What is CMMC?

Cybersecurity Maturity Model Certification Explained

“The theft of intellectual property and sensitive information undermines our nation’s defense posture and economy. Global costs last year are estimated at $600 billion, with an average cost per American of $4,000. It is time for action.” CMMC-AB

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the most recent cybersecurity framework from the Department of Defense (DoD) designed to protect the U.S. defense supply chain from foreign and domestic cyberthreats and reduce the overall security risk of the defense sector.

The purpose of CMMC is to provide increased assurance to the DoD that Defense Industrial Base (DIB) companies can adequately protect sensitive unclassified information throughout the multi-tier supply chain.

The Evolution of CMMC

The CMMC framework is built upon the existing Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012, published as a final rule on October 21, 2016. DFARS mandates that DoD contractors provide adequate security to safeguard covered defense information and adopt cybersecurity standards based on the NIST SP 800-171 cybersecurity framework.

Third-party assessment and certification under DFARS is not required, but numerous special publications, including the NIST MEP Cybersecurity Self-Assessment Handbook, were provided to help DIB partners understand and attain compliance.

Due to the slow adoption rate and lack of enforcement of DFARS, the DoD created the CMMC framework, which includes standardized best practices from numerous cybersecurity standards, including Federal Information Processing Standards (FIPS) 200, NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others.

How is CMMC different from NIST SP 800-171 & DFARS?

Third-party verification & certification

Unlike previous self-assessed frameworks such as NIST SP 800-171, the CMMC framework includes a ‘verification component’ to ensure that cybersecurity controls and processes are adequate to reduce risk and protect controlled unclassified information (CUI) throughout the entire Defense Industrial Base (DIB) supply chain.

Assessments for CMMC certification will be conducted by independent CMMC Third Party Assessment Organizations (C3PAOs) authorized by the CMMC-AB, the accreditation body for CMMC.

Certification for a range of cybersecurity controls, processes & practices

Additionally, unlike NIST SP 800-171, the CMMC model has five cumulative certification levels. These five levels represent progressive maturity levels of cybersecurity practices and processes, ranging from basic cyber hygiene to advanced, so that CMMC compliance remains cost-effective and affordable for small businesses to implement at the lower CMMC levels.

Read more about CMMC Maturity Levels & Domains.

What organizations are included in CMMC mandates?

CMMC includes all DoD suppliers at all tiers. If you supply any product that makes its way into the Department of Defense procurement supply chain, CMMC applies to you, whether you are a manufacturer, wholesaler or distributor, and whether you supply chemical components, raw materials or technology.

To bid on future contracts and participate in RFPs and RFIs, all suppliers will at some point require CMMC certification at some level. According to information published by the Department of Defense, “the required CMMC level for a specific contract will be contained in the RFP sections L&M, and will be a go/no-go decision.” While a deadline for CMMC certification has not been finalized, the DoD has stated that pre-CMMC contracts are being retired and migrated to CMMC contracts by 2026.

No more check-box compliance — CMMC is here.

Are you ready?

If you have questions about how CMMC will impact your organization, or are not sure where to begin, we can help!

Schedule your free, no-obligation pre-audit CMMC Planning Session today.

  • No-cost, no-obligation
  • Independent, certified auditor
  • Find out how CMMC will impact your organization
  • Gain insight, lose the confusion
Ready to get compliant and stay compliant?

GlacisTech’s 4-Step Worry-Free CMMC program is the answer.


Don't wait for the CMMC audit to find your vulnerabilities.

Be ready for the CMMC assessment and keep your ability to bid on government contracts.