Standard Overview
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a cybersecurity assessment framework established by the U.S. Department of Defense (DoD). The final program rule (32 CFR Part 170) was published in October 2024 and took effect on December 16, 2024. It requires contractors and subcontractors in the Defense Industrial Base (DIB) to reach a specified level of cybersecurity maturity in order to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 is simplified to three levels: Level 1 (Foundational: the 15 basic safeguarding requirements of FAR 52.204-21, verified by self-assessment; earlier CMMC material counted these as 17 practices), Level 2 (Advanced: the 110 requirements of NIST SP 800-171) and Level 3 (Expert: 24 additional requirements selected from NIST SP 800-172).
CMMC requirements will be phased into DoD contracts over a three-year period once the companion DFARS acquisition rule is in effect; the original projection was for the phase-in to begin in mid-2025. Level 2 certification requires an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO), although some Level 2 contracts allow a self-assessment instead; Level 3 is assessed by the DoD itself, through the Defense Contract Management Agency's DIBCAC. Failing to hold the CMMC level a contract requires can mean losing eligibility to bid or termination of an existing contract. The framework affects roughly 220,000 defense contractors, from large prime contractors to small component suppliers. The main implementation challenges are scoping the CUI boundary, satisfying every security requirement, managing a Plan of Action and Milestones (POA&M) for any gaps, and sustaining compliance over time.
Three Maturity Levels
Streamlined from five to three levels: Level 1 (Foundational, the 15 FAR 52.204-21 requirements), Level 2 (Advanced, the 110 requirements of NIST SP 800-171), and Level 3 (Expert, 24 selected NIST SP 800-172 requirements on top of Level 2).
Third-Party Assessment
Level 2 certification requires assessment by a Certified Third-Party Assessment Organization (C3PAO); a subset of Level 2 contracts accept a Level 2 self-assessment instead. Level 1 allows annual self-assessment. Level 3 requires a government-led assessment by DCMA DIBCAC, and a Level 2 certification is a prerequisite.
CUI Protection
Specifically designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base supply chain.
CMMC Domains (8 of the 14)
- Access Control — limit system access to authorized users
- Identification & Authentication — verify user identities
- Media Protection — protect CUI on digital and physical media
- Physical Protection — limit physical access to systems
- System & Communications Protection — monitor and protect communications
- System & Information Integrity — identify and manage flaws
- Incident Response — establish operational incident handling
- Risk Assessment — identify and evaluate risk to CUI
Who Needs to Comply?
All contractors and subcontractors in the U.S. Defense Industrial Base (DIB) who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts.
Key Requirements
Self-Assessment (Level 1)
Complete an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in earlier CMMC material). Every requirement must be met; no POA&M is permitted at Level 1. Record the result and affirm compliance in the Supplier Performance Risk System (SPRS).
NIST SP 800-171 Compliance (Level 2)
Implement all 110 security requirements from NIST SP 800-171 Rev 2. Undergo assessment by a C3PAO (or, where the contract allows it, a self-assessment) and achieve a passing score. Maintain a System Security Plan (SSP) describing how each requirement is implemented, and a Plan of Action & Milestones (POA&M) for any that are not yet met.
Plans of Action & Milestones
Document any unmet requirements with specific remediation plans, responsible parties, and target completion dates. A POA&M is allowed only at Level 2 and Level 3, only if the assessment reaches the minimum passing score (at Level 2, 88 of 110), and not for the highest-weighted requirements. It yields a conditional status, and all POA&M items must be closed out within 180 days of the assessment or the conditional status lapses.
Continuous Compliance Affirmation
A designated senior official (the Affirming Official) must annually affirm the organization's continued compliance status in SPRS. A certification is valid for three years, but it remains valid only while the annual affirmations are made.
Penalties & Enforcement
Contractors that fail to meet required CMMC levels are ineligible for DoD contract awards. False compliance claims expose contractors to liability under the False Claims Act, with penalties of up to three times the government's damages plus per-claim penalties.