• At this initial level, an organisation must implement basic cyber hygiene practices.
• It involves 17 controls primarily derived from FAR clause 52.204-21 focusing on essential safeguarding measures for federal contract information (FCI).
• This tier is a starting point for small companies or subcontractors new to the DoD supply chain.

Level 2 – Advanced:

• This intermediate stage requires establishing and documenting standardised processes based on NIST SP 800-171 rev2 guidelines.
• This level emphasises protecting CUI, with requirements extending beyond foundational cybersecurity protocols into more robust protection mechanisms against threats.
• Companies at this level should have established policies governing their cybersecurity efforts while actively managing their data protection strategies.

Level 3 – Expert:

• At the pinnacle of CMMC, Level 3 requires organisations to implement advanced cybersecurity practices to protect against sophisticated threats.
• This level builds upon NIST SP 800-171 rev2 by incorporating additional controls from sources like NIST SP 800-172, ensuring protection against Advanced Persistent Threats (APTs).
• Companies at this tier must show that they can not only establish but also actively manage and adapt their cybersecurity posture in response to evolving tactics and techniques used by cyber adversaries.
• Certification at this expert level indicates a company’s capability to provide the highest security standard for DoD projects requiring uncompromised defence mechanisms.

These CMMC levels are widely accepted because they are based on established NIST cybersecurity standards recognised as comprehensive and robust frameworks for protecting sensitive government information.

The requirement for obtaining a CMMC certificate impacts a specific group in the defence sector:

• Defence contractors: Any organisation, large or small, that intends to do business with the DoD by directly bidding on contracts.
• Subcontractors: Companies further down the supply chain that may not contract directly with the DoD but contribute to fulfilling defence contracts must also be certified. Subcontractors include suppliers and service providers who handle or produce components and systems for primary contractors.
• Vendors handling CUI: If an entity deals with information that federal standards deem sensitive—information requiring safeguarding but not classified—certification is required because the data is critical to national security.

In essence, any company playing any role in providing goods or services within the Defense Industrial Base, especially those dealing with sensitive unclassified information, needs to pursue and maintain an appropriate level of CMMC certification relevant to their work’s nature and scope.

Embracing the complexities of CMMC compliance can be daunting for organisations at any level in the defence industry. However, Proofpoint is an invaluable ally in this journey by providing solutions to help organisations with CMMC compliance. Proofpoint’s Identity Threat Detection & Response platform helps reveal and safeguard attack pathways that can be exploited by threat actors, aiding in achieving cyber resilience for CMMC Level 3 compliance.

Proofpoint offers compliance and data archiving solutions, such as Proofpoint Track, which enables organisations to track, audit, and reconcile all content in their capture stream, helping them stay compliant and in control. Additionally, Proofpoint’s email filtering and secure email gateway solutions can assist in meeting CMMC requirements, such as detecting or blocking malicious emails and employing FIPS 140-2 validated encryption for data at rest and during transmission. These capabilities make Proofpoint a valuable partner for organisations seeking to comply with CMMC requirements.

To learn more about the scope of available cybersecurity solutions, contact Proofpoint.