The U.S. Department of Defense released the first version of the Cybersecurity Maturity Model Certification (CMMC) back on January 31, 2020. Since that time, there has been a flurry of different industry experts working towards helping clients understand and prepare for getting certified under CMMC. But what is it?

The Cybersecurity Maturity Model Certification (CMMC)

If you are familiar with NIST 800-171, then you are ahead of the curve. NIST 800-171 was created to allow companies that had contracts with the Department of Defense to show they were protecting Controlled Unclassified Information (CUI). This included personal and confidential data residing on non-federal systems that are operated on behalf of a federal agency. Initially, contractors were allowed to self-certify that they met the NIST 800-171 requirements. CMMC version 1 seeks to change that by requiring a third-party assessment of the contractor's compliance with CMMC and by mandating that the contractor demonstrate the capability to adapt to evolving cyber threats against CUI.


This new CMMC requirement will affect over 300,000 different companies, from large system integrators to simple mom-and-pop shops that might provide cleaning services. Does this mean that each contractor will be required to meet the same standards? No, there will be five tiers based upon function that different contractors will have to meet. Each tier adds requirements on top of the tier below it, so a contractor at Tier 2 would have to meet the Tier 1 and Tier 2 requirements, while a company at Tier 5 would have to meet all the requirements for Tiers 1 through 5. Each tier establishes a different level of cybersecurity maturity.

The 5 Levels of CMMC

  • Level 1 covers the basic safeguarding of contractor information systems as listed in FAR Clause 52.204.21. It provides for things such as limiting systems to authorized users only, limiting to certain