What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a unifying standard for the implementation of cyber security across the Defense Industrial Base (DIB). The standard was released by the US Department of Defense (DoD) and became effective on November 30th, 2020.
CMMC aims to standardize and improve cyber security practices within the Defense Department and Defense Industrial Base (DIB) ecosystem. CMMC ensures that DIB companies implement appropriate cyber security practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
What is Controlled Unclassified Information (CUI)?
CUI refers to sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect. The information includes the information the Government creates or possesses or information an entity creates or possesses for or on behalf of the Government.
Who does CMMC apply to?
CMMC applies to:
- Defense Industrial Base (DIB) contractors whose unclassified networks process, store, or transmit Controlled Unclassified Information (CUI).
- Defense Industrial Base (DIB) contractors whose unclassified networks process, store, or transmit Federal Contract Information (FCI).
What is the CMMC Accreditation Body (CMMC-AB)?
CMMC-AB is an independent organization authorized to operationalize CMMC in accordance with US Department of Defense requirements. CMMC-AB authorizes and accredits CMMC Third Party Assessment Organizations (C3PAOs). CMMC-AB also authorizes and accredits the CMMC Assessors and Instructors Certification Organization (CAICO).
What is a CMMC Third-Party Assessment Organization (C3PAO)?
C3PAOs conduct CMMC assessments and issue CMMC certificates based on the results of those assessments. Accredited C3PAOs must meet all DoD requirements and achieve full compliance with ISO/IEC 17020.
What does CMMC mean for cyber security?
CMMC enforces the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) requirements by requiring every contractor to be assessed by an independent third party, the CMMC Third-Party Assessment Organization (C3PAO), rather than relying on self-attestation alone.
What are the CMMC Maturity Levels?
There are 5 CMMC levels, each with its own set of associated practices and processes. The CMMC level a contractor must certify to depends on the type and sensitivity of the information flowed down from the prime contractor. The DoD specifies the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
How often is CMMC certification needed?
A CMMC certificate is valid for 3 years, after which the organization must be reassessed.
What is the CMMC certification methodology?
To achieve CMMC certification, organizations typically begin by engaging a Registered Provider Organization (RPO) to assess their current cyber security posture, design the required controls, and remediate gaps. Next, they complete a formal assessment with an approved C3PAO, which issues the certificate. ControlCase is an approved CMMC Registered Provider Organization.