The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to replace the self-certification previously required to demonstrate compliance with NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” In 2021, CMMC was moved under the purview of the DoD CIO.
Under the new process, compliance for Levels 2 and 3 will be assessed by an independent third party authorized by the CMMC Accreditation Body. Level 1 will remain self-assessed. This is the current guidance, although it has not been codified in official documentation. It is very much a work in progress and subject to change at any time.
CMMC Estimated Timeline
- Currently under review
The Cybersecurity Maturity Model Certification Training is intended for all personnel within the Defense Industrial Base (DIB) who conduct work with the Department of Defense (DoD). Compliance with this new requirement is mandatory for all contractors who continue working with the DoD, regardless of company size or role on contracts.