The CMMC (Cybersecurity Maturity Model Certification) is a certification program developed by the Department of Defense (DoD) to verify that contractors have the controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC Model draws best practices from several existing cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, and combines them into one cohesive cybersecurity standard.
Beginning this year, all contractors working for the Department of Defense, including subcontractors, must pass a CMMC audit to verify that the appropriate level of cybersecurity controls and processes is in place to protect FCI and controlled unclassified information (CUI) on DoD contractor systems.
To verify that DoD contractors have met the required level of cybersecurity controls, the DoD will rely on accredited, independent third-party assessment organizations (C3PAOs) to audit DoD contractor information systems and report their findings. The outcome of this audit determines whether a DoD contractor is awarded a certification.
DoD contractors will need to coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule a CMMC assessment. Contractors will specify the level of certification requested based on the CMMC level required by the contracts they intend to pursue.
Contractors will be awarded certification at the appropriate CMMC level upon demonstrating the required practices and process maturity to the satisfaction of the assessor and certifier.
The CMMC consists of five levels of controls. Level 1 (basic cyber hygiene) is designed for businesses that hold a DoD contract but handle only FCI and little or no other DoD data. Level 3 incorporates all 110 controls of NIST SP 800-171 and is the minimum level for contractors that handle CUI. Level 5 is for major contractors with heavy involvement in the DoD supply chain and its data; it carries the highest level of scrutiny and controls. (This describes the original CMMC model; the later CMMC 2.0 revision reduced the model to three levels.)
Each CMMC level includes all the practices of the level below it and adds a further set of controls.
CMMC was initiated because the DoD felt it needed to screen contractors more rigorously in response to a growing number of cybersecurity incidents. There have also been concerns about foreign entities obtaining weapons information through the supply chain. The example often cited is the Chinese J-31 aircraft, which bears an uncanny resemblance to the American F-35 Joint Strike Fighter.
It is believed that contractors will need to be appropriately certified by the last quarter of 2020 in order to bid on DoD projects.
Want to learn more? Tonex offers Cybersecurity Maturity Model Certification Training, a 2-day course in which participants learn about CMMC certification and the assessment procedure developed by the Department of Defense (DoD) to certify contractors. It is an important certification-preparation course for contractors and subcontractors.
Additionally, Tonex offers nearly five dozen more courses in cybersecurity, including cutting edge courses like:
For more information, questions, comments, contact us.