
What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) for dummies!

Here at StartProto, we acknowledge the importance of Cybersecurity Maturity Model Certification (CMMC). As a cloud-based software company that serves the manufacturing industry, we want all of our people able to explain CMMC and the recent changes that have been taking place.

For a long time, the government has been trying to protect itself from the risks it takes on when acquiring materials or services. Initially, the Department of Defense used standards like the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) to regulate government acquisitions. The clauses included in FAR and DFARS acted as guidelines for both vendors and the government. These guidelines acted as security controls for businesses and our government to protect what the United States calls Controlled Unclassified Information, or CUI. In short, CUI is information generated by any party during a DoD or government transaction that may contain critical information about that product or service. Even though CUI is not classified, even small details about a component used in a product could ultimately expose a weakness or proprietary information.

The problem the government found with DFARS and FAR was that there was no certifying body, leaving the system to be dependent on trust. Without the monitoring and audits that come with certification programs, many contracts that may have been written to comply with DFARS and FAR are no longer being closely followed, exposing our country's CUI to adversaries. The solution to this problem is now the Cybersecurity Maturity Model Certification (CMMC). CMMC encompasses cybersecurity and information security clauses from both DFARS and FAR and outlines a new framework that incorporates a certification process into DFARS. Similar to DFARS, the purpose of CMMC is to enhance the protection of CUI and Federal Contract Information (FCI) within the DoD supply chain.

CMMC outlines different levels at which an organization can be audited; the higher the level, the more complex the security practices will need to be. These CMMC levels may only be approved by a third-party assessor (no more self-assessments). CMMC will be vital to protecting the government's FCI and CUI in today's digital world.

LEVELS OF CMMC 2.0

Defining CMMC has been a sensitive and evolving process. A few things are absolutely true: there will be a requirement for CMMC compliance for all Defense Industrial Base members and Defense Supply Chain members. As of today, the government would like to see an implementation deadline of fiscal year 2026 (i.e., October 1st, 2025). Considering the sheer number of companies that will need to become compliant, assessed, and then audited, there will be challenges in getting there, but the DoD is insistent that it will meet these deadlines. We are waiting to see when the CMMC rules will be finalized; CMMC 2.0 is the current step. Under CMMC 2.0, contractors that handle CUI will have to be certified as meeting one of three tiers of requirements. The industry is waiting for the U.S. Department of Defense to finalize and publish the newest version of CMMC 2.0. We expect these 2.0 requirements to be available in 2023.

For more on the changes, visit https://www.acq.osd.mil/cmmc/index.html.

Greg Finnegan

Business Development