Cybersecurity Maturity Model Certification (CMMC) Basics
Cybersecurity Maturity Model Certification (CMMC) Program
CMMC is a comprehensive framework for ensuring that the Defense Industrial Base (DIB) adheres to cybersecurity standards. It is a collaborative effort between the Department of Defense (DoD) and DIB partners to safeguard sensitive unclassified information.
The Role of DFARS
The Defense Federal Acquisition Regulation Supplement (DFARS) plays a crucial role in the cybersecurity of the defense industrial base. It is the vehicle through which the DoD implements and enforces the CMMC requirements.
Transition from CMMC 1.0
The release of CMMC 2.0 in November 2021 marks a significant shift in cybersecurity expectations for defense contractors. With this update, the previous version of the program, CMMC 1.0, is no longer mandatory for compliance. The DoD implemented an interim rule in September 2020, DFARS Case 2019-D041, that phases out CMMC 1.0 over a five-year period, providing companies with time to adapt to the new standards.
Understanding CMMC 2.0
The transition to CMMC 2.0 requires defense contractors to update their cybersecurity infrastructure and processes. Such updates may include additional training for staff, implementation of new cybersecurity technologies, and a comprehensive review of current security protocols.
CMMC 2.0 takes a three-pronged approach to cybersecurity:
Tiered Model: Defense contractors must enforce a tiered system of cybersecurity standards that become progressively more stringent as the sensitivity of information increases; subcontractors are held to the same cybersecurity and information standards as the prime contractors.
Assessment Requirement: The DoD can conduct assessments to ensure that defense contractors and subcontractors put clear-cut cybersecurity standards in place to comply with CMMC requirements.
CMMC Enforcement through Contracts: Some defense contractors with access to sensitive unclassified information will have to provide cybersecurity protection at a specific CMMC level in order to win the contract.
Looking Ahead
As the defense industry adjusts to CMMC 2.0, there is a need for clear communication and guidance from the DoD. Contractors looking to the future seek clarity on how the new standards will evolve and what they should prioritize in their preparations.