While the Defense Department’s Cybersecurity Maturity Model Certification program has yet to be fully implemented, defense contractors are working through the complex process of conducting a Level 1 self-assessment, referred to by experts as “basic cyber hygiene.”
The program, known as CMMC, is the Defense Department’s mechanism to assess whether companies and contractors that handle sensitive unclassified information are compliant with the department’s cybersecurity requirements.
Contrary to popular belief, the Defense Department’s cybersecurity requirements have been around for a long time, said Logan Therrien, chief strategy officer at Kieri Solutions. “They are something that has been expected to have been implemented in organizations, and then the CMMC is just the assessment verification process making sure it’s being implemented.”
Specifically, the program is designed to determine whether companies have the correct measures in place to protect federal contract information, or FCI, and controlled unclassified information, or CUI, shared with defense contractors and subcontractors.
Federal contract information refers to information “not intended for public release that is provided by or generated for the government,” Therrien said during a recent webinar hosted by the National Defense Industrial Association. “Under a contract, the developer delivers a product or a service to the government, not including information provided by the government to the public. So, that’s a good delineation right there and then, or simple transactional information, such as information that’s needed to process payments.”
CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, according to the Code of Federal Regulations (32 CFR Part 2002, the rule that governs the CUI program).
If one thinks of federal contract information as a big circle, inside that circle “is a smaller circle that’s labeled CUI, and what that means is that CUI is also FCI,” Therrien said. In other words, all CUI is FCI, but not all FCI is CUI: only the subset that a law, regulation or government-wide policy requires to be safeguarded rises to the level of controlled unclassified information.