Cybersecurity Maturity Model Certification (CMMC)

CMMC’s key objective is to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain. Because you’re likely to handle these information types as a DIB supplier, specific safeguarding requirements are outlined by CMMC to keep them secure. CMMC reviews and combines various cybersecurity standards and best practices, making it a comprehensive verification mechanism for effective security.

In order to win future contracts with the DoD, you must adhere to the specific cyber hygiene level your contract requires. Three levels currently exist, where 1 represents basic hygiene and 3 represents advanced and resilient cyber risk programs. CMMC readiness activities are already underway, where most are in the process of compliance planning for Level 1 cyber hygiene. To conform with Level 1, each Government Contractor known as an Organization Seeking Certification (OSC), must demonstrate conformance with 17 safeguarding controls from the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations” and self-Attest annually. While level 2 DIBs that create, process, store or transmit CUI will have to comply with all 110 controls from NIST SP 800-171 and either self-attest annually or receive a CMMC from a C3PAO. Level 3 DIBS must comply with Level 2 requirements and additionally comply with NIST SP 800-172 requirements.