The United States Government has introduced the Cybersecurity Maturity Model Certification (CMMC) initiative in response to the increasing frequency and severity of cyberattacks on the US defense industrial base (DIB).

Coming into effect on December 1, 2020, CMMC requires every organization involved in DoD contracts, along the entire supply chain from research to manufacturing, to be prepared to certify that it is compliant or risk losing its eligibility for contract awards. To become CMMC certified, an organization must be assessed by a registered and approved third-party assessment organization (a C3PAO) rather than self-attesting.

CMMC draws from DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and requires an organization's information systems to meet at least the requirements of NIST SP 800-171, with the required level depending on the controlled unclassified information (CUI) and other intellectual property (IP) the organization handles.

The CMMC Framework consists of 17 Capability Domains that map to five levels, ranging from “basic cyber hygiene” practices and “performed” processes at Level 1 to “advanced / progressive” practices and “optimizing” processes at Level 5. The practices are built on top of the 110 security requirements already defined in NIST SP 800-171, which organizations document in a system security plan (SSP) and a plan of action and milestones (POAM). Note that, unlike NIST SP 800-171 self-attestation under DFARS 252.204-7012, the original CMMC model expects every practice at the target level to be implemented at the time of assessment rather than deferred to a POAM.