By now, you’ve likely heard the question more than once: what is CMMC compliance? As it turns out, this is far from an unreasonable question to ask. If you happen to be a DoD contractor who is not well versed in the ins and outs of cybersecurity, the CMMC discussion can sound quite overwhelming. This is especially true when you consider that your compliance with CMMC can affect your ability to do business. Additionally, the information and guidance around this measure are changing rapidly.
The good news is that DoD contractors have been anticipating CMMC for quite some time now. As such, the information is clearer than ever before. The Department of Defense has also had the time to tailor its expectations to better address the diversity of businesses that exists across the Defense Industrial Base. So, if you’ve only recently been made aware of CMMC, this is a good time to get educated.
So, what is CMMC compliance? CMMC is an acronym for Cybersecurity Maturity Model Certification. CMMC emerged as a means to create uniform cybersecurity standards for DoD contractors that could then be verified by an accreditation body. Before CMMC was developed, contractors were on the honor system and were only required to self-certify. CMMC mandated that a contractor’s cybersecurity systems had to be audited by a third party that was sanctioned by the Department of Defense.
This caused quite a stir when it was announced. Many firms argued that the strict uniform standards implemented across the sector unfairly burdened certain contractors based on the nature of their businesses. The DoD has been receptive to these concerns, which gave way to the more recent program known as CMMC 2.0.
CMMC 2.0 seeks to achieve the same goal as its predecessor in a way that is more streamlined and contextual. Where the first iteration of CMMC had very little room for exceptions, CMMC 2.0 has revised the existing standards to address the differences in the way businesses handle information. These revisions impact two critical parts of the Defense Federal Acquisition Regulation Supplement. These are:
- Controlled Unclassified Information (CUI)
- High-Value Assets (HVA)
CMMC 2.0 has three maturity levels that correspond with a contractor’s relationship to CUI and HVA.
- Level 1 is known as Foundational by the DoD. Level 1 is for contractors who handle neither HVA nor CUI. These firms will be permitted to continue self-certification of their systems.
- Level 2, referred to by the DoD as Advanced, is for firms that handle CUI but do not handle HVA. Under the Advanced level, firms with CUI that is not considered to be Critical National Security Information will be allowed to self-certify. Conversely, firms that handle CUI that is classified as CNSI will need to be audited every three years.
- Level 3, or Expert, is for firms that handle HVA. Details are still emerging for this maturity level. Firms required to comply with Level 3 should expect to be audited by the DoD rather than by a third-party accreditation service.