What It Is
The Cybersecurity Maturity Model Certification (CMMC) is a unified security standard for establishing strong cybersecurity infrastructure and practices across the Defense Industrial Base (DIB). This updated set of requirements builds on and improves the existing NIST standards to effectively address cybersecurity vulnerabilities across the 300,000+ organizations in the DIB.
The DoD first released the CMMC standards in January 2020, following up in September of the same year with a self-assessment requirement for all current or potential government contractors, due November 30th, 2020. These announcements were the beginning of a five-year CMMC rollout, culminating in the final deadline of October 1st, 2025. After that date, all DoD contractors must meet CMMC requirements.
While this may seem like a far-off deadline, cybersecurity improvements can take time and money, and the November self-assessment deadline shows that there may be other required milestones to hit well before 2025.
On Nov. 4, 2021, the Department of Defense announced the enhanced CMMC 2.0 with “the goal of safeguarding sensitive information while:
- Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
- Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
- Increasing Department oversight of professional and ethical standards in the assessment ecosystem.”
Five Levels of Compliance
The CMMC has five levels from Basic Cybersecurity Hygiene all the way up to Advanced/Progressive cybersecurity strategies. Depending on the company and the contract in question, contractors will need to comply at the relevant cybersecurity level for the work they’re doing. Learn more about these levels by downloading the 6 Steps to CMMC Readiness guide below.
Note: Although this section lists the five levels from Basic to Advanced, it does not mention the levels for CMMC 2.0, which are: Level 1 (same as CMMC 1.0 Level 1), Level 2 (CMMC 1.0 Level 3), and Level 3 (CMMC 1.0 Level 5).
The CMMC evaluates the following cybersecurity domains, all of which need to have at least Basic Cybersecurity Hygiene to be CMMC compliant:
- Access control
- Asset management
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Physical protection
- Personnel security
- Risk management
- Security assessment
- Situational awareness
- System and communications protection
- System and information integrity
What Should I Do Now?
All DoD contractors, including small businesses, commercial item contractors, foreign suppliers, educational entities, and anyone interested in doing business with the DoD will need to assess their compliance ASAP.
In today’s world and especially when working with sensitive DoD-related information, cybersecurity is non-negotiable. Businesses must immediately begin the process of improving their cyber infrastructure and complying with the CMMC requirements so they’re not left behind in coming years.
TCecure Offers CMMC Compliance Services
TCecure offers a free guide: CMMC: What You Need to Know that includes 6 Steps to CMMC Readiness! If you follow these steps, your business will be in the right position to meet CMMC’s requirements and comply with possible additional deadlines. Sign up below to receive this free essential CMMC guide!
In addition, the TCecurity Compliance Manager (TCM) ensures our clients can perform self-assessments, manage compliance, and improve long-term cybersecurity. This tool is customized for the client’s budget so your organization gets the help it needs.
This post was updated 11/9/22.
Sources
- Office of the Under Secretary of Defense for Acquisition & Sustainment: CMMC
- CSO: The Cybersecurity Maturity Model Certification Explained
- Cential: CMMC: What is it and what does it mean for your business?