This is the first of a series we’ll be posting, and to begin we're going to spend some time talking about the new CMMC. You may have read a bit about this, or you may have leapt feet first into assessing where you stand, but if you do business with the Department of Defense you’ll have to address this in the coming years.
What is the CMMC?
The CMMC, or Cybersecurity Maturity Model Certification, is a certification procedure developed by the Department of Defense to certify that contractors working with the department have the necessary controls to protect sensitive data. Specifically, this data is called Controlled Unclassified Information, or CUI. As part of our first blog on this topic we’ll be providing some definitions and information on what CUI is, why it’s important, and how it’s used.
What do I need to know about CMMC?
There are seventeen (17) specific domains within the certification, leading to five (5) levels ranging from basic hygiene to state-of-the-art security. Most of those I’ve spoken with anticipate being within Level III. We’ll be posting in the near future about what those levels mean and what it will take to be in each level.
While the CMMC is based upon the NIST standards already in place and DFARS, it does differ in one key way: there is no self-certification. In other words, you will be required to obtain certification through a third party assessment organization, or 3PAO. The first of these will come online in May of 2020. Another thing to bear in mind is that certification and compliance do not mean security, just that you have appropriate measures in place.
In our next blog post and video we’ll dive deeper into specific topics relating to the CMMC. We will also be keeping up with any important changes. For now, the first posts will cover what the CMMC is (in more depth). Additionally, we will talk about what you’ll have to do now and what you’ll have to do in the future. With each blog post we’ll be shooting some short videos.