What is CMMC?
In 2019 the Department of Defense (DoD) announced the creation of the Cybersecurity Maturity Model Certification (CMMC) program to govern cybersecurity across the Defense Industrial Base (DIB). As originally designed, CMMC did not rely on contractor self-attestation: a company's compliance had to be certified by an accredited CMMC Third-Party Assessment Organization (C3PAO).
CMMC builds on the earlier DFARS 252.204-7012 clause and NIST SP 800-171 requirements but also draws controls from other cybersecurity frameworks. Where CMMC differs is in its maturity model, the required certification of participants, and the added role of third-party assessors. The maturity model is essentially a tiered framework: each higher level adds practices for protecting increasingly sensitive information, from Federal Contract Information (FCI) at the lowest level to Controlled Unclassified Information (CUI) at the levels above it.
On November 4, 2021 the Department of Defense unveiled an update to the framework, CMMC 2.0, intended to streamline compliance, increase flexibility, and lower the cost for manufacturers and IT providers within the DIB. The maturity levels were consolidated from five (5) to three (3), with Level 2 aligned directly to the 110 security requirements of NIST SP 800-171. CMMC 2.0 supersedes 1.0 and allows Level 1 companies, and Level 2 companies handling less critical CUI, to self-assess annually and forgo the cost of a third-party assessment.