The Cybersecurity Maturity Model Certification (CMMC) has become a relevant topic for many organizations within the Defense Industrial Base (DIB). Many businesses are wondering whether they must be compliant and how they begin that process. Due to the nature of cyber threats the CMMC model has evolved since its inception which may make it difficult to keep up with. This blog seeks to provide a short history of what the CMMC is and how it has changed over the years.
The history of the CMMC goes all the way back to 2010 with Executive Order 13556. The CMMC model seeks to provide a standard for the protection, storage, and transmission of controlled unclassified information"(CUI) an it was this executive order that defined what constitutes CUI and how it is defined.
It wasn't until 2019 that the Department of Defense actually announced the development of CMMC in order to move away from the current "self attestation" model of security. While the CMMC model today does allow for some self attestation it is much more complex and scrutinized by third parties. Since 2017, defense contractors had to self-assess against the NIST 800-171 standard. The CMMC was founded on these standards and was created as a way to better enforce NIST 800-171 requirements.
In November of 2020 CMMC 1.0 was implemented as an interim rule in all DoD contracts requiring to upload a SPRS score in compliance with NIST 800-171 and various DFARS requirements.
This first iteration of CMMC contained 5 maturity levels in ascending order.
Level 1 - Basic Cyber hygiene
Level 2 - Intermediate Cyber Hygiene
Level 3 - Good Cyber Hygiene
Level 4 - Proactive Cyber Hygiene
Level 5 - Advanced and Progressive Cyber Hygiene
These 5 levels addressed the 110 controls of NIST 800-171 that are divided into 14 control families. All contractors were expected to comply with at least the first level while other contractors higher up were expected to comply with the more advanced levels. This model worked for a while, but soon it was replaced with CMMC 2.0
CMMC 2.0 was announced in November of 2021 and attempted to streamline the expectations of the previous models by downsizing the transitionary levels of 2 and 4.
Instead of 5 maturity levels CMMC 2.0 has only 3.
Level 1 - Foundational
Level 2 - Advanced
Level 3 - Expert
It is important to understand that CMMC 2.0 will no longer only apply to prime contractors but will be applicable to 4th level vendors in some cases. This is why it is important to become complaint now. Depending on what your organizations security posture is you may have a lot of work to do.
CorpInfoTech helps you make sure that your entire network meets the requirements of NIST 800-171 and thus is also compliant to the CMMC model. Because the cyber landscape is constantly evolving it is important to get started now!