Making IT happen
Welcome to our new mini blog series, CMMC to the Core, where we will walk you through everything you need to know about CMMC.
In this five-week mini-series we will give you an overview of what CMMC is, who it applies to, why it matters, how to become certified, and what resources are available to help along the way. The best part? We are walking right alongside you as we work towards our own CMMC certification! Because of the nature of the requirement, it is vitally important that every member of the federal supply chain, from large system integrators to small business service providers, understand and make a plan to complete certification, and we’re here to help others on their way.
Today we’ll break down CMMC and CMMC 2.0, because yes, the original program has already been revised.
So, without further ado, let’s dive in!
Awareness of CMMC has grown slowly throughout the industry since it was first announced by the DOD in the summer of 2019, so you may have seen and heard the acronym. CMMC stands for Cybersecurity Maturity Model Certification. It is a program established to enhance the cybersecurity posture for all Department of Defense (DOD) contractors, known as the Defense Industrial Base (DIB).
CMMC’s little brother, NIST 800-171, began the important work of defining cybersecurity standards in 2015 but lacked the enforcement necessary for industry to fully comply.
CMMC serves as a set of cybersecurity standards designed to protect the Government’s sensitive unclassified information (defined in CMMC as Covered Unclassified Information, or CUI) possessed and shared amongst the DIB. Once CMMC is fully implemented, DOD contract awards will require all contractors and subcontractors to hold a CMMC certification.
The CMMC Model is designed to be a tiered framework ranging from basic cyber hygiene to Fort Knox-style security. Recognizing that not all contracts involve the same level of sensitive information, this tiered model allows contractors to align their cybersecurity program with the scaling requirements of the contract opportunities they pursue.
Each level consists of escalating cybersecurity standards and requirements for implementation, in addition to documented policies and procedures.
Implementing the controls in each advancing level will, in theory, provide greater protection against cyber threats.
Originally, CMMC consisted of five certification levels, ranging from basic (Level 1) to advanced (Level 5).
After an internal review of the program, on November 4th, 2021, the DOD released CMMC 2.0 to simplify the program and provide necessary clarity on the requirements.
The major changes included:
We hope this breakdown has helped provide a general understanding of CMMC.
Be on the lookout for our next edition of CMMC to the Core, where we will cover who must be CMMC certified.
Please note: CMMC 2.0 will not be a contractual requirement until the Office of the Secretary of Defense (OSD) completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.