CMMC is a standard for implementing cybersecurity. Its framework includes a certification element to confirm processes and practices are in place at your organization. The intention is to protect sensitive unclassified information in the supply chain. All organizations that conduct business with the Department of Defense (DoD) will soon be required to be CMMC certified. For the 220,000 DoD contractors and sub-contractors, this is critical news.
When the Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020, the decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy. Most found themselves drowning in the unnecessary noise surrounding CMMC and its larger implications for existing and future government contracts.
The CMMC model has 5 maturity levels, and only level 1 will be required at the start. CMMC level 1 has 17 requirements, which were lifted directly from NIST 800-171. Future DoD contracts will specify which CMMC level is required and may call for higher maturity levels over time.
The initial implementation of CMMC will apply only within the DoD, not necessarily to all non-DoD federal contracts. The DoD is rolling out the requirement in a phased approach until all contracts require certification on September 30, 2025. In this first year of the rollout, only 15 contracts will carry the requirement.
Many organizations across all industries are looking to CMMC as a benchmark for compliance. For example, CMMC and FedRAMP share a common security model. FedRAMP (Federal Risk and Authorization Management Program) is an extensive process requiring a third-party audit to assess the security of cloud solutions and services used by U.S. federal agencies.