Cybersecurity Maturity Model Certification (CMMC) is the new unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
This new CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. Roughly 300,000 Department of Defense contractors make up the DIB. These contractors must all be CMMC-certified by September 30, 2025.
On November 4, 2021, the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.
As a nation we must protect the supply chain of 300,000 companies globally.
Department of Defense CMMC Model
The DoD created the CMMC model as a cybersecurity standard for the DIB. CMMC assessments initially occurred across five levels of maturity, with level 1 requiring the most basic cybersecurity and level 5 requiring the most advanced.
With CMMC 2.0, the DoD is changing the CMMC standards and collapsing the model into three levels, down from the previous five. CMMC 2.0 becomes the DoD’s methodology for holding its supply chain accountable for implementing the FAR 52.204-21 and DFARS 252.204-7012 clauses, which means it will replace CMMC 1.0. The overarching goal of the model remains the same, however: protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To simplify the assessment process, the model’s five tiers have been consolidated into three.
Contractors can begin by identifying which level their organization falls under:
- Level 1 (Foundational) – Little has changed at this level in the newer model. If you handle FCI but not CUI, you fall under Level 1. These organizations are expected to implement the Federal Acquisition Regulation’s 17 most basic cybersecurity controls. ALL Federal contractors are required to implement these 17 basic safeguards, which cover areas such as physical protection and access control. Although this is the lowest level, implementing these controls is not an overnight process, so contractors should remain diligent when doing so.
- Level 2 (Advanced) – Formerly Level 2/3. If your business is in the manufacturing sector and/or provides parts and services for weapons, it is very likely that your small business will fall under this category.
- Level 3 (Expert) – Formerly Level 4/5. Large prime contractors and those who work on highly critical national security programs, which are significant targets of nation-state adversaries and Advanced Persistent Threats (APTs), will have to focus on Level 3. These organizations handle CUI, but they also likely handle secret and, potentially, top-secret information.
Compliance with the CMMC
Who must comply with CMMC?
All of the roughly 300,000 Department of Defense contractors that make up the DIB must be CMMC-certified by September 30, 2025.