CMMC
- CMMC (Cybersecurity Maturity Model Certification) -
A unified cybersecurity standard developed by the U.S. Department of Defense (DoD) to ensure that defense contractors and subcontractors adequately protect sensitive unclassified information. CMMC defines multiple compliance levels, each with its own set of required security controls.
- CMMC Audit Preparation -
The process of getting ready for a CMMC assessment by reviewing current cybersecurity practices, implementing required controls, conducting gap analyses, and collecting documentation. Preparation often involves working with a CMMC consultant or advisor.
- CMMC Compliance Level 1 -
The foundational CMMC level, focused on basic cyber hygiene. CMMC Level 1 requires organizations to implement the 15 basic safeguarding requirements in FAR clause 52.204-21.17, such as controlling physical access and using antivirus software. It is intended for contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
- CMMC Compliance Level 2 -
An intermediate CMMC level designed for organizations that process, store, or transmit CUI. CMMC Level 2 includes the 110 practices drawn from NIST SP 800-171. It requires either a self-assessment or a formal assessment by an Authorized CMMC Third-Party Assessor Organization (C3PAO), and it demonstrates that an organization can safeguard CUI against advanced persistent threats (APTs).
- CMMC Compliance Level 3 -
An advanced CMMC level designed for organizations that handle CUI. CMMC Level 3 requires DoD contractors and subcontractors to undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and to provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.