What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to measure the cybersecurity maturity of contractors across the defense industrial base (DIB), which includes over 300,000 companies. CMMC is the DoD’s response to a significant increase in compromises of sensitive data stored on contractors’ information systems.
When did it go into effect?
September 2020. Many companies have already had to meet certain DoD requirements on the path to CMMC compliance. The expectation is that CMMC will be a requirement of all new DoD requests for proposals beginning in 2026.
What companies are included?
The certification applies to contractors who work directly with the DoD and to subcontractors who contract with prime contractors to fulfill and execute those contracts.
As mentioned above, all contracts with the DoD will include CMMC requirements by 2026. It is worth noting that the DoD has indicated it intends to issue contract opportunities at all levels of the maturity model, meaning that some requests will require only a low level of certification.
What are the levels of CMMC?
The CMMC levels map directly to an organization’s security maturity. They are cumulative: as organizations implement stronger controls, they can achieve a higher level. The level of maturity may be a differentiator for retaining or winning new contracts with the DoD.
- CMMC level 1: Performed. Required practices are carried out, but processes are informal.
- CMMC level 2: Documented. A security program exists, is documented, and is understood throughout the organization.
- CMMC level 3: Managed. Tools and processes are in place, consistent, and followed by everyone within the organization.
- CMMC level 4: Reviewed. Tools and processes are reviewed periodically and updated as opportunities are identified through review.
- CMMC level 5: Continuous improvement throughout the organization. The organization has implemented all requirements.
What is included in the review?
CMMC covers the following cybersecurity domains, each of which must meet at least the Basic Cybersecurity milestones for an organization to be CMMC compliant:
- Access control
- Asset Management
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident Response
- Maintenance
- Media protection
- Physical protection
- Personnel security
- Recovery
- Risk management
- Security assessment
- Situational awareness
- System and communications protection
- System and information integrity
Still have questions?
CIT is a Registered Provider Organization (RPO). RPOs are the “implementers” and consulting organizations that help companies achieve the various levels of certification.