The CMMC Model
The CMMC encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”
The CMMC model combines various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC also measures the maturity of a company’s institutionalization of cybersecurity practices and processes.
What the CMMC Means for DoD Contractors
The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a “verification component” for its cybersecurity requirements. Previously, the DoD entrusted contractors to achieve compliance on their own; with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD has updated its policies.
So what does this mean for DoD Contractors?
It means that all DoD Contractors will need to become CMMC Certified by passing a CMMC Audit that verifies they have met the appropriate level of cybersecurity for their business. Eventually, this will be a requirement for any organization that wants to hold contracts with the Department of Defense or work as a subcontractor on DoD-related projects. For more information on the appropriate levels of cybersecurity, see “About CMMC Levels” below.