What is Cybersecurity Maturity Model Certification? Who does it apply to? Why is it necessary? When does it become a requirement? How do you get started?
All good questions, ones that we will seek to answer below.
What is Cybersecurity Maturity Model Certification?
According to the Lockheed Martin website, CMMC is a new requirement for existing U.S. DoD contractors - "The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on contractor / subcontractor networks."
Who does it apply to?
Defense contractors and subcontractors, anyone who is working with the U.S. Department of Defense.
Why is it necessary?
The U.S. DoD answered this succinctly in their memorandum on understanding Cybersecurity Maturity Model Certification: "CMMC has, and will remain a priority for the Department, and will safeguard our enterprise against cyber theft losses that cost our Nation $100 billion annually, and $600 billion worldwide, equating to 1% of global GDP."
CMMC is already evolving...
September 2020 - the DoD publishes an interim rule to the DFARS in the Federal Register for the initial version of the CMMC program.
March 2021 - the DoD initiates an internal review of CMMC implementation, influenced by public comments. This assessment leads cybersecurity leaders to refine the policy and program.
November - the DoD announces CMMC 2.0, an updated program structure with new requirements, informed by the internal review's findings.
References and Additional Resources:
United States Department of Defense:
CMMC Accreditation Body or CMMC-AB