Cybersecurity Maturity Model Certification (CMMC)

Overview


The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements.
 
The framework has three key features:
  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

FAQs


  • CMMC 2.0 is the next iteration of the DoD’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
  • On December 3, 2021, the DoD released the CMMC 2.0 Model Overview. The CMMC 2.0 model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) 52.204-21 and the security requirements for CUI in NIST SP 800-171r2 per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

    CMMC Level 1 (Foundational) for companies with FCI only; information requires protection, but is not critical to national security; requires 17 basic safeguarding practices; CMMC Level 1 Scoping Guidance

    CMMC Level 2 (Advanced) for companies with CUI; will require the 110 practices from NIST SP 800-171r2; may require third-party or self-assessments, depending on the type of information; CMMC Level 2 Scoping Guidance

    CMMC Level 3 (Expert) for the highest priority programs with CUI; will use a subset of NIST SP 800-172; will be assessed by government officials.

  • Cybersecurity is a top priority for the Department of Defense.

    The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard information.
  • Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
  • The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.  The DoD’s estimate for the completion of that process is 9-24 months from November 2021.      

    Once CMMC 2.0 is implemented, the DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

  • A wide range of organizations, programs, and contractors across the DoD supply chain use AWS to transform their business and operations. They leverage AWS to create secure cloud environments to process, maintain, and store U.S. Federal Government data in accordance with Defense Federal Acquisition Regulation Supplement (DFARS), DoD Cloud Computing Security Requirements Guide (SRG), Federal Risk and Authorization Management Program (FedRAMP), and other federal compliance programs.

    You can review case studies to learn how AWS is helping the DoD including the U.S. Defense Logistics Agency, U.S. Air Force, U.S. Navy, and U.S. Special Operations Command, as well as DoD contractors like Lockheed Martin, Raytheon, and GDIT. For more information on how AWS meets the high security requirements of the DoD, see the Cloud Computing for Defense webpage.

  • The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

    Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC 2.0 framework.
  • No. CMMC measures a DIB contractor’s cybersecurity capabilities and processes compared to the requirements for a specific CMMC level.  

    As a Cloud Service Provider (CSP), AWS is authorized by FedRAMP at FedRAMP High and by the Defense Information Systems Agency (DISA) at SRG Impact Levels 2, 4, and 5.
  • No. The DoD has not yet defined how other compliance programs such as FedRAMP or ISO 27001 Information Security Management will map to CMMC 2.0 levels.
  • The AWS CMMC Customer Package provides a breakdown of the CMMC Level 2 / NIST SP 800-171 security controls that customers can inherit from AWS by using the AWS Landing Zone Accelerator  in the AWS GovCloud (US).

    The AWS CMMC Customer Package is available for customer download in AWS Artifact in both the AWS Standard and the AWS GovCloud (US) regions. 

  • Yes. AWS Professional Services consultants are trained on the AWS Landing Zone Accelerator in the AWS GovCloud (US), and are able to support customer implementations that address CMMC compliance challenges. 

  • AWS intends to provide customers the flexibility to deploy and certify AWS CMMC 2.0 solutions across standard and restricted regions (US East/West, AWS GovCloud (US), etc.) based on the requirements of their business and DoD programs and contracts.

CMMC Resources


For more information about the AWS solutions and services that support our customers’ DFARS, NIST SP 800-171 or CMMC requirements, please contact us at cmmconaws@amazon.com 

 Landing Zone Accelerator on AWS  DFARS with AWS  AWS Public Sector Blogs on CMMC  AWS GovCloud (US)  FedRAMP Compliance

If you have questions regarding CMMC or DoD compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »