CMMC is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and new certification model to ensure that DoD contractors properly protect sensitive information.
DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.
The U.S. government provided cybersecurity guidance for contractors for many years, but there was no way for contractors to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by third-party assessors. Contractors must achieve certification before they can win future government contracts.
Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification with certain contracts. In the future, CMMC may apply all non-DoD government contractors as well.
Many higher education institutions are DoD contractors. They perform basic and applied research under contract and are also subject to CMMC. Helen Patton, former CISO at Ohio State, shares how CMMC affects the higher ed community and explains how to get started with CMMC.
Contractors pay for their CMMC assessments. The costs depend upon several factors, like the target CMMC levels. However, the DoD states that certain cybersecurity contracts can incur "allowable costs" that can help contractors pay for upgrades. CMMC does not allow contractors to perform self-certifications.
No. For example, companies that solely produce commercial-off-the-shelf (COTS) products do not require a CMMC certification..
CUI is information the government creates or possesses that a law, regulation, or governmentwide policy requires to be safeguarded. CUI information can only be handled only when using appropriate security controls.
DFARs detail the terms and conditions for DoD procurement contracts. CMMC builds upon certain DFAR Supplement (DFARS) clauses that subject contractors to CMMC requirements.
C3PAO is an entity that is authorized and accredited by the government to perform CMMC assessments. The C3PAO also issues CMMC certificates based on the results of the assessments.
The Office of the Under Secretary of Defense for Acquisition and Sustainment is a DoD organization that led the development of the CMMC program.
NIST SP 800-171 catalogs a comprehensive set of security controls that CUI requires. CMMC includes these controls in addition to practices, processes, and references from many other standards and sources.