CMMC Overview

From Cooey Wiki

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance cybersecurity practices across the Defense Industrial Base (DIB). It applies to any organization in the Department of Defense (DoD) supply chain that works on DoD contracts and receives the corresponding DFARS flow-down clauses, and it ensures these companies can safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

In November 2021, in response to industry feedback, CMMC 2.0 was introduced to simplify the original model, making compliance more achievable while maintaining strong security standards. This updated framework reduces the original five certification levels down to three:

Level 1: Basic cyber hygiene practices, for the protection of Federal Contract Information (FCI). Organizations must implement 15 practices aligned with Federal Acquisition Regulation (FAR) 52.204-21.

Level 2: Aligned with NIST SP 800-171 Rev 2, this level applies to covered contractor information systems that handle CUI. It includes 110 security controls and 320 assessment objectives required by NIST 800-171.

Level 3: Intended for companies with more sensitive CUI, Level 3 includes all NIST SP 800-171 requirements and enhances those requirements with 24 additional practices from NIST SP 800-172, focusing on defending against advanced persistent threats (APTs).

Self-Assessment and Certification:

Under CMMC 2.0, organizations handling only FCI at Level 1 will be required to conduct annual self-assessments. At Level 2, companies handling critical CUI must either undergo a third-party assessment or self-attest, depending on the criticality of the contract. Level 3 requires a CMMC Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO), followed by a Level 3 assessment performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Why CMMC is Important

The DoD created CMMC to ensure that companies in the DIB have adequate protections in place to secure sensitive information and defend against cyber threats. Compliance with CMMC 2.0 helps protect national security, secure supply chains, and build trust between the DoD and its contractors.

For organizations in the defense supply chain, preparing for CMMC 2.0 requires:

  • Implementing the controls in NIST SP 800-171 Rev 2 (for Level 2), and
  • Obtaining certification through a third-party assessment or a self-assessment, depending on the level of compliance required.