Who Needs To Comply with CMMC 2.0 and When?

Written by Waits Sharpe | Jul 19, 2022 7:14:22 PM

Update 2/2024: After a 60-day public comment period ending on February 26th, 2024, the CMMC proposed rule has been sent back to the rule makers to make necessary changes and respond to the comments received.

Cybercrime waits for nobody. Cyber criminals are ready and willing to attack any organization that remains behind the curve. Unfortunately, some of the most lucrative hits for hackers are organizations partnered with the federal government. Federal contract information (FCI) and Controlled Unclassified Information (CUI) released by the government to its private contractors can be extremely detrimental in the wrong hands, which is why the Department of Defense developed the Cybersecurity Certification Maturity Model. The CMMC is a framework that seeks to develop standardized sets of practices and controls to help protect organizations from unwittingly releasing classified information entrusted to them.

CMMC 2.0 applies to any organization being contracted by the Defense Industrial Base (DIB)

Who needs to comply with CMMC 2.0? Anyone who works directly with the DIB must comply with some, if not every, level of the CMMC 2.0 model in order to handle certain types of CUI. Organizations that have access to FCI will only be required to comply with Maturity Level One (Foundational). Furthermore, any CUI will automatically require compliance at ML2 (Advanced), while the federal contracting officer may specify the need for ML3 (Expert) compliance depending on the situation.

Once again, this applies to any organization working with the DIB, regardless of the industry or size of the organization. If you believe that this may apply to your business, you can contact CorpInfoTech to find out how you can get started.

However, if you are already aware that you need to comply with CMMC 2.0, your next question may be: by when do I need to become compliant?

The first model of CMMC has been fully deprecated in favor of the current model, CMMC 2.0. This second iteration consolidates the 5 levels of the first into 3: Foundational, Advanced, and Expert. This new model is still being developed and is pending approval from various agencies. As of July 2023, the CMMC rule has been sent to the Office of Management and Budget for review. Once reviewed, the rule will enter a public comment period. Once the necessary changes have been made, contractors can expect to see CMMC implemented as a final rule in late 2024 to early 2025.

Let CorpInfoTech help you learn more about CMMC compliance!

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.