CMMC is knocking on your door: What to do about it?


What is CMMC?

The United States Department of War (DoW) has published a new Cybersecurity Maturity Model Certification (CMMC) Program. If you are a defense contractor or subcontractor, you have until November 1st 2026 to conclude CMMC Level 1 and Level 2 self-assessments. The program covers both Federal Contract Information (FCI), which is information provided by or generated for the Government under a contract and not intended for public release, and Controlled Unclassified Information (CUI), which is information that the government, or an entity on its behalf, creates or possesses and that, although unclassified, must be handled under safeguarding or dissemination controls.

Level 1 is based on the 15 requirements in FAR (Federal Acquisition Regulation) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These are basic safeguarding requirements and procedures to protect covered contractor information systems. Among other things, they cover authentication and access management, handling of external connections and exposure of information to the public, device management, network segmentation, physical security, and malicious code protection. A final Level 1 self-assessment, once affirmed, is Current for one year from the assessment date.

Level 2 is based on DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and includes the 110 controls from NIST SP 800-171 R2, which was superseded in May 2024 by NIST SP 800-171 Rev. 3.

Level 2 final assessments, once affirmed, are Current for three years but require annual reaffirmation. If the vendor fails to reaffirm the assessment by the deadline, it will show a ‘No CMMC’ status until the affirmation is completed and will not be considered Current.

In the future, CMMC Level 2 will require an external assessment by a CMMC Third-Party Assessment Organization (C3PAO), and CMMC Level 3 will require an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

CMMC third-party demands

As DoW contractors often rely on subcontractors, CMMC puts an emphasis on third-party risk management (TPRM). Among other things, this includes:

  1. Compliance of any subcontractor holding CUI (required to hold a Level 2 confirmation) or FCI (required to hold a Level 1 confirmation).
  2. External Service Providers (ESPs) that have access to the network, data or security controls are required to hold a Level 2 confirmation.
  3. Boundaries of responsibility with subcontractors should be defined.
  4. A risk assessment and evidence gathering for subcontractors must be implemented.
  5. Cloud suppliers must be FedRAMP-authorized services.

How can Rescana help with CMMC compliance?

Rescana, especially with its AI-augmented capabilities, can help your organization in the compliance process of CMMC in the following ways:

  1. Organizational compliance: Rescana can help screen the organization's compliance, identify gaps, create relevant reports, and handle the compliance process.
  2. Integration into overall compliance: Rescana can support a process of integrating CMMC into the overall organizational compliance program and avoid unnecessary duplicated effort.
  3. TPRM compliance: Rescana can manage the overall process of subcontractors' CMMC compliance.
  4. Preparation for C3PAO and DIBCAC assessments: Rescana can map your CMMC compliance and prepare reports for the Level 2 and Level 3 external assessments.
  5. Ongoing compliance: Rescana can support the ongoing and annual compliance of the organization and its subcontractors.