What is CMMC?
- The framework of CMMC is limited to Department of Defense contractors only. Regardless of size, all 300,000+ members of the DIB need to become CMMC-certified, according to the CMMC accreditation body (CMMC-AB), which administers the plan on behalf of the DoD.
- One of the most impactful requirements of the mandate is that CMMC assessments – based on 5 different levels of security maturity – are performed and certified by independent third-party CMMC assessors accredited by the CMMC-AB.
- Prior to CMMC, the DoD required all contractors and subcontractors to be NIST SP 800-171 compliant and to self-certify their adherence to these rules. Although the new framework includes these requirements, additional cybersecurity standards will also be baked into the new cybersecurity model, including NIST SP 800-53, ISO 27001 and ISO 27032. Meeting these standards – and being certified by an accredited certification assessor – is a requirement to continue fulfilling or bidding on DoD contracts.
What are the 5 CMMC levels?
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect Controlled Unclassified Information (CUI)
- Levels 4 & 5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)