SAP NS2

Take a deep dive into security: How the Cybersecurity Maturity Model Certification program protects sensitive defense data


It’s hard to believe it has been ten years since the Department of Defense issued guidance on how to protect sensitive defense data. Since then, there have been many twists and turns, challenging how to best protect data and keep it safe from adversaries. Nonetheless, it is clear the U.S. benefits from a more secure defense base. 

Looking back in time, in 2015 the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-171. This publication established security controls for protecting Controlled Unclassified Information (CUI). In turn, the U.S. Department of Defense (DoD) issued the regulation Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This required the implementation of NIST SP 800-171 and created reporting requirements around data breaches.

In 2020, the Cybersecurity Maturity Model Certification (CMMC) was established by DoD to further enhance cybersecurity standards for defense contractors and subcontractors. CMMC ensures organizations properly protect sensitive information, including CUI and Federal Contract Information (FCI).

Each of these moments in history signals not only the importance of protecting data, but also the need for strict guidelines and regulations that dictate how contractors and subcontractors should handle government data. Without such guidelines, trade secrets and mission-critical information could be at risk.

An ever-evolving threat landscape

Although it’s been 10 years since these measures were put in place, many people still do not know the extent of the threats faced by the Defense Industrial Base (DIB). This is largely due to the confidential nature of incident reporting, but just because we may not hear about it does not mean it isn’t happening.

Katie Arrington, PTDO CIO was quoted in AFCEA Signal Magazine saying, “Nation-state attacks are something that we’re feeling every day, and we lose on average about $200-$250 million a day in the DIB, the defense industrial base, due to data loss, ransomware, IP theft, etc.”

(https://www.afcea.org/signal-media/cyber-edge/katie-arrington-change-good-and-change-coming)

It’s clear that even with stringent protocols in place, hackers still try to find a way to access our nation’s most critical information. As attackers evolve and continue to attempt to access sensitive defense data, we evolve, too.

Making changes: How the revised CMMC addresses growing challenges

In November 2021, the Department of Defense announced the revised CMMC Program, which included an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

The revised CMMC Program has three key features: a Tiered Model, an Assessment Requirement, and Phased Adoption. These features enhanced the way data is protected across the DIB.

CMMC Levels

To better enforce the protection of unclassified data, the CMMC established levels that companies processing FCI and CUI must follow. This requires partners and providers of the DIB to implement cybersecurity standards at progressively advanced levels in accordance with FAR 52.204-21, NIST SP 800-171r2, and NIST SP 800-172. The respective CMMC levels are 1, 2, and 3.

Level One: Basic safeguarding of FCI
  • Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level Two: Broad Protection of CUI
  • Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation. The assessment type is decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.
  • Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2. Annual affirmations are submitted in the Supplier Performance Risk System.

Level Three: Higher-Level Protection of CUI Against Advanced Persistent Threats
  • Achieve CMMC Status of Final Level 2.
  • Undergo an assessment every three years by the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center (DIBCAC).
  • Provide an annual affirmation verifying compliance with the additional 24 identified requirements from NIST SP 800-172.

Table 1: An outline of the varying CMMC data protection levels

This model is designed to protect FCI and CUI shared with defense contractors and subcontractors during contract performance. This ensures all parties handling sensitive data are held accountable, and each party understands the precautions in place in order to keep data safe.

The two types of CUI: Specified and Basic

Whenever the DoD provides information to contractors, it must identify whether the information is CUI via the contracting vehicle and subsequently mark all information within documents, material, or media provided to the contractor.

It is possible for non-DoD organizations to generate CUI. For example, architectures and configurations of FedRAMP authorized cloud environments developed by commercial Cloud Service Providers (CSPs) may be considered CUI.

Whenever the DoD provides CUI to, or CUI is generated by non-DoD entities, protective measures and dissemination controls must be implemented per DoD Instruction 5200.48 Controlled Unclassified Information.

Overall, there are two types of CUI data: specified and basic.

CUI Specified
This is the subset of CUI in which the authorizing law, regulation, or government-wide policy contains specific handling controls that it requires agencies to use that differ from those for CUI Basic. CUI Specified controls are more stringent than those required by CUI Basic. The distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information.
CUI Basic
Here the underlying authority does not provide specific handling guidance. The CMMC controls still apply, but working information such as a host name from a FedRAMP authorized cloud environment may transit internal ticketing or email systems under less specific guidance while still being protected by technical controls.

This standard baseline on how to define varying types of CUI allows government and defense entities to apply additional safeguards around their data when necessary. It also allows contractors to understand the sensitivity of the data they are handling.

How the CMMC has transformed

In the past decade, the CMMC has evolved significantly to address the growing complexity of cyberthreats and create stronger safeguards across the DIB. What was once a framework to promote basic cybersecurity hygiene has now turned into a dynamic, adaptive model that supports federal requirements.

The CMMC program has created a working model that streamlines compliance while always falling back on the rigorous standards that are needed to protect CUI. As our threat landscape evolves, the growth of the CMMC reflects a broader commitment by the DoD to secure sensitive defense data, enhance accountability, and build a resilient security posture for our nation.

Written by

Ted Wagner

Vice President and Chief Information Security Officer
