What is CMMC?

The Cybersecurity Maturity Model Certification Explained

The Cybersecurity Maturity Model Certification (CMMC) is a program mandated by the Department of Defense (DoD) to verify the cybersecurity of its supply chain. All contractors and sub-contractors in the DoD’s supply chain, except for commercial-off-the-shelf product providers, will have to meet specific compliance requirements. Some will need a certification, whereas others will need to provide a self-attestation.

The Defense Industrial Base (DIB) is often the target of complex cyberattacks. Protecting intellectual property and national security has become a point of extreme focus for the DoD. Maintaining this security throughout not only the primary DoD contracts but also all the way down the supply chain is why CMMC has become a necessary step.

CMMC Model 2.0, which was announced in November of 2021, was designed to achieve these primary goals:

  • Safeguard sensitive information to enable and protect the warfighter.
  • Enforce DIB cybersecurity standards to meet evolving threats.
  • Ensure accountability while minimizing barriers to compliance with DoD requirements.
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience.
  • Maintain public trust through high professional and ethical standards.

Who must obtain CMMC?

The type of data you handle in your contracts determines the level of certification you need. If you deal with Controlled Unclassified Information (CUI), certification is necessary. For Federal Contract Information (FCI), self-attestation suffices. The certification level depends on the data you handle. If you’re already compliant with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) serves as the verification process for your compliance, offering different levels of certification based on your cybersecurity maturity. However, if you only sell Commercial off the Shelf (COTS) products to the Department of Defense (DoD) without dealing with FCI or CUI, CMMC certification isn’t needed.

How do you achieve certification?

The DoD has streamlined certification into a three-tiered model. Level one requires an annual self-assessment and an annual affirmation. Level two requires triennial third-party assessments for critical national security information, and, for select programs, an annual self-assessment. Finally, level three requires triennial government-led assessments. CMMC 2.0 will become a contract requirement once rulemaking is completed.
