There is a definitive set of rules (not an all-inclusive list) that DoD contractors must follow to achieve, and remain in, compliance with regulatory standards.  CMMC incorporates these requirements, along with an additional set of requirements specific to CMMC, which are defined in the CMMC Model.  The rules flow down from federal standards to DoD standards, from which the CMMC Model was developed.

What Does this Mean to the DoD Contractor Requiring CMMC Certification?

FAR 52.204-21 is a PRIMARY REFERENCE FOR CMMC LEVEL 1

FAR 52.204-21 mandates a set of fifteen (15) basic cybersecurity requirements for those information systems that store, process, or exchange (transmit/receive) “Federal contract information (FCI).” FAR defines FCI as “information provided by or generated for the Government under a contract to develop or deliver a product or service for the US Government.”  With respect to CMMC, these 15 cybersecurity requirements make up the foundation for CMMC Level 1, which is focused on protecting FCI.

NIST SP 800-171 Rev 2 is a PRIMARY REFERENCE FOR CMMC LEVEL 1 and LEVEL 3

NIST SP 800-171 Rev 2 is the contractor’s primary reference for meeting CMMC standards to protect Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations. This publication will guide the contractor through the NIST-related security controls for both CMMC Level 1 and Level 3.

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST SP 800-171A is a PRIMARY REFERENCE FOR CMMC LEVEL 1 and LEVEL 3

NIST SP 800-171A is the contractor’s primary reference for measuring its conformity to NIST SP 800-171 Rev 2 under the DoD Assessment Methodology.  The “A” suffix stands for Assessment.  It was originally designed to provide guidance for assessors as they review a client’s compliance with NIST SP 800-171.

This is a great reference for DoD contractors to conduct a self-assessment of their level of compliance with NIST SP 800-171 and to cross-reference the required artifacts (called Objective Evidence within the CMMC realm) that demonstrate the intent of each security control has been met.

https://csrc.nist.gov/publications/detail/sp/800-171a/final

CMMC ASSESSMENT GUIDE FOR CMMC LEVEL 1 and LEVEL 3

The CMMC Assessment Guide (one for CMMC Level 1 and one for CMMC Level 3) provides guidance for conducting CMMC assessments at those levels. A CMMC assessment is the methodology used to certify that a contractor is compliant with the CMMC standard. Assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) and Certified Assessors.  This guide is designed for certified assessors, contractors, and information technology and cybersecurity professionals who secure data and systems and have responsibilities to protect FCI and/or CUI.  DoD contractors can use the CMMC Assessment Guide to prepare for a CMMC assessment or to conduct a self-assessment.

BOTTOM LINE:  Become intimately familiar with these documents

In a separate segment we will cover the CMMC playing field, including the DFARS clauses, in more detail.

Please visit redspin.com for more information!