Cybersecurity Maturity Model Certification (CMMC) Program – Part 1
The Cybersecurity Maturity Model Certification (CMMC) Program is a certification program introduced by the U.S. Department of Defense (DoD) to protect national security information in response to increasingly frequent and complex cyberattacks on the Defense Industrial Base (DIB). The program's goal is to preserve American ingenuity and national security. To achieve this, in view of the constantly evolving landscape of cyber threats, the DoD devised CMMC 2.0 to improve DIB cybersecurity on an ongoing basis and help safeguard the information that supports and enables the supply chain.
This new, enhanced framework upholds the initial goal of safeguarding sensitive information as well as:
- Simplifies the CMMC standard and provides additional clarity on cybersecurity regulatory, policy, and contract requirements;
- Focuses on the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
- Increases Department oversight of professional and ethical standards in the assessment ecosystem.
CMMC framework concept & features
- All DoD contract suppliers are required to be CMMC certified as a condition of contract award.
- The certification is required for all contracts where FCI (Federal Contract Information) or CUI (Controlled Unclassified Information) is processed.
- The framework requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. In the 2.0 edition of the framework, this is structured as a three-level model:
  - Level 1 – Foundational – the supplier conducts an annual self-assessment against 17 practices.
  - Level 2 – Advanced – the supplier is assessed by a third party for critical national security information, with an annual self-assessment permitted for selected programs, against 110 practices aligned with NIST SP 800-171.
  - Level 3 – Expert – the government assesses the supplier against more than 110 practices aligned with NIST SP 800-172.
- The assessments allow the DoD to verify the implementation of clear cybersecurity standards.