Cybersecurity Maturity Model Certification (CMMC)
The U.S. Department of Defense (DoD) Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment is implementing the CMMC as a mechanism to help protect DoD intellectual property and sensitive information from cybersecurity events targeting prime contractors and subcontractors. Focusing on the security and resiliency of the DoD’s external supply chain, including members of the Defense Industrial Base (DIB), the CMMC introduces leveling requirements for the domains, practices, and procedures that organizations must have certified by a third-party assessor in order to compete for most DoD contracts. AWS enables defense contractors to create CMMC-compliant environments to process, maintain, and store DoD data.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification.” The CMMC encompasses multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification. DoD contracts will define the required CMMC levels; Level 1 - safeguard Federal Contract Information (FCI), Level 2 - transition to protect Controlled Unclassified Information (CUI), Level 3 - protect CUI, and Levels 4 and 5 - protect CUI and reduce risk of Advanced Persistent Threats (APTs). Visit the CMMC website to learn more.
Why is CMMC being implemented?
The DoD is transitioning to the new CMMC framework to protect against the theft of DoD sensitive information and intellectual property. The CMMC framework will assess and enhance the cybersecurity of the Defense Industrial Base (DIB) supply chain and verify that appropriate cybersecurity practices and processes are in place.
Who needs to be CMMC certified?
The DoD estimates that more than 300,000 DIB organizations will require assessment and certification to one of the five CMMC levels. This includes prime contractors, subcontractors, and generally all organizations that sell to or provide services to the DoD. CMMC level requirements will be issued individually by DoD contract.
When is the DoD implementing the CMMC requirement?
The DoD will incrementally phase in CMMC requirements on DoD request for proposals (RFPs) and contracts beginning in April 2021, with full implementation targeted for 2026. DoD has identified 15 initial acquisitions, referred to as Pilots, to participate in the initial CMMC rollout. Over the next five years CMMC requirements will be included in new DoD contracts at an increasing rate, with nearly all new DoD contracts including CMMC requirements by 2026.
Are there members of the DoD supply chain using AWS now?
A wide range of organizations, programs, and contractors across the DoD supply chain use AWS to transform their business and operations. They leverage AWS to create secure cloud environments to process, maintain, and store U.S. Federal Government data in accordance with Defense Federal Acquisition Regulation Supplement (DFARS), DoD Cloud Computing Security Requirements Guide (SRG), Federal Risk and Authorization Management Program (FedRAMP), and other federal compliance programs.
You can review case studies to learn how AWS is helping the DoD including the U.S. Defense Logistics Agency, U.S. Air Force, U.S. Navy, and U.S. Special Operations Command, as well as DoD contractors like Lockheed Martin, Raytheon, and GDIT. For more information on how AWS meets the high security requirements of the DoD, see the Cloud Computing for Defense webpage.
How does the new DoD “Interim Rule” affect my organization?
On September 29, 2020, DoD published an “Interim Rule” that established three new DFARS requirements, effective November 30, 2020, and expanded upon the existing DFARS requirement, 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The “Interim Rule” expanded upon the initial rule and established three new requirements by (1) mandating a self-assessment (DFARS 252.204-7019) every three years, (2) requiring the results of the self-assessment to be reported to the DoD Supplier Performance Risk System (SPRS) (DFARS 252.204-7020), and (3) requiring DoD Acquisition Officers to include DFARS rule 252.204-7021, CMMC Requirements, in future DoD acquisitions.
How does my organization get certified?
DoD created the CMMC Accreditation Body (CMMC-AB) as an independent organization responsible for administering the CMMC certification process for C3PAOs, assessors, and DIB entities. C3PAO assessors will assess organizations using the CMMC levels as criteria. The Defense Contract Management Agency (DCMA) announced its intent to certify C3PAOs as CMMC Level 3 certified beginning in March 2021. The CMMC-AB maintains a CMMC Marketplace that identifies C3PAOs at https://cmmcab.org/marketplace/.
Is AWS CMMC certified?
AWS has completed a NIST SP 800-171 assessment by an independent third-party assessment organization (3PAO) and has implemented all 110 controls from SP 800-171. AWS has engaged a C3PAO to perform a CMMC assessment and is waiting for that C3PAO to become "certified" by DCMA.
Do cloud services need to be CMMC certified?
No. CMMC is a certification that measures the DIB contractor’s cybersecurity capabilities and processes compared to the requirements for a specific CMMC level.
Does AWS provide CMMC reciprocity with other compliance programs?
No. The OUSD(A&S) has not defined how other compliance programs such as FedRAMP, ISO 27001 Information Security Management, or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments will map to CMMC levels in the DoD “Interim Rule” or CMMC version 1.02. OUSD(A&S) announced their intent to grant reciprocity to other compliance programs in version 2.0 of the CMMC.
Does AWS provide solutions and compliance documentation to help with CMMC certification?
AWS is collaborating with the DoD and the CMMC-AB on CMMC requirements and developing solutions to help customers accelerate their deployment and certification. On December 22, 2020, AWS released the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) to help customers deploy foundational AWS infrastructure to support an automated, secure, scalable, multi-account environment based on AWS best practices in the AWS GovCloud (US) Regions. The solution is designed to meet requirements prescribed by the DoD for CMMC as well as DoD Cloud Computing Security Requirements Guide (CC SRG) Impact Levels (IL) 4 and IL 5 workloads in the cloud.
For more information on AWS CMMC compliance documentation, and how to access it, please contact your AWS Account Manager or Contact Us.
Does AWS Professional Services support customers in meeting their CMMC compliance requirements?
Yes. AWS Professional Services consultants are trained on the AWS Compliance Framework for Federal and DoD Workloads in AWS GovCloud (US), and are able to support customer implementations that address CMMC compliance challenges.
Which AWS Region(s) should I use to deploy my CMMC cloud environment?
AWS intends to provide customers the flexibility to deploy and certify AWS CMMC solutions across standard and restricted Regions (US East/West, AWS GovCloud (US), etc.) based on the requirements of their business and of their DoD programs and contracts.
If you have questions regarding CMMC or DoD compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.