August 19, 2025

CMMC Level and Assessment Requirements for Defense Contractors

Written by Chris Camejo
CMMC Information Security Compliance

Many DoD contractors are struggling to understand what requirements will apply to them once CMMC rolls out. CMMC defines three levels, but CMMC Level 2 may allow a self-assessment or may require a third-party certification assessment by a CMMC Third-Party Assessor Organization (C3PAO) which results in four different level/assessment scenarios. This post will help DoD contractors understand what CMMC requirements will apply based on the types of information they handle for DoD.

A DoD memo describes how four types of information will be used to determine both the CMMC level and the assessment requirements that will be inserted into contracts. These are all explained in more detail below:

Information handled: CMMC Level, Assessment Type

  • FCI: Level 1, Self-Assessment
  • CUI in non-Defense Organizational Index Groupings: Level 2, Self-Assessment
  • CUI in Defense Organizational Index Groupings: Level 2, C3PAO Certification Assessment
  • CUI with enhanced protection requirements: Level 3, DIBCAC Certification Assessment

FCI

FCI Definition

FCI is Federal Contract Information. The formal definition of FCI includes all information that is provided by or generated for the government under a contract except for information that is intended for public release or simple transactional information. FCI does not carry any special markings to identify it as FCI.

FCI Handling Impact on CMMC Obligations

All government contractors are likely handling FCI, so DoD contractors that do not handle CUI should expect to receive CMMC Level 1 self-assessment requirements. Contractors that are handling CUI will also need to apply the Level 1 requirements to any systems that are handling FCI but not CUI and do not meet the Level 2 or 3 requirements.

CMMC Changes to FCI Requirements

The CMMC Level 1 requirements are based on the 15 Basic Safeguards for FCI that have been required by the FAR 52.204-21 contract clause since 2016, so all government contractors should already be compliant. There is currently no requirement to report compliance with the FAR 52.204-21 clause, so the only new element in CMMC Level 1 is the requirement to report compliance via a self-assessment. CMMC Level 1 self-assessments are submitted via the DoD’s Supplier Performance Risk System (SPRS).

CUI

CUI Definition

CUI is Controlled Unclassified Information. This is information the government itself must safeguard or control the dissemination of as per a specific law, regulation, or government-wide policy. Government contractors are also contractually required to safeguard CUI when it is handled on behalf of the government.

Many defense contractors have been preparing to implement higher-level CMMC requirements than necessary because they do not understand what CUI is. The following points address common sources of confusion about CUI:

Identifying CUI

CUI should be easy to identify because the government is required to apply standardized markings to all CUI before disseminating it to contractors. The government must also instruct contractors to apply the standardized markings if the contractor is expected to create CUI, but this is uncommon. Documents mismarked as CUI by other contractors are unfortunately common—see our post on Dealing With Unmarked and Mismarked CUI for more information on what CUI should and should not look like.

CUI Prevalence

CUI is not as common as many defense contractors think. DoD estimates in Table 3 of the Impact and Cost Analysis of CMMC 2.0 tell us that 63% of defense contractors are not expected to handle CUI and will only handle FCI.

CMMC Effects on CUI

The CUI program has existed under EO 13556 since 2010 and the DoD CUI protection obligations for contractors under the DFARS 7012 contract clause have existed since 2015 and are not changing as a result of CMMC. CMMC can be thought of as a certification program for existing CUI protection obligations and does not change the underlying definition or prevalence of CUI in any way.

If a contractor has not received any documents that carry CUI markings and has not received instructions to mark specific documents as CUI, then the contractor is almost certainly not handling CUI. These contractors are also unlikely to suddenly start handling CUI once the CMMC rollout begins unless the nature of their work for the government changes under future contracts.

Contractors that are unsure of what CUI markings look like should refer to the NARA CUI Marking Handbook which contains the government-wide standard for CUI marking and the DoD CUI Marking Aid that contains DoD-specific CUI marking standards. Understanding both NARA and DoD CUI markings is important because DoD markings have some subtle differences from (and technically violate) the NARA government-wide standard and contractors may receive documents with both types of markings from DoD. Pay close attention to how CUI category markings are applied under both marking standards.

CUI Handling Impact on CMMC Obligations

Contractors that handle CUI will receive at least a CMMC Level 2 requirement, although the type of assessment required will depend on the CUI category as described below. Handling CUI may also result in a CMMC Level 3 requirement as described below.

CMMC Changes to CUI Requirements

The CMMC Level 2 requirements are based on the NIST SP 800-171r2 safeguarding controls for CUI that have been required by the DFARS 7012 contract clause since 2015, so all DoD contractor assets that process, store, or transmit CUI should already be compliant with the CMMC Level 2 requirements. The main changes introduced in CMMC for DoD contractors handling CUI are:

  • Contractor assets that are not isolated from assets that process, store, or transmit CUI and assets that provide security functions to other in-scope assets are in scope for the NIST SP 800-171r2 requirements in addition to the assets that process, store, or transmit CUI that were already in scope under DFARS 7012.
  • External service providers that handle CUI or Security Protection Data are in scope for the NIST SP 800-171r2 requirements except for cloud service providers that handle CUI, which are required to implement the FedRAMP Moderate controls as is already required under DFARS 7012.
  • The NIST SP 800-172 enhanced safeguards will be required in some circumstances (described below).
  • In the past NIST SP 800-171 compliance was self-assessed by DoD contractors but CMMC will require almost all DoD contractors handling CUI to undergo a third-party certification assessment.

Defense and Non-Defense CUI

CUI Category Definition

CUI is divided up into various categories based on the laws, regulations, and government-wide policies that require the government to protect the information. These categories are organized into Organizational Index Groupings, one of which is Defense. Contractors must be able to use the CUI markings to determine what category of CUI a document contains and determine what Organizational Index Grouping the category belongs to because this will determine what type of CMMC Level 2 assessment will be required.

The NARA CUI Markings list and CUI Registry are the definitive source to identify which CUI categories fall into the Defense Organizational Index Grouping.

CUI Category Impact on CMMC Obligations

Defense contractors that only handle CUI categories that do not fall into Defense Organizational Index Grouping can perform a CMMC Level 2 self-assessment. A defense contractor that handles any CUI categories that fall into the Defense Organizational Index Grouping will require at least a CMMC Level 2 C3PAO Certification Assessment.

CMMC Level 2 self-assessments are submitted via the DoD’s SPRS.

A CMMC Level 2 Certification Assessment must be performed by a C3PAO. These are independent assessors that have been approved in accordance with CMMC regulations and the CyberAB CMMC Marketplace contains a list of C3PAOs.

DoD estimates in Table 3 of the Impact and Cost Analysis of CMMC 2.0 tell us that 35% of defense contractors are expected to handle CUI that falls in the Defense Organizational Index Grouping while only 2% of defense contractors are expected to handle CUI that is not in the Defense Grouping. This means that 95% of defense contractors that handle CUI will be required to have a C3PAO certification assessment.

As of the time of publication, the following CUI categories are in the Defense Organizational Index Grouping and would require at least a CMMC Level 2 C3PAO Certification Assessment:

Category Name (Category Marking)

  • Controlled Technical Information (CTI)
  • DoD Critical Infrastructure Security Information (DCRIT)
  • Naval Nuclear Propulsion Information (NNPI)
  • Privileged Safety Information (PSI)
  • Unclassified Controlled Nuclear Information - Defense (DCNI)
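The marking-to-assessment decision described above (read the category marking, check whether the category is in the Defense grouping, derive the Level 2 assessment type) can be scripted when a contractor is triaging the documents held in a given environment. The following is an added example, not code from the original post or from TrustedSec. It assumes the NARA banner syntax `CUI//[SP-]CATEGORY[/CATEGORY]//LDC` (a `CONTROLLED` banner is treated the same as `CUI`), uses the Defense grouping markings listed in this post, and uses `PRVCY` as a sample non-Defense category marking; a bare `CUI` banner with no category is flagged for review rather than classified, since the post notes that mismarked documents are common.

```python
"""
Derive the CMMC level/assessment type from CUI banner markings.

Added example, not from the original post or TrustedSec. Assumptions:
  - banner syntax "CUI//[SP-]CATEGORY[/CATEGORY]//LDC" per the NARA CUI
    Marking Handbook ("CONTROLLED" accepted in place of "CUI")
  - Defense Organizational Index Grouping markings as listed in the post
  - Level 3 (enhanced protections) cannot be read from a marking, so the
    result for CUI is "at least" the level returned here
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Category markings in the Defense Organizational Index Grouping (from the post).
DEFENSE_GROUPING = frozenset({"CTI", "DCRIT", "NNPI", "PSI", "DCNI"})

LEVEL1 = (1, "Self-Assessment")
LEVEL2_SELF = (2, "Self-Assessment")
LEVEL2_C3PAO = (2, "C3PAO Certification Assessment")
LEVEL2_REVIEW = (2, "Undetermined: category marking missing, confirm with sender")


@dataclass(frozen=True)
class Marking:
    categories: Tuple[str, ...]   # category markings with any "SP-" prefix removed
    specified: frozenset          # categories marked CUI Specified ("SP-")
    ldc: Tuple[str, ...]          # limited dissemination control markings


def parse_banner(banner: str) -> Marking:
    """Parse a banner such as 'CUI//SP-CTI/NNPI//NOFORN'.

    Raises ValueError for anything that is not a CUI banner (e.g. legacy
    markings), so the caller can route it to manual review.
    """
    parts = [p.strip() for p in banner.strip().split("//")]
    if not parts or parts[0].upper() not in ("CUI", "CONTROLLED"):
        raise ValueError(f"not a CUI banner marking: {banner!r}")
    categories: List[str] = []
    specified = set()
    if len(parts) > 1:
        for raw in parts[1].split("/"):
            cat = raw.strip().upper()
            if cat.startswith("SP-"):          # CUI Specified category
                cat = cat[3:]
                specified.add(cat)
            if cat:
                categories.append(cat)
    ldc: Tuple[str, ...] = ()
    if len(parts) > 2:
        ldc = tuple(x.strip().upper() for x in parts[2].split("/") if x.strip())
    return Marking(tuple(categories), frozenset(specified), ldc)


def cmmc_obligation(banner: Optional[str]) -> Tuple[int, str]:
    """Map one document's banner (None = unmarked, FCI only) to (level, assessment)."""
    if banner is None:
        return LEVEL1
    marking = parse_banner(banner)
    if not marking.categories:
        return LEVEL2_REVIEW                    # "CUI" alone: grouping unknown
    if DEFENSE_GROUPING & set(marking.categories):
        return LEVEL2_C3PAO                     # any Defense category => C3PAO
    return LEVEL2_SELF                          # non-Defense CUI only


def environment_obligation(banners: List[Optional[str]]) -> Tuple[Tuple[int, str], List[str]]:
    """Highest obligation across all documents in one environment, plus the
    banners that could not be classified and need manual review."""
    rank = {LEVEL1: 0, LEVEL2_SELF: 1, LEVEL2_C3PAO: 2}
    highest = LEVEL1
    review: List[str] = []
    for banner in banners:
        try:
            obligation = cmmc_obligation(banner)
        except ValueError:
            review.append(banner)
            continue
        if obligation not in rank:
            review.append(banner)
            continue
        if rank[obligation] > rank[highest]:
            highest = obligation
    return highest, review


if __name__ == "__main__":
    # Constructed sample: a small file share holding FCI and a mix of CUI markings.
    sample = [None, "CUI//PRVCY", "CUI", "CUI//SP-CTI//NOFORN", "FOUO"]
    print(environment_obligation(sample))
```

Because a single Defense-grouping document drives the whole environment to a C3PAO assessment, the script is most useful for deciding where to draw enclave boundaries before the SSP is written, rather than after.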

CUI Enhanced Protections

Enhanced Protection Definition

Determining which CUI requires enhanced protections, and therefore will trigger a CMMC Level 3 requirement, is much more subjective than the other requirements above. DoD states that the enhanced protections will be “applied to safeguard mission critical or unique technologies and programs associated with the following factors/scenarios”:

  • CUI associated with a breakthrough, unique, and/or advanced technology
  • Significant aggregation or compilation of CUI in a single information system or IT environment
  • Ubiquity - when an attack on a single information system or IT environment would result in widespread vulnerability across DoD

The memo refers to a guidebook that will be published at https://aaf.dau.edu/guidebooks, but this does not appear to be live at the time of this post.

Enhanced Protection Handling Impact on CMMC Obligations

Level 3 Certification Assessments are required for contractors handling CUI that requires enhanced protections, and they are conducted by the DoD itself via DIBCAC.

Enhanced Protection Changes to CUI Requirements

The CMMC Level 3 requirements are based on the NIST SP 800-172 safeguarding controls for CUI that extend the NIST SP 800-171 safeguards used for other CUI. NIST SP 800-172 is a new framework that has not been previously required. Contractors that handle CUI under CMMC Level 3 contracts will need to implement both the NIST SP 800-171 safeguards, with all the same caveats described for CMMC Level 2 above, as well as the NIST SP 800-172 additional controls on assets in scope for CMMC.

Next Steps

Contractors should immediately begin preparing for the appropriate level CMMC requirements based on the information they are handling or expect to handle in the future. For CMMC Levels 2 and 3 this process begins by documenting a System Security Plan (SSP) for all in-scope systems as per CMMC requirement CA.L2-3.12.4 and a Plan of Action and Milestones (POA&M) for any requirements that are not currently in place.

Unlike other compliance frameworks, the CMMC program differentiates between organizations that help contractors implement compliance (CMMC Registered Practitioner Organizations or RPOs) and organizations that assess contractors for certification or C3PAOs. TrustedSec is a CMMC RPO and is available to help understand and implement CMMC requirements. Get in touch with us if you need assistance!