What is the Cybersecurity Maturity Model Certification (CMMC)?

The intent of the U.S. Department of Defense’s Cybersecurity Maturity Model Certification is to better assess and enhance the cybersecurity of the Defense Industrial Base (DIB). The CMMC will create a verification program to ensure that adequate controls and processes are in place to protect controlled unclassified information (CUI) that resides on the networks of the Department of Defense and its contractors.

The Department of Defense advised that the CMMC will:

  • Review and combine various cybersecurity standards and best practices.
  • Build upon the existing DFARS cyber regulations (DFARS 252.204-7012) by adding a verification component.
  • Create a cost-effective means for small businesses to implement CMMC.
  • Establish a set of CMMC levels, each with its own controls and processes, to reduce risk from specific forms of cyber threats.
  • Ultimately require all Department of Defense contractors to undergo cyber audits and risk assessments by independent, certified third-party organizations.
  • Provide for “higher level assessments” to be conducted by U.S. government agencies, such as the Defense Contract Management Agency (DCMA) and Defense Counterintelligence and Security Agency (DCSA).

When does CMMC go into effect?

The initial CMMC framework will be available in January 2020 for training purposes, with additional requirement information becoming available to Department of Defense contractors in June 2020.

What are the penalties for failing to comply with CMMC?

More information is forthcoming at the conclusion of the training phase.