The defense industrial base is facing increasingly frequent and complex cyber attacks. To raise the security baseline, the U.S. Department of War (DoW) has developed the Cybersecurity Maturity Model Certification (CMMC) Program. CMMC assesses defense contractor compliance with existing information safeguarding requirements for federal contract information (FCI) and controlled unclassified information (CUI).
The program provides the DoW with increased assurance that prospective contractors and subcontractors have implemented contractually required cybersecurity standards for nonfederal information systems that will process, store, or transmit FCI or CUI during contract performance.
- Compliance with cybersecurity standards is assessed at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. The program also outlines protection requirements for information flowed down to subcontractors.
- Assessments allow the DoW to verify implementation of foundational cybersecurity standards.
- DoW contractors and subcontractors entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award.
Definitions
Federal Contract Information (FCI)
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. It does not include information the government provides to the public (such as on public websites) or simple transactional information, such as that necessary to process payments. FCI is not specifically marked, but it is non-public data that must be protected with the basic safeguarding requirements of FAR 52.204-21.
Controlled Unclassified Information (CUI)
CUI is all unclassified information throughout the executive branch that requires any safeguarding or dissemination control. Law, regulation (including 32 CFR Part 2002, the CUI regulation this definition comes from), or government-wide policy must require or permit such controls. Agencies therefore may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program. Unlike FCI, CUI is explicitly defined and marked, and it requires the specific safeguards mandated in NIST SP 800-171.
Levels of compliance
Level 1
Basic Safeguarding of FCI: the university must complete an annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
Level 2
Broad Protection of CUI: the university must complete an assessment (a self-assessment or an assessment by an authorized third party, as the contract specifies) and provide an annual affirmation of compliance with the 110 security requirements in NIST SP 800-171 Revision 2.
Level 3
Higher-Level Protection of CUI Against Advanced Persistent Threats: This level requires
- Achieving CMMC Status of Final Level 2;
- Assessment every three years by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); and
- Providing an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
What this means for researchers
Ohio State received its first contract containing CMMC compliance language in January, so researchers began seeing the requirements in DoW contracts at that time. Each contract specifies which CMMC level must be achieved to satisfy the requirement.
- Proposals will include the DFARS provision 252.204-7025.
- Contracts will include the DFARS clause 252.204-7021.
Level 1
If the contract includes a CMMC L1 clause, you will need to use a university-owned and managed computer to store, process, and work with all data for the project.
Level 2
A working group established through the Research Security Governance Board, together with unit information technology security professionals, is coordinating CMMC L2 compliance, including the required assessments, with a target of November 2026. More information will be provided as the university works through implementation.