History of CMMC

The History of CMMC

The Cybersecurity Maturity Model Certification (CMMC) has become a relevant topic for many organizations within the Defense Industrial Base (DIB). Many businesses are wondering whether they must be compliant and how they begin that process. Due to the nature of cyber threats the CMMC model has evolved since its inception which may make it difficult to keep up with. This blog seeks to provide a short history of what the CMMC is and how it has changed over the years.

The history of the CMMC goes all the way back to 2010 with Executive Order 13556. The CMMC model seeks to provide a standard for the protection, storage, and transmission of controlled unclassified information”(CUI) an it was this executive order that defined what constitutes CUI and how it is defined.

It wasn’t until 2019 that the Department of Defense actually announced the development of CMMC in order to move away from the current “self attestation” model of security. While the CMMC model today does allow for some self attestation it is much more complex and scrutinized by third parties. Since 2017, defense contractors had to self-assess against the NIST 800-171 standard. The CMMC was founded on these standards and was created as a way to better enforce NIST 800-171 requirements.

In November of 2020 CMMC 1.0 was implemented as an interim rule in all DoD contracts requiring to upload a SPRS score in compliance with NIST 800-171 and various DFARS requirements.

This first iteration of CMMC contained 5 maturity levels in ascending order.

  1. Level 1 – Basic Cyber hygiene
  2. Level 2 – Intermediate Cyber Hygiene
  3. Level 3 – Good Cyber Hygiene
  4. Level 4 – Proactive Cyber Hygiene
  5. Level 5 – Advanced and Progressive Cyber Hygiene

These 5 levels addressed the 110 controls of NIST 800-171 that are divided into 14 control families. All contractors were expected to comply with at least the first level while other contractors higher up were expected to comply with the more advanced levels. This model worked for a while, but soon it was replaced with CMMC 2.0

CMMC 2.0 was announced in November of 2021 and attempted to streamline the expectations of the previous models by downsizing the transitionary levels of 2 and 4.

Instead of 5 maturity levels CMMC 2.0 has only 3.

  1. Level 1 – Foundational
  2. Level 2 – Advanced
  3. Level 3 – Expert

This second version of CMMC is what will be written into contracts by May of 2023. It is important to understand that CMMC 2.0 will no longer only apply to prime contractors but will be applicable to 4th level vendors in some cases. This is why it is important to become complaint now. Depending on what your organizations security posture is you may have a lot of work to do.

CorpInfoTech helps you make sure that your entire network meets the requirements of NIST 800-171 and thus is also compliant to the CMMC model. Because the cyber landscape is constantly evolving it is important to get started now!

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.

Comments are closed

Learn More

Learn More
error: Alert: This Content is protected!