what is cmmc?

CMMC = Cybersecurity Maturity Model Certification

CMMC was developed by the United States Department of Defense (Office of the Under Secretary of Defense for Acquisition and Sustainment). The goal of this model is to verify that entities that store, process or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) actually meet the minimum security requirements they have agreed to in their contracts. This creates a greater level of protection for FCI and CUI. In short, the federal government is taking steps to ensure that contractors holding this data are not breached, which would leak highly sensitive information. There are currently three levels of CMMC, which you can review here. Level 1 covers the basic safeguarding requirements for FCI, Level 2 maps to NIST SP 800-171 Rev 2 for CUI, and Level 3 adds a subset of the enhanced requirements from NIST SP 800-172 for a small number of contracts. The level required of you depends on the type and sensitivity of the data you hold, as well as the threat posed by a breach of that data.

This is not just a framework for DoD contractors and the federal government. CMMC is being adopted by commercial organizations for a multitude of reasons. Some are being required to adopt CMMC because they offer goods or services to upstream clients who happen to be DoD contractors or federal entities. The CMMC requirement flows down the supply chain: in order to win the bid or project, the commercial organization must be certified at the level appropriate to the FCI or CUI it will handle for the organization it services. In some instances, non-government entities are adopting CMMC simply because it is a sound security framework.

History

In 2016 the DFARS 252.204-7012 clause was adopted, which required contract holders to self-attest that they meet or exceed the security requirements of NIST SP 800-171.

In 2019, the DoD announced the creation of CMMC. This transitioned away from a self-attestation model to requiring third-party assessments. It should also be noted that a number of supply chain breaches occurred during this time frame, which resulted in the DoD working alongside industry to create CMMC.

A DFARS interim rule allowing CMMC requirements to be included in procurement contracts went into effect in November 2020.

CMMC 2.0 was announced in November 2021. It reduced the original five levels to three, aligned Level 2 directly with NIST SP 800-171, and reinstated self-assessment for Level 1 and for a subset of Level 2 contracts, with third-party assessments still required for the rest.

CMMC has been met with criticism. This stems from the rapid timeline in which entities must rush to meet these requirements. The DoD has also been criticized because of the expense of migrating toward compliance. In short, it's time consuming and expensive to do security right. Concerns have also been raised about the limited number of accredited third-party assessment organizations (C3PAOs) available to perform certifications.

Who does this apply to?

Today CMMC applies to DoD contractors. If you see this framework make its way into commercial industry, it is likely because that organization is a subcontractor and compliance is a requirement of a contract. If you are a DoD contractor, you already know you must be CMMC compliant. If you work for a DoD contractor and this is the first you've heard of CMMC, you should update your resume now.

If you are a subcontractor to the DoD or its contractors, you are likely a candidate for CMMC. I recommend exploring this requirement now, so you have time to meet it. Please note, CMMC is a comprehensive model that requires time, planning and budgeting.

If you have questions about CMMC or you would like to discuss steps your organization can take to adopt this framework, please give me a shout. This journey can feel overwhelming, but you're not alone.

Y'all be good,

DB
