What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) for dummies!
Cybersecurity Maturity Model Certification (CMMC) for dummies!
Here at StartProto, we acknowledge the importance of Cybersecurity Maturity Model Certification (CMMC) and CMMC compliance to mitigate threats to sensitive data.
As a cloud-based software company that serves the manufacturing industry, we want all of our people to be able to explain CMMC and the recent changes that have been taking place.
What does cmmc stand for? CMMC stands for Cybersecurity Maturity Model Certification, a framework developed by the DoD to ensure that its contractors and suppliers meet specific cybersecurity standards.
The CMMC program is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors, government contractors, or defense contractors.
It is a unifying standard and new certification model to ensure that DoD contractors are properly protecting sensitive defense information.
The framework and CMMC requirements include a set of cybersecurity controls and processes that contractors and suppliers must implement to achieve CMMC compliance and certification.
The DoD has implemented this framework of basic safeguarding requirements to improve the overall security posture of its supply chain, as it has become increasingly clear that cyber advanced persistent threats pose a significant risk to national security.
Under CMMC, contractors and suppliers will be required to undergo an assessment by a third-party assessor to determine their cybersecurity processes' maturity level in order to migitage threats.
There are five levels to achieve compliance certification, ranging from basic cyber hygiene to advanced cybersecurity practices.
The level of CMMC certification levels and CMMC level required will depend on the sensitivity of the information being handled by the contractor or supplier.
The Cybersecurity Maturity Model Certification (CMMC) program was introduced by the Department of Defense (DoD) to improve supply chain security in the defense industrial base (DIB). Initially, there were five CMMC certification levels, but the CMMC 2.0 program has streamlined the requirements to three levels based on well-established NIST cybersecurity standards .
The previous five levels of CMMC certification were as follows:
It is important to note that the CMMC 2.0 program, which is the next iteration of the Department’s CMMC cybersecurity model, has replaced the five cybersecurity compliance levels with three levels based on the NIST cybersecurity standards .
As we now know, CMMC stands for Cybersecurity Maturity Model Certification, and the CMMC framework includes a set of controls and processes that contractors and suppliers must implement to achieve certification.
These controls cover areas such as access control, incident response, and system and information integrity.
The goal of the framework is to ensure that all contractors and suppliers in the DoD supply chain are meeting a consistent set of cybersecurity standards.
The implementation of CMMC is a significant change for DoD contractors and suppliers. Previously, self-certification was the norm, and many contractors and suppliers did not have the necessary cybersecurity practices in place.
With the implementation of CMMC, all contractors and suppliers will need to demonstrate that they are meeting specific cybersecurity standards to continue doing business with the DoD.
Implementing CMMC is a significant change for DoD contractors and suppliers, but it is a necessary step to improve the overall security posture of the DoD supply chain.
For a long time, the government has been trying to protect itself from any risk it could take while acquiring materials or services.
The Department of Defense initially used standards like the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) to regulate government acquisitions.
The clauses included in FAR and DFARS acted as guidelines for both vendors and the government.
These guidelines acted as security controls for businesses and our government to protect what the United States calls Controlled Unclassified Information or CUI.
In short, CUI is information that any party generates during a DoD or government transaction that may retain critical information about that product or service.
Even though CUI is not classified, even small details about a component used on a product could ultimately expose a weakness or proprietary information.
Why the CMMC Model Has Been Implemented
The problem the government found with DFARS and FAR was that there was no certifying body, leaving the system to be dependent on trust.
Without the monitoring and audits that come with certification programs, many contracts that may have been written to comply with DFARS and FAR are no longer being closely followed, exposing our country's CUI to adversaries.
The solution to this problem is now the Cybersecurity Maturity Model Certification (CMMC), or CMMC model.
CMMC encompasses cybersecurity and information security clauses from both DFARS and FAR and outlines a new framework incorporating a certification process into DFARS.
Similar to DFARS, the purpose of CMMC is to enhance the protection of controlled unclassified information (CUI) and Federal Contract Information (FCI) within the DoD supply chain.
The CMMC outlines different levels at which an organization can be audited, the higher the level, the more complex the security practices will need to be.
These CMMC levels can only be approved by a third-party assessor (no more self-assessments).
CMMC will protect the government's FCI and CUI in today's digital world.
Defining CMMC has been a sensitive and evolving process.
There are a few things that are absolutely true, there will be a requirement for CMMC compliance for all Defense Industrial Base members and Defense Supply Chain members.
As of today, the government would like to see an implementation deadline date for the fiscal year of 2026 (aka October 1st, 2025).
Considering the sheer number of companies that will need to get compliant, assessed, and then audited, some challenges will be involved with getting there.
The DoD is insistent that they will meet these deadlines.
We are waiting to see when the finalization of CMMC rules will take place, CMMC 2.0 is the current step we are on.
Under CMMC 2.0, contractors that handle CUI will have to be certified in meeting one of three tiers of requirements.
The final publication of requirements has the industry is waiting for the U.S. Department of Defense to finalize the newest version of CMMC 2.0.
We are expecting these 2.0 requirements to be available in 2023.
For more on the changes, visit https://www.acq.osd.mil/cmmc/index.html.