CMMC

In November 2021, the U.S. Department of Defense (DoD) introduced major updates to the Cybersecurity Maturity Model Certification(CMMC) program. These changes left many organizations in the Defense Industrial Base (DIB) wondering: Do we still need to comply with CMMC certification requirements?

The short answer is yes, but the more important question is which Level of CMMC certification applies to your organization. The required Level depends on the type of sensitive data you handle in your current or prospective DoD contracts. Understanding this distinction is critical, as it determines the cybersecurity controls you must implement—and how soon you need to meet them.

If your organization works with government entities as a contractor, you probably have some questions about NIST SP 800-171, CMMC, or even NIST SP 800-53 compliance. Below, we’ll answer questions like what is NIST SP 800 171, how does CMMC differ from it, and what are NIST 800-53 controls? Understanding the answers to these questions covers most everything you need to know for the DoD compliance efforts necessary to secure lucrative contracts with the military and other agencies.

The Cybersecurity Model Maturity Certification (CMMC) framework protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) processed by Department of Defense (DoD) contractors. On November 4, 2021, the DoD announced a massive overhaul of CMMC version 1.02 and the imminent release of CMMC 2.0. The new framework is not yet publicly available, leaving many organizations with questions about how they’ll need to adjust. 

If your company currently works closely with the Department of Defense (DoD) or plans to begin a lucrative partnership with the military, you will soon need to acquaint yourself with a managed security service provider (MSSP) that’s been vetted by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB). There are many such organizations and many different kinds you’ll find on the CMMC AB Marketplace.

Companies need to ensure security over sensitive data to work with the Department of Defense (DoD) as a contractor or vendor.

Preparing for a CMMC Audit: What DoD Contractors Need to Know
Companies aiming for Department of Defense (DoD) contracts must demonstrate strong cybersecurity practices by achieving Cybersecurity Maturity Model Certification (CMMC). Successfully implementing CMMC leads to an official CMMC audit, which is a critical step toward earning preferred contractor status with the DoD. This guide will walk you through how to prepare effectively for a CMMC audit.

The Cybersecurity Maturity Model Certification (CMMC) is right around the corner.

By 2025 all Department of Defense (DOD) contractors will be required to have CMMC, and you will need a certified third-party assessment organization (C3PAO) to grant certification. 

Working as a contractor with the US Department of Defense (DoD) can provide lucrative short- and long-term opportunities for partnering companies. But it also requires strict adherence to multiple cybersecurity frameworks. The most recent of these, which has an ongoing roll-out, is the new Cybersecurity Model Maturity Certification (CMMC) framework. This framework is presided over by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S).

The US military and its broad network of businesses and individual contractors comprise the most critical infrastructure in the entire country. Any threat to the Department of Defense (DoD) resources and information could jeopardize all Americans’ security, both domestically and abroad.

Companies contracted with the Department of Defense (DoD) come into contact with sensitive information constantly. That’s why they need to comply with cybersecurity frameworks like the Cybersecurity Maturity Model Certification (CMMC) to retain preferred contractor status. One of the primary data types CMMC is designed to protect is the class of information known as “controlled unclassified information” (CUI).