The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the Department of Defense (DoD) to enhance the cybersecurity posture of the Defense Industrial Base (DIB). It is designed to ensure that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on or transits their information systems. For defense contractors operating websites that handle FCI or CUI, understanding and implementing the relevant CMMC requirements is crucial for maintaining eligibility for DoD contracts. This article provides an in-depth overview of CMMC compliance as it pertains to a defense contractor's website, drawing upon the current CMMC framework.

Understanding the CMMC Levels and Your Website

The CMMC model comprises three distinct levels, each with increasing cybersecurity requirements. The level a defense contractor must achieve is typically specified in the contract solicitation based on the sensitivity of the information involved.

  • CMMC Level 1: Foundational Cybersecurity. Level 1 is the baseline and requires implementing the 15 basic safeguarding requirements mandated by FAR clause 52.204-21. These are elementary cyber hygiene practices.
    - Assessment: Compliance at Level 1 is verified through an annual self-assessment conducted by the Organization Seeking Assessment (OSA).
    - Scope: At Level 1 the scope is every asset that processes, stores, or transmits Federal Contract Information (FCI). If your website handles FCI, it is within the Level 1 assessment scope. Note that FCI does not include information the Government provides to the public (such as on public websites), so a purely public marketing site that never holds contract data is out of scope, while a customer portal or file exchange that does hold FCI is in scope.
    - Reporting: The Level 1 self-assessment results and an affirmation of compliance by an Affirming Official must be entered electronically into the Supplier Performance Risk System (SPRS).
    - POA&M: Plans of Action and Milestones (POA&Ms) are not permitted at Level 1. All 15 requirements must be fully met at the time of the self-assessment.

Scoping Your Website for CMMC Assessment

Defining the CMMC Assessment Scope is a critical initial step. This scope represents the boundary of all assets that will be assessed against the CMMC security requirements. The scoping requirements differ for each CMMC level. For a website, this includes not just the web server itself but also any associated databases, network infrastructure, endpoints used to manage the website, and any cloud services involved.

  • Level 1: All information systems that process, store, or transmit FCI.
  • Level 2: All assets that process, store, or transmit CUI (CUI Assets), plus all Security Protection Assets (SPAs) that provide security functions for those assets, such as firewalls, intrusion detection systems, log collectors, and multi-factor authentication services. Contractor Risk Managed Assets (CRMAs, which can but are not intended to handle CUI) and Specialized Assets (IoT, OT, GFE, test equipment) are also within the Level 2 scope; they must be documented in the SSP and network diagram but are not assessed against the other security requirements.
  • Level 3: Assets that process, store, or transmit CUI, including what would be CRMAs at Level 2 (there is no CRMA category at Level 3; such assets are treated as CUI Assets and assessed as such). Specialized Assets, which cannot be fully secured (for example IoT devices or GFE), are also assessed at Level 3, with intermediary devices permitted to provide the required protection. The Level 3 scope may be a subset of the Level 2 scope, allowing a focused assessment of a specific enclave.

For a website handling CUI and aiming for Level 2 or 3, the assessment scope must clearly identify all components involved in processing, storing, or transmitting that CUI, as well as the security controls protecting it. This should be documented in the System Security Plan (SSP) and network diagrams.

External Service Providers (ESPs) and Your Website

If your website relies on External Service Providers (ESPs), such as hosting providers or managed security service providers, their role in handling FCI or CUI significantly impacts your CMMC compliance.

  • An ESP that does not process, store, or transmit CUI or Security Protection Data (SPD) does not meet the CMMC definition of an ESP and is not itself assessed. The OSA remains responsible for showing, in its own assessment, how the requirements are met for the components it controls.
  • An ESP that does handle CUI or SPD may voluntarily undergo its own CMMC Level 2 C3PAO assessment, scoped to the services it provides to clients. Whether or not the ESP is certified, the OSA's System Security Plan (SSP) must show which security requirements are performed by the ESP, typically by referencing the ESP's Customer Responsibility Matrix (CRM) or equivalent shared-responsibility documentation.
  • If an OSA seeking CMMC Level 3 certification uses an ESP other than a Cloud Service Provider, that ESP must also have a CMMC Level 3 Final Certification Assessment covering the services provided within the assessment scope.
  • Cloud Service Providers (CSPs): If a CSP processes, stores, or transmits CUI, the cloud offering must be FedRAMP Authorized at the Moderate baseline or higher.
  • Alternatively, if the offering is not FedRAMP Authorized, it must meet security requirements equivalent to the FedRAMP Moderate or High baseline, and the OSA and its assessor will review that equivalency. The review typically examines the CSP's SSP, its body of evidence, and a Customer Responsibility Matrix (CRM) mapping the shared controls to NIST SP 800-171 Rev 2.
  • If a CSP does not process, store, or transmit CUI, FedRAMP authorization is not required. A cloud service that provides security functions without handling CUI (for example a cloud SIEM, identity provider, or vulnerability scanner) is a Security Protection Asset within the OSA's scope and is assessed against the requirements relevant to the capability it provides.

Contracts with ESPs that handle CUI should obligate them to meet the required CMMC level or FedRAMP equivalency and to provide a CRM. The assessment scope and SSP must include the ESP's relevant services and infrastructure in the correct asset category: CUI Assets where the ESP holds CUI, and SPAs where it only provides security functions.

Reporting and Submission Processes

The reporting and submission requirements vary depending on the CMMC level and the type of assessment conducted.

  • Level 1 and Level 2 self-assessments: the OSA enters the results and an affirmation into SPRS.
  • Level 2 certification assessments: the C3PAO enters the assessment results into the CMMC instantiation of eMASS, which transmits them to SPRS; the OSC's Affirming Official then submits the affirmation in SPRS.
  • Level 3 certification assessments: DCMA DIBCAC enters the results into CMMC eMASS, with automated transmission to SPRS; an affirmation is likewise required.

At every level the affirmation must be renewed annually, and again at the closeout of any POA&M.

Plan of Action and Milestones (POA&Ms)

POA&Ms are allowed under specific conditions for CMMC Levels 2 and 3 to address security requirements that are not fully met at the time of the initial assessment.

  • Level 2: POA&Ms are permitted in both self-assessments and certification assessments, but only when the initial score is at least 0.8 times the maximum (88 of 110 points), and only for requirements worth 1 point, excluding AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. The one exception is SC.L2-3.13.11, which may be placed on a POA&M if encryption is in place but not FIPS-validated. Open items must be closed within 180 days and verified by a POA&M closeout assessment (performed by the OSA for a self-assessment, by the C3PAO for a certification assessment); otherwise the conditional status expires.
  • Level 3: POA&Ms are also allowed, subject to an initial score of at least 0.8 times the maximum (at least 20 of the 24 Level 3 requirements met) and with specific critical requirements excluded. Closure must occur within 180 days via a POA&M closeout assessment performed by DCMA DIBCAC. Any open POA&M items from the prerequisite Level 2 certification must be closed before the Level 3 assessment begins.

Conclusion

Complying with CMMC requirements for a defense contractor's website that handles FCI or CUI is a multifaceted process. It requires a clear understanding of the required CMMC level, the associated security requirements, the applicable assessment procedures, and the definition of the assessment scope, including any reliance on External Service Providers. By adhering to the CMMC framework and the underlying standards, NIST SP 800-171 for Level 2 and selected NIST SP 800-172 requirements for Level 3, defense contractors can protect sensitive government information and maintain their ability to participate in DoD contracts. The phased implementation of CMMC underscores the importance of preparing proactively, and continuous monitoring against the requirements is essential for sustained compliance.