What is CMMC?
The Cybersecurity Maturity Model Certification Explained
The Cybersecurity Maturity Model Certification (CMMC) is a program mandated by the Department of Defense (DoD) to verify the cybersecurity of its supply chain. All contractors and sub-contractors in the DoD’s supply chain, except for commercial-off-the-shelf product providers, will have to meet specific compliance requirements. Some will need a certification, whereas some will need to provide self-attestation.
The Defense Industrial Base (DIB) is often the target of complex cyberattacks. Protecting intellectual property and national security has become a point of extreme focus for the DoD. Maintaining this security throughout not only the primary DoD contracts but also all the way down the supply chain is why CMMC has become a necessary step.
CMMC Model 2.0, which was announced in November of 2021, was designed to achieve these primary goals:
- Safeguard sensitive information to enable and protect the warfighter.
- Enforce DIB cybersecurity standards to meet evolving threats.
- Ensure accountability while minimizing barriers to compliance with DoD requirements.
- Perpetuate a collaborative culture of cybersecurity and cyber resilience.
- Maintain public trust though high professional and ethical standards.
Who must obtain CMMC?
The type of data you handle in your contracts determines the level of certification you need. If you deal with Controlled Unclassified Information (CUI), certification is necessary. For Federal Contract Information (FCI), self-attestation suffices. The certification level depends on the data you handle. If you’re already compliant with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) serves as the verification process for your compliance, offering different levels of certification based on your cybersecurity maturity. However, if you only sell Commercial off the Shelf (COTS) products to the Department of Defense (DoD) without dealing with FCI or CUI, CMMC certification isn’t needed.
How do you achieve certification?
The DoD has streamlined certification to a three-tiered model. Level one will require an annual self-assessment and an annual affirmation, level two will require triennial third-party assessments for critical national security information and for select programs an annual self-assessment. Finally, level three will require triennial government-led assessments. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Further CMMC 2.0 Reading
Stay a while. We have plenty to read.
Manufacturing Cybersecurity in 2024
How Important Is Manufacturing Cybersecurity? Manufacturing cybersecurity is one of the major concerns for business leaders across the world. In today's fast-paced world, where technology is changing how we make things, keeping your manufacturing business safe from...
Defense Contractors, Sub-Contractors and CMMC Compliance
Cybersecurity has become a top priority for governments, businesses, and individuals alike. New cyber-attacks are launched daily across all sectors, public and private. Cybersecurity has become a necessity for defense contractors, tasked with handling sensitive...
CUI- Controlled Unclassified Information and CMMC
Understanding CUI: A Vital Component of Information Security The Department of Defense (DoD) defines CUI as “Government-created or owned Unclassified information that allows for, or requires, safeguarding and dissemination controls in accordance with laws,...
Department of Defense and CMMC
The Department of Defense (DoD) and CMMC Digital vulnerabilities have made robust cybersecurity measures indispensable, especially within sectors handling sensitive information critical to national security. Recognizing this imperative, the Department of Defense (DoD)...
Recent Comments