The Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) as a cybersecurity standard for the Defense Industrial Base (DIB). As a nation, we must protect the supply chain of 300,000 companies globally. CMMC is required for all DoD contractors dealing with CUI per the Interim Rule.
CMMC assessments occur across five levels of maturity, with level 1 requiring the most basic cybersecurity and level 5 requiring the most advanced with 171 embedded practices and processes.
Do you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)? If you answered yes, then you need an assessment.
Federal Contract Information is anything created by the federal government that is not meant for public release.
Companies that hold FCI will, at a minimum, put into place the safeguarding requirements outlined in FAR clause 52.204-21.
A Level One CMMC assessment is recommended for companies that hold FCI. This can range from a plumber who has schematics for a job to a machine shop.
Controlled Unclassified Information is any information generated by the government or for the government with protections covered by federal law or regulations.
Companies that hold or create CUI will be required to demonstrate CMMC compliance via a CMMC third party assessor organization (C3PAO) assessment. Readiness represents a major investment, and the CT CMMC Coalition offers various resources that can help.
Thus the highest realization of warfare is to attack the enemy’s plans; next to attack their alliances; next to attack their army; and the lowest is to attack their fortified cities. Sun Tzu