
What is Cybersecurity Maturity Model (CMMC)?


CMMC ensures that companies working with DoD meet a certain cyber security standard

CMMC (Cybersecurity Maturity Model Certification) is a cyber security certification standard developed by the US Department of Defence (DoD). CMMC requires contractors and subcontractors working with DoD to adopt specific cybersecurity practices and policies to ensure the security of sensitive data. The purpose of this standard is to serve as a compass to increase the cyber security maturity of organisations in the US defence industry and to ensure the security of sensitive data.

Why is CMMC important?

It ensures that companies working with DoD meet a certain cyber security standard.

Protection of Sensitive Data: CMMC protects against cyber-attacks by raising the security of sensitive data. Holding CMMC certification also allows companies to do more business with the DoD and to gain a more respected position in the industry. CMMC has become a mandatory requirement for DoD contractors.

What are the maturity levels of the CMMC?

The CMMC includes five different maturity levels, with each level representing an increasing level of maturity in terms of cyber security practices and policies:

  • Level 1: Basic Cyber Hygiene
  • Level 2: Advanced Cyber Hygiene
  • Level 3: Good Practices
  • Level 4: Advanced
  • Level 5: Preventive

Each level requires the implementation of specific cyber security controls and practices. The CMMC is based on National Institute of Standards and Technology (NIST) Special Publication 800-171 and other cyber security standards.

For which organisations is CMMC important?

The CMMC is extremely important for companies working with the US Department of Defence. The CMMC requires companies participating or seeking to participate in DoD contracts to meet certain cybersecurity standards. It is especially important for the following types of companies:

  • Companies Working in the Defence Industry: Contractors and subcontractors doing business directly or indirectly with the US Department of Defence may be subject to CMMC certification.
  • Technology Companies: Companies providing information technology, cybersecurity, software development and other technology services.
  • Aerospace Industry: Companies operating in the aerospace industry and working with DoD must also comply with the CMMC.
  • Manufacturing Companies: Manufacturing companies that supply parts and materials to the defence industry must also meet CMMC standards.
  • Logistics and Supply Chain Companies: Companies that manage the supply chain of goods and services required by the DoD must meet the CMMC to protect sensitive data.
  • Research and Development Companies: Companies that conduct research and development projects for DoD must also comply with the CMMC.

CMMC’s New Rule

The US Department of Defence published a new draft rule for CMMC in December 2023. This draft aims to improve public-private coordination and to better protect sensitive information from cyber threats while simplifying compliance. The new rule provides a tiered security model for contractors and subcontractors, defining three levels:

Level 1: Represents basic security measures.

Level 2: Requires implementation of the 110 security measures specified in NIST SP 800-171.

Level 3: Requires the implementation of 24 additional security measures specified in NIST SP 800-172.

This rule requires contractors to achieve certain CMMC levels to be competitive in certain procurements. For more information, please contact us at sales@cfecert.co.uk.
