Understanding the Cybersecurity Maturity Model Certification

CMMC stands for Cybersecurity Maturity Model Certification. It is the program the Department of Defense has put in place to implement cybersecurity requirements across the Defense Industrial Base, and it is meant to verify that businesses in the supply chain that handle CUI meet the required cybersecurity standards.

What Is CUI?

CUI stands for Controlled Unclassified Information, and it refers to information that the government creates or possesses. CUI is organized into the following organizational index groupings:

· Critical Infrastructure
· Defense
· Export Control
· Financial
· Immigration
· Intelligence
· International Agreements
· Law Enforcement
· Legal
· Natural and Cultural Resources
· NATO
· Nuclear
· Privacy
· Procurement and Acquisition
· Proprietary Business Information
· Provisional
· Statistical
· Tax

All businesses with CUI will be required to get CMMC certified.

How Much Will It Cost to Get Certified?

The cost of certification will vary from company to company depending on factors such as the size of the company and the scope of the CUI it handles. The Department of Defense will provide each company with a rough estimate of the cost of its CMMC assessments.

Do You Need to Be Certified if You Are a Subcontractor on a DoD Contract?

If you are the direct (prime) contractor with the DoD, you must be CMMC certified, but many subcontractors are also part of the supply chain. The certification level a subcontractor needs will depend on the type of information its prime contractor shares with it.

Do You Need to Be Certified if Your Organization Does Not Handle CUI?

If your organization handles Federal Contract Information but does not possess, store, or transmit CUI, you must achieve Level 1 CMMC certification.

If your company only produces Commercial-Off-The-Shelf (COTS) products, you do not need to be certified.

What Does the Rollout Plan for CMMC Look Like?

CMMC certification of the entire supply chain is going to take a long time. 2021 is only the first year of the rollout, and just 15 companies are expected to meet CMMC requirements as part of the CMMC pilot program. That number is expected to increase to 75 in 2022, 250 in 2023, 325 in 2024, and 475 in 2025.

By: Alex O’Reilly

Sources:

https://www.acq.osd.mil/cmmc/faq.html

https://www.nqa.com/en-gb/resources/blog/July-2020/guide-to-cmmc