Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) is a program established by the U.S. Department of Defense (DoD) to secure and protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring the certification of external contractors across 14 different domains, each with three specified levels of certification.

CMMC is a unified standard for implementing cybersecurity across DoD’s contracting network, which includes over 300,000 companies in the supply chain. CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.

• Release date was January 1, 2020.
• The DoD began incorporating CMMC requirements into select RFPs / RFIs as of November 30 , 2020.
• By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. And while DoD was the catalyst for CMMC, it is now gaining traction across the Defense Industrial Base (DIB), including the Department of Homeland Security and other federal government departments and agencies – especially post SolarWinds.

Historically, contractors were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems.

Starting November 30, 2020, DoD began incorporating CMMC requirements into select RFPs, RFIs, and research contracts. By October 1, 2025, all DoD contract awards will require at least some level of CMMC certification. The model consists of 3 levels of maturity – foundational, advanced and expert – which is dependent on the type of information being handled. Each level also has different assessment requirements of either self-assessments, third party assessments, or government led. Entrust’s digital security portfolio including identity, certificate, and data protection solutions facilitates compliance with 9 CMMC domains across the three possible levels of certification.

Is the organization handling basic information, such as Federal Contract Information (FCI)? Or is it Controlled Unclassified Information (CUI)? FCI requires a Level 1 certification, but CUI requires at least a Level 2.

Where are the gaps between the organization’s current cybersecurity stance and the desired CMMC level? A gap assessment will be invaluable for defining a plan of action and milestones toward achieving CMMC cybersecurity maturity.

CMMC encompasses the security requirements specified in NIST SP 800-171, as well as additional requirements from other standards and sources, which varies by certification level. What will a gap assessment reveal about the organization’s current level of cybersecurity hygiene?

Keep in mind the ultimate goal of CMMC: Keeping FCI and CUI out of the hands of malicious cyber attackers.