CMMC: Its Importance and Impact on Organizations

What is CMMC?

Initiated by the United States Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a framework designed to measure an organization's cybersecurity maturity level and to align its processes and practices with the type and sensitivity of the information that must be protected.

The CMMC framework also evaluates the adoption of the processes and best practices required to achieve a given cybersecurity maturity level, and provides assurance that Defense Industrial Base (DIB) contractors are adequately protecting the unclassified information types, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that reside on their systems and networks.

In other words, CMMC is a unified standard for adopting cybersecurity across the DIB sector and the DoD supply chain.

The Importance of CMMC

The CMMC model builds on multiple existing cybersecurity standards, frameworks, and references, such as FAR clause 52.204-21 (basic safeguarding of FCI), DFARS clause 252.204-7012 (safeguarding of covered defense information and cyber incident reporting), and NIST SP 800-171 (protecting CUI in nonfederal systems and organizations).

The main objective of CMMC is to protect the following unclassified information:

  • Federal Contract Information (FCI): “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
  • Controlled Unclassified Information (CUI): “Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

According to a 2020 study, the global cost of cybercrime is estimated at around $945 billion, more than 1% of global GDP. In this light, the Department of Defense has taken steps to protect its data and minimize the risk of data breaches, and as a result the Cybersecurity Maturity Model Certification will soon be a mandatory requirement for all DIB contractors.

The Defense Industrial Base (DIB) is the worldwide industrial complex that performs the research and development, design, production, delivery, and maintenance of military weapons systems needed to meet U.S. military requirements. More than 300,000 companies take part in the DIB supply chain under contract with the DoD. To be awarded a DoD contract, defense contractors must have their cybersecurity posture assessed and certified by an independent third party.

Hence, to be awarded a contract, whether as a prime contractor or as a subcontractor, an organization must be certified at the CMMC maturity level that the contract specifies; certification serves as verification, through independent assessment, that the required cybersecurity practices have been adopted. CMMC consists of five levels that reflect the “maturity” of a contractor’s cybersecurity practices. These levels range from Level 1, “Basic Cyber Hygiene”, to Level 5, “Advanced/Progressive”, and allow the DoD to set the level required for each future contract.

Moreover, keeping a DoD contract, not just winning one, will depend on continued CMMC compliance. Organizations that do not obtain CMMC certification will therefore not be permitted to receive or share DoD information related to its programs and projects.

The Benefits of CMMC Certification

The main benefit for organizations that obtain CMMC certification is the improvement of their own processes and, at the same time, stronger protection of controlled unclassified information and intellectual property across the US DIB supply chain. This contributes to reducing the nearly $1 trillion annual global cost of cybercrime cited above.

The benefits of CMMC certification, among others, include:

  • Embracing a collaborative risk management approach that helps contractors reduce risk from a defined set of cyber threats
  • Adopting best practices organized across five maturity levels, from basic cyber hygiene to advanced or progressive
  • Preparing for and preventing cyber incidents
  • Recovering from a cyber incident without financial penalization
  • Maximizing the cybersecurity resilience of the DoD and DIB

How can PECB help?

PECB is among the first organizations approved as a Licensed Partner Publisher (LPP) for the Cybersecurity Maturity Model Certification (CMMC). The training courses provided by PECB will be based on the training curricula and Body of Knowledge approved by the CMMC-AB.

In addition, PECB has developed a Foundation-level training course to help interested parties understand this new type of certification. The PECB CMMC Foundations training course enables participants to understand the structure of the CMMC model, including its levels, domains, capabilities, processes, and practices.

Participants will also gain basic knowledge of the roles and responsibilities within the CMMC-AB ecosystem, the assessment process and methodology, the CMMC Code of Professional Conduct, and more. Although this training course is not approved by the CMMC-AB, it does lead to a PECB certification upon completion of the course and successful passing of the exam.