Executive Summary

The US Department of Defense (DoD) is now requiring certification against its Cybersecurity Maturity Model Certification (CMMC) security framework as a condition of being awarded a contract. The scope covers Controlled Unclassified Information (CUI) and affects upwards of 300,000 contractors. Details are here: https://www.acq.osd.mil/cmmc/index.html.

Read on for details explaining how you may be impacted and to learn how HITRUST® can help.

The Cybersecurity Maturity Model Certification: A New Baseline Standard

To address national security concerns within their third-party ecosystem, the United States Department of Defense (DoD) has mandated that all organizations doing business with the DoD, regardless of size, industry, or level of involvement, have the maturity of their cybersecurity operations independently certified against the newly established Cybersecurity Maturity Model Certification (CMMC) Framework. Governed by an overarching Accreditation Body, the CMMC program aims to enforce the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited by an independent third-party auditor or CMMC Third-Party Assessment Organization (C3PAO). Up until now, contractors have struggled to secure their expanded supply chains with inconsistent cybersecurity practices. The CMMC cannot be obtained via self-attestation but must instead be validated by an authorized third-party assessor, all of whom are governed by an Accreditation Body. In addition to overseeing all assessor and consulting firms, the Accreditation Body provides CMMC-specific training and issues certifications.

HITRUST: A Leading Authority

Leveraging our 12 years of experience as a leader in delivering the highest quality assurance reports, developing our framework, assurance program, academy, assessor network, assessment infrastructure, and related programs, HITRUST has made and continues to make valuable contributions on how best to go about accrediting auditors, delivering training, and issuing certifications.

All organizations that are currently doing business or intend to do business with the DoD are expected to comply with, be assessed against, and obtain the CMMC.

“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,”— Katie Arrington, Chief Information Security Officer for DoD’s Office of the Assistant Secretary of Defense for Acquisition.

Organizations across all industries and of all sizes should be aware of the level of impact generated by the CMMC and what exactly it means for them. The CMMC is an allowable reimbursable cost and there are several different levels of certification, each with increasing granularity and rigor with regard to requirements. These characteristics ensure that CMMC is attainable for all organizations. The CMMC requirements vary from level one to level five, level one being the most basic controls and level five being the most advanced. Each contract released for bids by the DoD will have a level of CMMC associated with it, corresponding directly to the inherent risk posed by the contract; only organizations with the appropriate level of CMMC will be considered for projects.


The first version of the CMMC framework has already been released, and multiple iterations will follow as the DoD works to fine-tune the included controls. It is meant to be a living document, continuously evolving to meet emerging threats. Organizations that currently have contracts with the DoD will need to look at earning their CMMC prior to the end of their contract, as this could be a deciding factor as to whether their contract will be renewed or placed back into the market for bids. The DoD will start including mandated CMMC levels associated with contracts as early as June 2020, and by 2025 the appropriate level of certification will be non-negotiable for organizations wishing to do business with the DoD.

Organizations wishing to do business with the DoD should be thinking about CMMC sooner rather than later.

With all of the impending timelines looming ever closer, organizations should be taking every proactive measure available. The first full version of the CMMC framework was based upon previously released frameworks, namely NIST, ISO, DFARS, and FedRAMP.

HITRUST is here to help your organization understand and prepare for the CMMC.

For many months now, HITRUST has been working to ensure that our comprehensive and integrated suite of compliance and risk management solutions align with the requirements of CMMC and fully support organizations in preparing to achieve CMMC.

While the CMMC AB continues its efforts to bring the CMMC program to market, HITRUST customers can rest easy knowing that for every component of the CMMC program contemplated by the DoD, there is a direct HITRUST analog that currently achieves the same objectives. The components of the HITRUST Approach most directly related to addressing CMMC are the HITRUST CSF®, HITRUST CSF® Assurance Program, and HITRUST MyCSF®. The HITRUST CSF already integrates with and contains mappings to the same baseline standards upon which the CMMC framework is based (i.e., NIST SP 800-53, DFARS/NIST SP 800-171, and FedRAMP).

The HITRUST CSF Assurance Program enables organizations to assess their current security and privacy posture against these standards and achieve and maintain CMMC, leveraging the many benefits of the HITRUST CSF Assurance Methodology, including Assess Once, Report Many™.

The MyCSF tool can be leveraged to lend insight into the gaps and remediations that need to be addressed prior to the CMMC. MyCSF supports “what if” planning and utilizes previously entered information to streamline and simplify the process of performing a gap analysis against the CMMC framework requirements.

MyCSF is a best-in-class, purposefully designed and engineered SaaS solution for performing risk assessments and corrective action plan management, including enhanced benchmarking and dashboards as well as integration with major GRC platforms and the HITRUST Assessment XChange™.

In communications from the DoD, it is clear that organizations that invest in a controls assessment and repository platform will be better positioned to succeed in their CMMC efforts. Organizations with a valid HITRUST CSF Certification should be able to determine the additional control requirements by leveraging MyCSF and performing an assessment specific to the delta in scope and requirements. It is critical that entities have the ability to leverage existing investments made in information risk management and compliance programs including existing assurance reports, developed using a comprehensive methodology, in support of CMMC.

Lastly, third-party assurance is another critical area subject to CMMC requirements. Here too, organizations cannot afford to wait to begin conversations with all third-party vendors with whom they share access to sensitive information belonging to the DoD. In all such cases, organizations must evaluate their third parties’ risk and compliance posture and obtain assurances that they too can meet the same CMMC controls required of them by the DoD. The HITRUST Assessment XChange can help organizations streamline and simplify their third-party management, ensuring that everyone is doing their part to protect sensitive data and protecting parent organizations’ interests with regard to doing business with the DoD.

As the DoD and CMMC AB move forward with developing and implementing the requirements of the CMMC, HITRUST will be at the forefront, continuing to participate as a subject matter expert and thought leader while helping simplify the road to CMMC for organizations of all sizes, across all industries.

Since its inception, HITRUST has focused on ensuring that its products and services — namely the HITRUST CSF framework, HITRUST MyCSF, HITRUST CSF Assurance Program, and HITRUST Assessment XChange — are purposefully designed to support new market requirements. Helping new and existing customers continue to demonstrate to and obtain necessary assurances from customers and third parties is our mission, and the CMMC requirements are just the latest example of how HITRUST helps organizations Assess Once, Report Many™. More information on the HITRUST suite of services can be found here.