Cybersecurity Maturity Model Certification (CMMC)
The U.S. Department of Defense (DoD) Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment is implementing the CMMC as a mechanism to help protect DoD intellectual property and sensitive information from cyber security events against prime and sub-contractors. Focusing on the security and resiliency of the DoD’s external supply chain, including members of the Defense Industrial Base (DIB), the CMMC introduces leveling requirements for the domains, practices, and procedures organizations must have certified by a third party assessor in order to compete for most DoD contracts. AWS enables defense contractors to create CMMC-compliant environments to process, maintain, and store DoD data.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC encompasses multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification. DoD contracts will define the required CMMC levels; Level 1 - safeguard Federal Contract Information (FCI), Level 2 - transition to protect Controlled Unclassified Information (CUI), Level 3 - protect CUI, and Levels 4 and 5 - protect CUI and reduce risk of Advanced Persistent Threats (APTs).
The DoD intends to incorporate CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS) and will make certification a requirement for most DoD contracts. Visit https://www.acq.osd.mil/cmmc/index.html to learn more.
Why is CMMC being implemented?
The DoD is transitioning to the new CMMC framework to protect against the theft of DoD sensitive information and intellectual property. The CMMC will assess and enhance the cybersecurity of the Defense Industrial Base (DIB) supply chain and ensure that appropriate cybersecurity practices and processes are in place.
Who needs to be CMMC certified?
The DoD estimates that more than 300,000 organizations will require assessment and certification to one of the five CMMC levels. This includes prime contractors, subcontractors, and generally all organizations that sell or service the DoD.
When is the DoD implementing the CMMC requirement?
The DoD will be phasing CMMC requirements into new contracts beginning in 2020. For 2020, the DoD is planning for 10 Requests for Information (RFI) and 10 Requests for Proposal (RFP) to include CMMC requirements. Over the next five years CMMC requirements will be included in new DoD contracts at an increasing rate, and by FY 2026 nearly all new DoD contracts will include CMMC requirements.
Are there members of the DoD supply chain using AWS now?
A wide range of organizations, programs, and contractors across the DoD supply chain use AWS to transform their business and operations. They leverage AWS to create secure environments to process, maintain, and store U.S. Federal Government data in accordance with DFARS, DoD Cloud Computing Security Requirements Guide (SRG), Federal Risk and Authorization Management Program (FedRAMP), and other federal compliance programs.
You can review case studies to learn how AWS is helping the DoD including the U.S. Defense Logistics Agency, U.S. Air Force, U.S. Navy, and U.S. Special Operations Command, as well as DoD contractors like Lockheed Martin, Raytheon, and GDIT. For more information on how AWS meets the high security requirements of the DoD, see the Cloud Computing for Defense webpage.
How does my organization get certified?
An independent, non-profit Accreditation Body (AB) has been established by the CMMC to train and accredit individual assessors from Certified Third-Party Assessment Organizations (C3PAOs). The CMMC-AB plans to launch a CMMC Marketplace for DoD contractors to view, select, and engage with approved C3PAOs for assessments and certifications.
DoD contractors will undergo an independent security assessment by a C3PAO every three years, and will be certified to a specific CMMC maturity level. The CMMC-AB will provide the requisite information and updates on its website: https://www.cmmcab.org.
Is AWS CMMC certified?
The CMMC-AB has yet to identify and certify assessors and C3PAOs, and has not created the CMMC-AB marketplace which will provide the list of C3PAOs that have been certified to perform assessment. AWS is collaborating with the DoD and the CMMC-AB on the requirements and certification process.
Does AWS provide solutions to help with CMMC certification?
AWS is collaborating with the DoD and the CMMC-AB on CMMC requirements to help accelerate adoption and certification across the Defense Supply Chain (DSC). The CMMC-AB is in the process of identifying and training the certified CMMC assessors and C3PAOs, defining the certification process, detailing FedRAMP reciprocity, and creating the CMMC marketplace. AWS intends to provide CMMC solutions for customers that will accelerate their CMMC certification and reduce their level of effort and risk. AWS plans on offering CMMC solutions that include automated deployment capabilities, reference architectures, CMMC practices responsibility matrix, potential FedRAMP authorization inheritance (once defined by DoD), and supporting certification documentation for customers to leverage as they pursue their CMMC certification. AWS intends to provide customers the flexibility to deploy and certify AWS CMMC solutions across our regions (N. Virginia, AWS GovCloud (US), etc.) based on the requirements of their business and DoD programs.
If you have questions regarding CMMC or DoD compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.