Explain Cybersecurity Maturity Model Certification (CMMC)


Before the National Defense Authorization Act for fiscal year 2021 was passed, the United States Government had already been working on a single, unified program for training, certification, and third-party assessment of cybersecurity across the defense industrial base.

The Defense Industrial Base, or DIB, refers to the network of organizations, facilities, and resources that research, develop, produce, deliver, and maintain equipment for the country's armed forces.

The model, known as CMMC, is a "comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks."

Three key features

CMMC 2.0 focuses on three key features.

Tiered model

The CMMC framework uses a tiered model. When a company is given access to national security information, the type and sensitivity of that information determine the level at which the company must be certified. The tiering also sets out how these requirements flow down when the information is shared with subcontractors.

CMMC assessments

CMMC assessments give the Department of Defense a way to verify that an organization has actually implemented the cybersecurity standards required at its CMMC level, rather than relying on self-reported compliance alone.

CMMC required contracts

After CMMC is fully implemented, certain Department of Defense contractors will be required to achieve the CMMC level specified in the solicitation as a condition of contract award.

Importance

CMMC is intended to address cybersecurity requirements for contractors and subcontractors to the Department of Defense. The defense industry represents 3.5% of the gross domestic product of the United States. Given that footprint, it makes sense to hold the sector to a verified cybersecurity standard at this scale.

While CMMC is a program run out of the Department of Defense, in December 2020 the General Services Administration noted that although CMMC currently applies only to Department of Defense contractors, both civilian and military contractors should prepare to meet CMMC requirements in the future.