Office of the Chief Information Security Officer

CMMC: Cybersecurity Maturity Model Certification

This information pertains to UW research activities that intend to or currently participate in research sponsored by agencies, offices and commands under the U.S. Department of Defense.

What you need to know

The Cybersecurity Maturity Model Certification (CMMC) is a program established by the United States Department of Defense (DoD) to standardize the security practices and processes intended to protect non-public unclassified information related to DoD research awards. CMMC is a unified cybersecurity standard that will apply to all future DoD awards that involve Federal Contract Information (FCI, defined in 48 CFR § 52.204-21) and/or Controlled Unclassified Information (CUI, defined in Executive Order 13556).

The CMMC model framework organizes processes and cybersecurity best practices into a set of 17 Capability domains and 5 levels of maturity in practices and processes. CMMC involves an independent third-party assessment (from DoD approved assessors) of an organization’s compliance at a specified maturity level.

The CMMC combines cybersecurity standards and best practices from multiple sources and references:

  • CMMC Level 1, the minimum maturity level for protecting FCI, addresses practices from Federal Acquisition Regulations (FAR) 52.204-21
  • CMMC Level 3, the minimum maturity level for protecting CUI, includes all of the practices from National Institute of Standards and Technology Special Publication (NIST SP) 800-171r1 as well as others
  • CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-172 plus others, and are intended to provide enhanced security to critical technologies and acquisition programs

CMMC applies to DoD acquisition activities. The CMMC level required for response to a request for information (RFI) or request for proposal (RFP) appears in Section L or M of the RFI/RFP. Awards include the clause DFARS 252.204-7012 and specify the CMMC level required for the award.

Each research activity’s information systems that are intended to store, transmit or process FCI and CUI must be certified at the CMMC level specified in the RFI, RFP or award. DoD will cover the cost of implementing CMMC controls as an “allowable, reimbursable cost”. The roll-out of CMMC began with a few existing acquisition programs in June 2020 and will expand through new RFIs, RFPs and awards to cover all DoD acquisitions within five years.

The Office of the CISO and the Office of Research have established a UW CMMC Working Group intended to develop and share best practices and document guidelines and templates to assist research activities in meeting CMMC requirements.

What you need to do

  • Carefully review each DoD award to determine whether it contains the clause DFARS 252.204-7012. If so, expect CMMC to be incorporated into award renewals or follow-on awards and begin to prepare for certification at maturity level 3 unless otherwise advised by the sponsor.
  • Carefully review sections L and M of each DoD RFI and RFP to determine whether CMMC is required in order to submit a response or proposal. If so, obtain certification at the requisite level.

Resources

Federal Contract Information (FCI) – Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. (48 CFR § 52.204-21)

Controlled Unclassified Information (CUI) – Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. (Executive Order 13556) Categories of CUI are described in the CUI Registry: https://www.archives.gov/cui/registry/category-list

Official CMMC website – https://www.acq.osd.mil/cmmc/index.html

Questions?
Email ciso@uw.edu