Cybersecurity Maturity Model Certification (CMMC)

Overview

• What is CMMC 2.0?

  CMMC 2.0 is the next iteration of the DoD’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

• What are the new levels in CMMC 2.0?

  On December 3, 2021, the DoD released the CMMC 2.0 Model Overview. The CMMC 2.0 model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) 52.204-21 and the security requirements for CUI in NIST SP 800-171r2 per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

  CMMC Level 1 (Foundational) for companies with FCI only; information requires protection, but is not critical to national security; requires 17 basic safeguarding practices; CMMC Level 1 Scoping Guidance

  CMMC Level 2 (Advanced) for companies with CUI; will require the 110 practices from NIST SP 800-171r2; may require third-party or self-assessments, depending on the type of information; CMMC Level 2 Scoping Guidance

  CMMC Level 3 (Expert) for the highest priority programs with CUI; will use a subset of NIST SP 800-172; will be assessed by government officials.
  

• Why is CMMC 2.0 being implemented?

  Cybersecurity is a top priority for the Department of Defense.
  
  The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard information.
  

• Who needs to be CMMC certified?

  Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

• When is the DoD implementing the CMMC 2.0 requirement?

  The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.  The DoD’s estimate for the completion of that process is 9-24 months from November 2021.      
  
  Once CMMC 2.0 is implemented, the DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

• Are there members of the DoD supply chain using AWS now?

  A wide range of organizations, programs, and contractors across the DoD supply chain use AWS to transform their business and operations. They leverage AWS to create secure cloud environments to process, maintain, and store U.S. Federal Government data in accordance with Defense Federal Acquisition Regulation Supplement (DFARS), DoD Cloud Computing Security Requirements Guide (SRG), Federal Risk and Authorization Management Program (FedRAMP), and other federal compliance programs.

  You can review case studies to learn how AWS is helping the DoD including the U.S. Defense Logistics Agency, U.S. Air Force, U.S. Navy, and U.S. Special Operations Command, as well as DoD contractors like Lockheed Martin, Raytheon, and GDIT. For more information on how AWS meets the high security requirements of the DoD, see the Cloud Computing for Defense webpage.
  

• How does the new DoD “Interim Rule” affect my organization?

  The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.
  
  Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC 2.0 framework.

• Do cloud services need to be CMMC certified?

  No. CMMC measures a DIB contractor’s cybersecurity capabilities and processes compared to the requirements for a specific CMMC level.  
  
  As a Cloud Service Provider (CSP), AWS is authorized by FedRAMP at FedRAMP High and by the Defense Information Systems Agency (DISA) at SRG Impact Levels 2, 4, and 5.

• Does AWS provide CMMC 2.0 reciprocity with other compliance programs?

  No. The DoD has not yet defined how other compliance programs such as FedRAMP or ISO 27001 Information Security Management will map to CMMC 2.0 levels.

• Does AWS provide solutions and compliance documentation to help with CMMC 2.0 compliance?

  The AWS CMMC Customer Package provides a breakdown of the CMMC Level 2 / NIST SP 800-171 security controls that customers can inherit from AWS by using the AWS Landing Zone Accelerator  in the AWS GovCloud (US).

  The AWS CMMC Customer Package is available for customer download in AWS Artifact in both the AWS Standard and the AWS GovCloud (US) regions. 

• Does AWS Professional Services support customers in meeting their CMMC compliance requirements?

  Yes. AWS Professional Services consultants are trained on the AWS Landing Zone Accelerator in the AWS GovCloud (US), and are able to support customer implementations that address CMMC compliance challenges. 

• Which AWS Region(s) should I use to deploy our CMMC 2.0 cloud environment?

  AWS intends to provide customers the flexibility to deploy and certify AWS CMMC 2.0 solutions across standard and restricted regions (US East/West, AWS GovCloud (US), etc.) based on the requirements of their business and DoD programs and contracts.