CMMC Series Part 1: The Background & Timeline for 2021

Learn the differences between Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and Controlled Technical Information (CTI) within the Cybersecurity Maturity Model Certification (CMMC) standard.
Figure out which CMMC Level you may be required to meet.
Get an up-to-date timeline for early 2021 CMMC assessment preparation.

General Overview of Types of Information and the Protection they Require

Federal Contract Information (FCI)

FCI is information that is not intended for public release but doesn’t meet the level of CUI-required protection. The current contractual obligation comes from the FAR clause 52.204-21.

CMMC Level 1 starts at general FCI.

Controlled Unclassified Information (CUI)

CUI is a sensitive, unclassified type of FCI under the control of agencies and services. Because there are different ways of managing data, this has to be carefully regulated by the Information Security Oversight Office (ISOO). The current contractual obligation for CUI was established by an executive order by President Barack Obama in 2016, through the DFARS Clause 252.204-2012.

CUI can be classified as Basic or Specified, and can be either electronic and stored on a PC or it can be in print format. But no matter the form, and no matter how seemingly inconsequential, organizations are required to have proper marking and protections in place. It must be consistently safeguarded with a law, regulation, or government policy.

As detailed in the CUI registry, there are 24 categories of CUI, 92 sub-categories, and 110 types. Should the government find a need to protect data that doesn’t yet fall under one of the existing categories, sub-categories, or types, they can add it to the registry.

Controlled Technical Information (CTI)

CTI is a category of CUI which has to do with military and space applications. The starting level of CMMC required for CTI is Level 3, which is essentially NIST SP 800-171 with an additional 20 controls).

The contractual obligation is dictated by DFARS clause 252.24-7012, which states that organizations should follow NIST 800-171 and properly implement it, or at least have a Plan of Action and Milestones (POA&M) for non-compliant controls.

The 2021 CMMC Timeline

The first six months of 2021 are still murky for CMMC. But it’s the first two quarters that will be some of the most formative in terms of the program structure moving into the next 5 years, which is when all DoD contractors and subcontractors will have to complete the CMMC.

January: Assessments will begin being submitted for a score. All assessments must be completed by a certified third party organization (C3PAO) or registered provider organization (RPO).

Q1 overall: A formal training program will begin where, publicly, experts will be able to become certified a certified professional or assessor. The exact timing of the release of certification exams will be by milestone, or by demand. Certification levels 1 and 3 will come first, as early as March or April, and level 5 will come next.

Q2 and Beyond: The CMMC Accreditation Body (CMMC-AB) notes that rule changes are in place, but they won’t be going through the assessments and certifying for a period of time — this is a discrepancy that the industry is waiting to be explained further. The CMMC Program Management Office (PMO), which is the DoD office running the CMMC, will decide who will go for a score first, versus a pilot assessment.

The initial demand is going to be higher than the availability. The goal is to scale the CMMC program quickly once the CMMC professional and assessor programs begin, as several schools will be involved. This scaling can be expected for Spring through Summer of 2021.

Conclusion

Do you still have questions about the basics and background of CMMC, and how it all impacts your organization? You can read more on our CMMC services page, or schedule a one-on-one meeting with a CMMC subject matter expert. For a more proactive solution to address your questions and streamline CMMC preparation, there are options like the Assured Defense Package, designed by SecureStrux to help simplify the process.