Navigating CMMC Compliance for Your Defense Contractor Website
The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the Department of Defense (DoD) to enhance the cybersecurity posture of the Defense Industrial Base (DIB). It is designed to ensure that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on or transits their information systems. For defense contractors operating websites that handle FCI or CUI, understanding and implementing the relevant CMMC requirements is crucial for maintaining eligibility for DoD contracts. This article provides an in-depth overview of CMMC compliance as it pertains to a defense contractor's website, drawing upon the current CMMC framework.
Understanding the CMMC Levels and Your Website
The CMMC model comprises three distinct levels, each with increasing cybersecurity requirements. The level a defense contractor must achieve is typically specified in the contract solicitation based on the sensitivity of the information involved.
- CMMC Level 1: Foundational Cybersecurity
  - Level 1 is the baseline and requires the implementation of the 15 security requirements currently mandated by FAR clause 52.204-21. These requirements are considered elementary, basic-safeguarding practices.
  - Assessment: Compliance at Level 1 is verified through a self-assessment conducted by the Organization Seeking Assessment (OSA).
  - Scope: For a website at Level 1, the scope includes all assets that process, store, or transmit Federal Contract Information (FCI). If your website handles FCI, it falls within the Level 1 assessment scope.
  - Reporting: The results of the Level 1 self-assessment and an affirmation of compliance must be electronically entered into the Supplier Performance Risk System (SPRS).
  - POA&M: A Plan of Action and Milestones (POA&M) is not allowed at Level 1; all 15 requirements must be fully met to satisfy Level 1.
- CMMC Level 2: Advanced Cybersecurity
  - Level 2 requires adherence to the 110 security requirements outlined in NIST SP 800-171 Rev 2. This level does not add any security requirements beyond those in NIST SP 800-171 Rev 2.
  - Assessment: Level 2 compliance can be achieved through either a self-assessment conducted by the OSA or a certification assessment performed by an authorized or accredited CMMC Third-Party Assessment Organization (C3PAO). The specific type of assessment required will be stipulated in the contract. Organizations cannot self-assess for certification.
  - Scope: The Level 2 assessment scope encompasses all assets that process, store, or transmit Controlled Unclassified Information (CUI), as well as all assets that provide security protections for those CUI-handling assets. If your website handles CUI, it and its supporting security infrastructure are within the Level 2 scope.
  - Reporting:
    - For self-assessments, results and affirmations are entered into SPRS. A Conditional or Final Self-Assessment is achieved based on the score and on whether POA&Ms exist.
    - For certification assessments, the C3PAO enters assessment information into the CMMC Enterprise Mission Assurance Support Service (eMASS), which then transmits the results to SPRS. Affirmations are also required.
  - POA&M: Level 2 allows POA&Ms in both self and certification assessments under specific conditions. An open POA&M results in a Conditional assessment, and it must be closed out within 180 days. Certain critical Level 2 security requirements cannot be part of a POA&M and must be fully implemented at the time of assessment.
- CMMC Level 3: Expert Cybersecurity
  - Level 3 builds upon Level 2 and incorporates an additional 24 selected security requirements from NIST SP 800-172, as detailed in table 1 to § 170.14(c)(4). These added requirements are designed to enhance protection against Advanced Persistent Threats (APTs).
  - Assessment: Achieving Level 3 requires a certification assessment performed by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on behalf of the DoD. Self-assessment results are not accepted for Level 3 certification. Critically, a Level 3 assessment can only occur after the Organization Seeking Certification (OSC) has already achieved a CMMC Level 2 Final Certification Assessment for the same assessment scope.
  - Scope: The Level 3 scope includes assets that process, store, or transmit CUI, as well as assets that can, but are not intended to, process, store, or transmit CUI (Contractor Risk Managed Assets, CRMAs) within the same assessment scope; these CRMAs become CUI Assets at Level 3. The Level 3 scope may be a subset of the Level 2 scope. Specialized Assets are also included in the Level 3 scope.
  - Reporting: DCMA DIBCAC electronically enters Level 3 certification assessment information into the CMMC instantiation of eMASS, which then automatically transmits the results to SPRS. Affirmations are required upon completion and annually thereafter, in addition to the ongoing Level 2 affirmation requirement.
  - Prerequisites: A crucial prerequisite for Level 3 is having already achieved a CMMC Level 2 Final Certification Assessment for the intended Level 3 assessment scope. Any open POA&M items from the Level 2 assessment must be closed.
  - POA&M: Level 3 allows POA&Ms under specific conditions: the OSC must achieve a minimum assessment score (greater than or equal to 0.8), and certain critical security requirements listed in § 170.21(a)(3) and § 170.21(a)(3)(i) through (vii) cannot be placed on a POA&M. The POA&M must be closed out within 180 days via a POA&M Closeout assessment performed by DCMA DIBCAC.
