Cybersecurity Maturity Model Certification (CMMC)

What Is CMMC?

CMMC stands for the Cybersecurity Maturity Model Certification and is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and new certification model to ensure that DoD contractors properly protect sensitive information. CMMC 1.0 had 5 levels and was replaced by CMMC 2.0, which has 3 levels, in November 2021.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the CMMC-Assessment Body (CMMC-AB), by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.

 Source: Compliance with Cybersecurity and Privacy Laws and Regulations | NIST

Why is CMMC important?

DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.

What’s different about CMMC?

The U.S. government provided cybersecurity guidance for contractors for many years, but there was no way for contractors to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by certified third-party assessors (C3PAO). Contractors must achieve certification before they can win future government contracts.

Does CMMC apply to all government contractors?

Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification with certain contracts. In the future, CMMC may apply all non-DoD government contractors as well.

Who pays for the CMMC assessment?

Contractors pay for their CMMC assessments. The costs depend upon several factors, like the target CMMC levels. However, the DoD states that certain cybersecurity contracts can incur “allowable costs” that can help contractors pay for upgrades. CMMC does not allow contractors to perform self-certifications.

Print Friendly, PDF & Email