CMMC

RESOURCES

NEW 48 CFR Proposed Ruling Published by DoD

The Federal Register has published a proposed 48 CFR ruling, "Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)." This proposed ruling would amend the DFARS to incorporate contractual requirements related to the CMMC program. Public comments will be accepted for 60 days after the date of publication in the Federal Register. Link | Download

NEW eResilience article on cyber assurance for prime contractor bidding teams

A new Contract Management magazine article from eResilience discusses supply chain cyber compliance risk and explores issues and strategies that prime contractors should be aware of when sharing CUI with suppliers and subcontractors. This article appeared in the August 2024 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission. Link | Download

NEW Briefing: Appropriate Use of CUI in the DoD

The DoD Office of the Undersecretary of Defense for Intelligence and Security (I&S) released a set of briefing slides providing information on DoD implementation of the CUI program. Link | Download

NEW DoD issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems

The DoD has issued a Class Deviation to modify the DFARS 252.204-7012 clause so that it requires CUI-handling contractors to implement specifically NIST SP 800-171 Revision 2 instead of "the version of NIST SP 800-171 in effect at the time the solicitation is issued". This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded. Link | Download

NEW Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities

The DoD released a final rule that revises eligibility criteria for the voluntary DIB Cybersecurity Program, allowing all contractors who handle CDI (DoD CUI) to benefit from bilateral information sharing, which was previously available only to cleared contractors. This ruling also replaces the need for a Medium Assurance Certificate to access the DIBNet portal for cyber incident reporting by allowing registration for DIBNet access through the Procurement Integrated Enterprise Environment (PIEE). Link | Download

NEW Initial Public Draft: NIST SP 800-171 Rev. 3 (Draft)

NIST has released the initial public draft of SP 800-171 Revision 3, which includes updates to the security requirements and families, updated tailoring criteria, and other enhancements. Link | Download

DRAFT: CMMC Assessment Process (CAP)

This "Pre-Decisional Draft" CAP document details the proposed CMMC Assessment Process that will be utilized by certified Assessors when conducting evidence-based assessments for CMMC Level 2 certification. Note that this document is still in draft form and not yet considered final. Link | Download

Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012

The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors. Link | Download

DoD CIO taking over CMMC program

The DoD has announced that the DoD CIO will be taking over the responsibility for the CMMC program, effective immediately. The office formerly responsible for CMMC (CISO, USD A&S) will be disestablished, and CMMC implementation will continue under the direction of the DoD CIO. Link | Download

CMMC 2.0: Level 1 Self-Assessment Guide

The DoD has released the new Assessment Guide for CMMC 2.0 Level 1. This document provides guidance for companies to correctly perform their Level 1 self-assessments, which must be conducted annually, reported to SPRS, and affirmed by a senior company official when contracts require CMMC 2.0 Level 1. Link | Download

CMMC 2.0 Model and Scoping Guidance

The DoD has released details of the new CMMC 2.0 Model, along with scoping guidance for Level 1 "Foundational" and Level 2 "Advanced" certification, as well as a CMMC 2.0 Artifact Hashing Guide.
  • CMMC 2.0 Model: Link | Download
  • CMMC 2.0 Level 1 Scoping: Link | Download
  • CMMC 2.0 Level 2 Scoping: Link | Download
  • CMMC 2.0 Artifact Hashing Tool User Guide: Link | Download

CMMC 2.0 Announced

The DoD has announced an update to the Cybersecurity Maturity Model Certification (CMMC) program. CMMC 2.0 will incorporate many important changes to the planned implementation of CMMC. Link

CMMC Level 1 and Level 3 Assessment Guides

The CMMC Assessment Guide for Level 3 provides information about the assessment objectives and types of evidence that assessors will need to review in order to validate the successful implementation of CMMC practices and processes. Link | Download (Level 1), Link | Download (Level 3)

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

The DoD has issued an interim rule to amend the DFARS cybersecurity regulations to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Comments on the interim rule should be submitted in writing on or before 60 days after date of publication in the Federal Register.) Link | Download

Cybersecurity Maturity Model Certification (CMMC) Version 1.0 Released (January 31, 2020)

The DoD has released the official version of CMMC v1.0. This document is effective immediately and provides clarification on what the requirements will be for each level of CMMC certification.
DoD CMMC Model Main Documentation V1.0: Link | Download

Cybersecurity Maturity Model Certification (CMMC) DRAFT Version 0.7 (December 6, 2019)

Version 0.7 of the draft CMMC is a complete model that includes all levels from 1 through 5, along with appendices that provide clarifications and discussion points. Link | Download

Cybersecurity Maturity Model Certification (CMMC) DRAFT Version 0.6 (November 7, 2019)

This is the most recent draft of the CMMC, taking into account industry feedback that was received by DoD after releasing CMMC Draft version 0.4 for public comments in September 2019. Link | Download

Cybersecurity Maturity Model Certification (CMMC) Draft v0.4 – Model (September 4, 2019)

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released the Cybersecurity Maturity Model Certification (CMMC) version 0.4 for stakeholder feedback. Link | Download

Establishment of the Chief Information Security Office Memorandum (July 24, 2019)

This memo from Kevin Fahey, Assistant Secretary of Defense for Acquisition, establishes the CISO office with Katie Arrington as CISO. This establishes her authority to implement the CMMC program. Download

Cybersecurity Maturity Model Certification (CMMC) Website (June 2019)

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) launched a website that hosts additional background on the proposed CMMC, including a list of FAQs. Link