CMMC stands for “Cybersecurity Maturity Model Certification” and encompasses 5 maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.” DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
Your company will engage directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Currently there are no companies accredited but the CMMC Accrediting Body is working with companies to provide a means for overall certification of 3rd party organization. (https://www.cmmcab.org/) Your company’s DoD contracts will specify the level of the certification required based on your company’s governmental requirements for safeguarding information on your company’s site. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.