This post will be about what all these acronyms mean, how they are all related to each other and the purpose they serve. Let’s begin with a few definitions:
- CMMC 2.0 – Cybersecurity Maturity Model Certification: A set of cybersecurity best practices and assessments mandated by the US federal government.
- NIST 800-171: A NIST special publication titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. It gives guidance to commercial entities that are handling data on behalf of the US federal government.
- FIPS 140-3: Federal Information Processing Standard 140-3; a NIST standard and certification regime that specifies requirements for cryptographic modules.
- CUI: Controlled Unclassified Information; sensitive information used by the US federal government that is not considered classified. Examples include personal identification information such as social security numbers, medical records and tax records.
- FCI: Federal Contract Information; non-public data generated by or for the US federal government under contract and protected under confidentiality guarantees. Examples include statements of work and internal process documentation.
- DIB: Defense Industrial Base; the collection of commercial entities that work together with the US federal government to perform research and development of defense technologies and systems to strengthen national security.
CMMC 2.0 is a model designed to use the guidance in NIST 800-171 to get DIB entities to enact a set of practices and assessments that achieve standard levels of cybersecurity maturity. This model and these practices apply to CUI and FCI when at rest and during transmission. The cryptographic modules used as part of these practices to protect the CUI and FCI are certified under the FIPS 140-3 program.
It is important to note that the CMMC 2.0 model includes assessments, audits and certifications that are done both internally by an entity and by independent third-party auditors and labs. For example, cryptographic modules are certified by NIST’s CMVP (Cryptographic Module Validation Program) under FIPS 140-3.
Do you have CMMC 2.0 requirements? Were you confused about CMMC 2.0 before reading this post? Feeling better? Good!
Here at wolfSSL, we want you to understand that if CMMC 2.0 applies to you, we can help you with your FIPS 140-3 requirements. Our wolfCrypt library is already certified under FIPS 140-3 with a 5-year validity window. Send a message to facts@wolfssl.com or fips@wolfssl.com to find out how we can help.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.