CMMC - Cybersecurity Maturity Model Certification
The Office of the Under Secretary of Defense for Acquisition and Sustainment - OUSD(A&S) - recognizes that security is foundational to acquisition and should not be traded away against cost, schedule, and performance. Going forward, all businesses in the defense supply chain, regardless of size, will require certification to participate in contracts. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
A set of actionable resources is summarized below.
CMMC - Cybersecurity Maturity Model Certification - Resources
Theft of intellectual property and sensitive information from all industrial sectors as a result of malicious cyber activity threatens economic security and national security. This reality creates the need for enhanced security measures and certification (verification) for all businesses in the Defense Industrial Base (DIB). The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust, by adding a verification component (Certification) with respect to cybersecurity requirements. A "crawl, walk, run" approach is being introduced to phase in requirements from now through 2026.
The Maturity Model is a set of characteristics, attributes, indicators, and patterns that represent capability and progression in cybersecurity best practices. There are five levels of maturity in the model, each adding capabilities, processes, and practices beyond the level below it. Level One mirrors the NIST SP 800-171 framework that organizations are currently self-assessing against, and should be achievable without considerable additional effort assuming current compliance.
- Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification - Web Site - This site provides an overview of the CMMC program. Click through for the CMMC Model and Assessment Guides.
- CMMC Model and Assessment Guides - Resources - The first link is a 28-page PDF that provides an overview of the CMMC program. There is also a 54-page assessment guide listed there for Level 1 and an additional guide for Level 3 assessment.
- Cybersecurity Maturity Model Certification (CMMC) - We advise any organization seeking certification to immediately review the first document (Link to PDF). Put an hour on your calendar to read this document in detail. It covers the types of information that are protected: FCI - Federal Contract Information and CUI - Controlled Unclassified Information. It reviews the entire framework of capabilities, processes, and practices, and outlines what's needed for Level 1 through Level 5. It includes a very important detailed listing of all the Practices.
- NIST SP 800-171 - The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust (self-assessment). The National Institute of Standards and Technology (NIST) has previously put together a cybersecurity framework that all defense suppliers are required to follow. Defense Pricing and Contracting outlines Strategically Assessing Contractor Implementation of NIST SP 800-171. The site includes a 21-page PDF: NIST SP 800-171 DoD Assessment Methodology. There's a detailed scorecard starting on page 12. These are items that should already be addressed.
- CMMC Accreditation Body (CMMC-AB) - CMMCAB.org - This site explains the ecosystem of assessment and accreditation. When your organization is ready to be certified (Organization Seeking Certification - OSC), to prevent any conflict of interest, the certification must be done by a third party, not the IT company that consults with you (Ekaru). Certified Third-Party Assessment Organizations are known as C3PAOs.
- Guide for OSC moving from Supplier to CMMC Certified Supplier - The CMMC Assessment Roadmap. This resource from the CMMC-AB walks through the process of becoming certified.