The Cybersecurity Maturity Model Certification (CMMC) is a maturity model framework and an acquisition policy initiative launched by the Department of Defense (DoD) in 2019. The CMMC acquisition policy requires DoD prime and subcontractors to undergo a third-party assessment of their implementation of the CMMC framework. Once fully implemented, all DoD prime and subcontractors will be required to undergo a CMMC assessment to win new DoD contracts. At some point in the future, the CMMC will begin to appear in new solicitations as Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021. However, the CMMC initiative is currently on hold pending the results of an internal DoD assessment, which is expected to be completed later this year.
HITRUST and the CMMC
HITRUST understands that the CMMC initiative impacts our customers. As a company whose main goal is to help organizations prioritize and manage their security and privacy risk and compliance efforts, we are staying informed of the evolving CMMC program. For our customers who adopt the CMMC program, HITRUST will work to make their journey as painless and seamless as possible. HITRUST has already included the CMMC controls in our CSF library of controls, and we offer a CMMC-targeted self-assessment so that companies can gauge their own CMMC readiness using the HITRUST MyCSF® tool. As the CMMC program evolves, we will provide updates on how HITRUST will continue to facilitate our customers’ compliance efforts with the CMMC.
More Background on the CMMC
The CMMC maturity model framework contains five maturity levels, from CMMC Maturity Level 1 up to Maturity Level 5. The CMMC as a policy initiative will require companies to undergo a third-party assessment of their cybersecurity program, resulting in a CMMC certification, in order to be awarded DoD contracts that contain the CMMC clause. In late 2020, the DoD issued an interim Defense Federal Acquisition Regulation Supplement rule which enables the DoD to begin including the CMMC clause in incrementally more DoD solicitations over the next five years, with all DoD contracts containing the clause by fiscal year 2025. In addition to requiring that prime contractors achieve a CMMC certification, the interim rule also makes it clear that prime contractors will be responsible for ensuring that all their suppliers and vendors who support their DoD contract also attain a CMMC certification at the maturity level necessary to support the contract.
The CMMC Accreditation Body (CMMC-AB), established in January 2020, certifies CMMC assessors, certifies the CMMC third-party assessment organizations (C3PAOs) who employ the CMMC assessors, and is the only organization authorized to grant CMMC certifications recognized by the DoD. As of August 2021, there are only three authorized C3PAOs and 103 provisional assessors. Provisional assessors are authorized to conduct CMMC assessments during the “provisional period,” which will end six months after formal assessor training becomes available. Currently, there are authorized training providers, but no authorized CMMC assessor training courses, nor are there CMMC assessor certification exams available to candidate CMMC assessors. No CMMC assessments resulting in CMMC certification have been completed at this time.
Leadership changes at DoD, coupled with Congressional oversight and internal DoD reviews of the CMMC program, have resulted in a potential delay in the full implementation of the CMMC policy initiative. While the CMMC-AB continues to create new provisional assessors and C3PAOs, Senator Joe Manchin, D-W.Va., said during a Senate Armed Services Subcommittee meeting in May that the DoD review will produce “significant” changes to the CMMC. He also said that the DoD would be leading the changes, which are still being finalized. There have been no official announcements from DoD regarding what the significant changes to the program might be.
HITRUST will continue to track the situation and take action as necessary.