What is CMMC?
The CMMC Program is still in rulemaking and may change over the course of the next year. The information below will be updated when rulemaking is completed.
If you plan to do business with the Department of Defense, you must comply with CMMC 2.0 – once the federal rule-making process has been completed (9 to 24 months). This site is updated regularly and provides you with the most current information regarding CMMC 2.0 compliance. CyberNC.us is managed by the North Carolina Military Business Center through the North Carolina Interagency Cybersecurity Coordinating Committee.
The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security. The Center for Strategic and International Studies estimates that the total global cost of cybercrime was a high as $600 billion in 2017. Malicious cyber actors have targeted, and continue to target the Defense Industrial Base sector and the supply chain of the Department of Defense. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security.
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
With the implementation of CMMC 2.0, the Department is introducing several key changes that build on and refine the original program requirements. These are:
Streamlined Model
- Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
- Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards
Reliable Assessments
- Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
- Higher accountability: Increases oversight of professional and ethical standards of third-party assessors
Flexible Implementation
- Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
- Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances
See graphic below, and click on this link for additional information from the Office of the Under Secretary of Defense for Acquisition & Sustainment.
To assist North Carolina defense contractors understand and implement CMMC 2.0, multiple State entities and organizations that support the defense industry have established the NC Interagency Cybersecurity Coordinating Committee (I3C). The goals of the committee are to provide defense contractors with 1) up to date and accurate information about CMMC 2.0 and the certification process; 2) effective tools they can use to assess their current level of compliance; and 3) access to reputable companies that can help them fill their compliance gaps and assist with certification preparation. Phase I of implementing these three goals was to establish a website containing information about the new CMMC model: http://www.cybernc.us.
CONTACT US
Main Point of Contact:
Laura Rodgers
Director of Cybersecurity Practice
Secure Computing Institute
EB II, 2240B
NC State University
ldrodger@ncsu.edu(o) 919-515-5063(c) 828-734-0053-
How to best utilize CyberNC.us: The CyberNC.us website was created to provide North Carolina companies with one location to find all the information they need to develop a cybersecurity compliance program that is compliant with Department of Defense regulations.
The most effective way to utilize the website is to follow the steps below:
- Understand the regulations. Click on the Cybersecurity Regulations tab and review the information about each of the regulations.
- Understand the data. Click on the FCI/CUI tab for detailed information about Federal Contract Information and Controlled Unclassified Information, then review the Cybersecurity Overview presentation.
- The information on the Where to Start tab will help businesses determine which regulation with which they must comply, as well as the level of compliance that is required.
- The DFARS tab contains information about compliance with DFARS 252.204-7012 and the new DFARS Interim Rule.
- The CMMC tab contains information about CMMC 2.0 and includes FAQs and resources.
- The Training tab provides information about resources businesses can use to train their employees.
- The Partners tab contains links to the websites of the I3C partner agencies.
-
The NCMBC and the I3C are not representatives of the DoD or the CMMC Accreditation body. This website is meant to be a community resource for cybersecurity compliance information.
Copyright 2020, North Carolina Military Business Center. All Rights Reserved.