Scoping Your Website for CMMC Assessment
Defining the CMMC Assessment Scope is a critical initial step. This scope represents the boundary of all assets that will be assessed against the CMMC security requirements. The scoping requirements differ for each CMMC level. For a website, this includes not just the web server itself but also any associated databases, network infrastructure, endpoints used to manage the website, and any cloud services involved.
- Level 1: Includes all information systems that process, store, or transmit FCI.
- Level 2: Encompasses all assets that process, store, or transmit CUI, and all security protection assets (SPAs) that provide security functions for these CUI assets. SPAs include firewalls, intrusion detection systems, and multi-factor authentication mechanisms.
- Level 3: Includes assets that process, store, or transmit CUI, as well as CRMA assets that can, but are not intended to, process, store, or transmit CUI (these become CUI Assets at Level 3). Specialized Assets, which cannot be fully secured (such as IoT devices or Government Furnished Equipment, GFE), are also part of the Level 3 scope. The Level 3 scope can be a subset of the Level 2 scope, allowing for a more focused assessment of a specific enclave.
For a website handling CUI and aiming for Level 2 or 3, the assessment scope must clearly identify all components involved in processing, storing, or transmitting that CUI, as well as the security controls protecting it. This should be documented in the System Security Plan (SSP) and network diagrams.
External Service Providers (ESPs) and Your Website
If your website relies on External Service Providers (ESPs), such as hosting providers or managed security service providers, their role in handling FCI or CUI significantly impacts your CMMC compliance.
- An ESP that does not process CUI or Security Protection Data (SPD) does not meet the CMMC definition of an ESP requiring specific consideration. However, its services would still be part of the OSA's assessment scope.
- ESPs can voluntarily undergo their own CMMC Level 2 C3PAO assessment, with the scope covering the services provided to clients. In such cases, the Organization Seeking Assessment (OSA) must have a System Security Plan (SSP) that shows how the selected security requirements are performed by the ESP.
- If an OSA seeking CMMC Level 3 Certification uses an ESP (other than a Cloud Service Provider), that ESP must also have a CMMC Level 3 Final Certification Assessment for the services provided within the assessment scope.
- Cloud Service Providers (CSPs) have specific considerations:
  - If a CSP processes, stores, or transmits CUI, the cloud offering must be FedRAMP-authorized at the Moderate level or higher.
  - Alternatively, if not FedRAMP authorized, the CSP's offering must meet security requirements equivalent to the FedRAMP Moderate or High baseline, which the OSA and assessors will review. This equivalency review often involves examining the CSP's SSP and a Customer Responsibility Matrix (CRM) mapping to NIST SP 800-171 Rev 2.
  - If a CSP does not process, store, or transmit CUI, FedRAMP authorization is not required, and its services are considered Security Protection Assets (SPAs) within the OSA's scope.
It is essential to have contractual agreements with ESPs handling CUI that mandate they meet the required CMMC levels or FedRAMP equivalency. The assessment scope must include the ESP's relevant services and infrastructure as SPAs.
Reporting and Submission Processes
The reporting and submission requirements vary depending on the CMMC level and the type of assessment conducted.
- Level 1 Self-Assessments and Level 2 Self-Assessments require the OSA to electronically enter results and affirmations into SPRS.
- Level 2 Certification Assessments involve the C3PAO entering assessment information into eMASS, which then transmits the results to SPRS. Affirmations are also submitted.
- Level 3 Certification Assessments require DCMA DIBCAC to enter information into the CMMC instantiation of eMASS, with automated transmission to SPRS. Affirmations are also necessary.
Plan of Action and Milestones (POA&Ms)
POA&Ms are allowed under specific conditions for CMMC Levels 2 and 3 to address security requirements that are not fully met at the time of the initial assessment.
- Level 2: POA&Ms are permitted in both self and certification assessments and must be closed out within 180 days. Certain critical Level 2 security requirements cannot be included in a POA&M.
- Level 3: POA&Ms are also allowed, but require a minimum initial assessment score (≥ 0.8) and exclude specific critical security requirements. Closure must occur within 180 days via a POA&M Closeout assessment performed by DCMA DIBCAC. Any open POA&M items from the prerequisite Level 2 certification must be closed before a Level 3 assessment.
Conclusion
Complying with CMMC requirements for a defense contractor's website that handles FCI or CUI is a multifaceted process. It necessitates a clear understanding of the required CMMC level, the associated security requirements, the applicable assessment procedures, and the definition of the assessment scope, including any reliance on External Service Providers. By adhering to the guidelines outlined in the CMMC framework and the relevant standards like NIST SP 800-171 and NIST SP 800-172, defense contractors can ensure the security of sensitive government information and maintain their ability to participate in DoD contracts. The phased implementation of CMMC underscores the importance of proactive preparation to meet these evolving cybersecurity standards. Continuous monitoring and adherence to the CMMC requirements are essential for sustained compliance.