The intent of the U.S. Department of Defense’s Cybersecurity Maturity Model Certification is to better assess and enhance the cybersecurity of the Defense Industrial Base (DIB). The CMMC will create a verification program to ensure that adequate controls and processes are in place to protect controlled unclassified information (CUI) that resides on Department of Defense and Department of Defense contractors’ networks.

The Department of Defense advised that the CMMC will:

• Review and combine various cybersecurity standards and best practices.
• Build upon existing DFARs cyber regulations (DFARS 252.204-7012) by adding a verification component.
• Create a cost-effective and affordable means for small businesses to implement CMMC.
• Establish differing levels of CMMC controls and processes to reduce risk against specific forms of cyber threats.
• Ultimately require all Department of Defense contractors to have cyber audits and risk assessments by independent third-party certified organizations.
• Provide for “higher level assessments” to be conducted by U.S. government agencies, such as the Defense Contract Management Agency (DCMA) and Defense Counterintelligence and Security Agency (DCSA).