What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a major Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber attacks. It particularly aims to enhance the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB.

Who is subject to CMMC?

All DoD prime- and sub-contractors planning to bid on future contracts with the CMMC DFARS clause will be required to obtain a CMMC certification prior to contract award. Some prime- and sub-contractors accessing, processing or storing FCI (but not CUI) will minimally require a Level 1 attestation. A DoD contract will specify which level of compliance a contractor needs to meet.

CMMC MATURITY LEVELS

The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.

• Level 1 - Foundational. An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."

• Level 2 - Advanced. An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes

• Level 3 - Expert. An organization must have standardized and optimized processes in place and additional enhanced practices that detect and respond to changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is as an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having resources to monitor, scan, and process data forensics.