Established by the United States Department of Defense (DOD), the Cybersecurity Maturity Model Certification (CMMC) is a framework designed to fortify the cyber defenses of government contractors.
The program aims to safeguard confidential information within the DOD supply chain by requiring comprehensive third-party assessments of the security practices of contractors and subcontractors alike. In essence, CMMC outlines the specific IT security standards businesses must satisfy in order to secure lucrative government contracts.
CMMC was introduced in response to a string of security breaches targeting sensitive federal data. The high-profile nature of those incidents led the DOD to reexamine the security capabilities of its ecosystem. The agency determined that the insufficiency of current standards, combined with the lack of accountability from resource-strapped subcontractors, rendered the supply chain extremely vulnerable to cyber threats.
CMMC is defined by its three core principles:
- Maturity levels: Defense Industrial Base (DIB) entities are required to meet compliance standards at levels that become increasingly stringent depending on the sensitivity of the data in their possession.
- Third-party audit requirements: CMMC assessments are required to verify and validate the proper implementation of IT security standards defined by the DOD.
- Mandatory compliance: In order to secure work with the DOD, companies must achieve full compliance at the CMMC levels specified in the contract.
The Need for CMMC
Cyber attacks have grown in frequency and gravity as technology continues to advance. In an attempt to mitigate the issue, the DOD implemented the NIST SP 800-171 framework, a set of standards that encouraged stronger security practices among government contractors. Despite being rooted in good intentions, the initiative was doomed to fail. Compliance was based on in-house assessments conducted by each individual contractor. With no viable way to measure adherence and cyber security prowess, the standard was only loosely adopted, which proved problematic as the threat landscape evolved.
The uncertainty of NIST SP 800-171 inspired the DOD to seek out alternatives. In 2019, the agency unveiled the CMMC, a framework modeled after NIST SP 800-171 and other regulatory standards mandated for industries beyond the government realm. While the new standard offered the third-party visibility the previous program lacked, the idea of CMMC was largely met with confusion with regard to the requirements.
A New and Improved Standard
In November 2021, the DOD introduced a revamped cyber security initiative in CMMC 2.0. The updated standard promised to retain the core objectives of the original program, with an added focus on clarifying and simplifying the requirements that seemed to leave the collective Defense Industrial Base (DIB) with more questions than answers. In addition to eliminating specific certification tiers, CMMC 2.0 places greater emphasis on self-policing by reducing the role of third-party auditing.
Although contractors and subcontractors are still accountable for fostering a secure operational environment, the addition of independent assessments will enforce a greater sense of accountability to ensure adequate security measures are met across the supply chain before contracts are awarded.
Upon introducing the first iteration of CMMC, the DOD had aspired to grant a total of 15 pilot contracts as a means to test its assessment process ahead of the 2025 compliance deadline. With 2.0 added to the equation, the department has opted to forgo the piloting program and, more notably, to remove CMMC compliance from contractor obligations until the updates are formally integrated into federal legislation.
CMMC 2.0 has been praised for its approach to prioritizing cyber security initiatives in the DIB space, while giving small and medium-sized businesses an easier path to compliance. In the meantime, the DOD is using a combination of rulemaking and input gathered during a public comment period to finalize the revised framework. Needless to say, CMMC is a developing standard every contractor needs to keep on their radar.