Here at StartProto, we acknowledge the importance of Cybersecurity Maturity Model Certification (CMMC) and CMMC compliance to mitigate threats to sensitive data. As a cloud-based software company that serves the manufacturing industry, we want all of our people to be able to explain CMMC and the recent changes that have been taking place.
What Is CMMC, What Does CMMC Stand For, and What Does CMMC Compliance Mean for Your Business?
What does CMMC stand for? CMMC stands for Cybersecurity Maturity Model Certification, a framework developed by the U.S. Department of Defense (DoD) to ensure that its contractors and suppliers meet specific cybersecurity standards. The DoD introduced the CMMC program to improve supply chain security in the defense industrial base (DIB). It applies to DIB contractors, government contractors, and defense contractors, and it serves as a unifying standard and certification model to ensure that DoD contractors are properly protecting sensitive defense information. The framework and its requirements consist of a set of cybersecurity controls and processes that contractors and suppliers must implement to achieve CMMC compliance and certification. The goal is to ensure that every contractor and supplier in the DoD supply chain meets a consistent set of cybersecurity standards.
The DoD has implemented this framework of basic safeguarding requirements to improve the overall security posture of its supply chain, as it has become increasingly clear that advanced persistent threats pose a significant risk to national security. Under CMMC, contractors and suppliers are required to undergo an assessment by a third-party assessor to determine the maturity level of their cybersecurity processes and their ability to mitigate threats.
What Are the 5 Levels of CMMC Certification?
The original CMMC model defines five levels of certification, ranging from basic cyber hygiene to advanced cybersecurity practices. The CMMC level a contractor or supplier must reach depends on the sensitivity of the information it handles.
The initial five levels of CMMC certification were as follows:
Level 1: Basic Cyber Hygiene
Level 2: Intermediate Cyber Hygiene
Level 3: Good Cyber Hygiene
Level 4: Proactive
Level 5: Advanced/Progressive
The CMMC 2.0 program, which is the next iteration of the Department’s CMMC cybersecurity model, has streamlined the requirements to three levels based on well-established NIST cybersecurity standards [1][2][3].
Levels of CMMC 2.0
The CMMC framework includes a set of controls and processes that contractors and suppliers must implement to achieve certification. These controls cover areas such as access control, incident response, and system and information integrity. With the implementation of CMMC, all contractors and suppliers will need to demonstrate that they are meeting specific cybersecurity standards in order to continue doing business with the DoD. CMMC defines different levels at which an organization can be audited; the higher the level, the more rigorous the required security practices. These CMMC levels can only be approved by a third-party assessor (no more self-assessments).
Why the CMMC Model Has Been Implemented
The Department of Defense initially relied on regulations such as the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) to govern government acquisitions. The clauses in FAR and DFARS served as guidelines for both vendors and the government, and as security controls for businesses and the government to protect what the United States calls Controlled Unclassified Information, or CUI. In short, CUI is information generated by any party during a DoD or government transaction that may contain critical details about the product or service involved. Even though CUI is not classified, even small details about a component used in a product could ultimately expose a weakness or proprietary information.
The problem the government found with DFARS and FAR was that there was no certifying body, leaving the system dependent on trust. Self-certification was the norm, and many contractors and suppliers did not have the necessary cybersecurity practices in place. Without the monitoring and audits that come with a certification program, many contracts that were written to comply with DFARS and FAR are no longer being closely followed, exposing our country's CUI to adversaries.
The solution to this problem is now the Cybersecurity Maturity Model Certification (CMMC), or CMMC model. CMMC encompasses the cybersecurity and information security clauses from both DFARS and FAR and outlines a new framework that incorporates a certification process into DFARS. As with DFARS, the purpose of CMMC is to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the DoD supply chain.
CMMC will protect the government's FCI and CUI in today's digital world.
Implementing CMMC is a significant change for DoD contractors and suppliers, but it is a necessary step to improve the overall security posture of the DoD supply chain.
Time to Prepare
Defining CMMC has been a sensitive and evolving process. One thing is certain: CMMC compliance will be required of all Defense Industrial Base members and Defense Supply Chain members. As of today, the government is targeting an implementation deadline at the start of fiscal year 2026 (that is, October 1, 2025). Given the sheer number of companies that will need to become compliant, be assessed, and then be audited, meeting that date will involve some challenges, but the DoD is insistent that it will meet these deadlines.
Under CMMC 2.0, contractors that handle CUI will have to be certified against one of three tiers of requirements. The industry is waiting for the U.S. Department of Defense to finalize and publish the newest version of CMMC 2.0; we expect the 2.0 requirements to be available in 2023.
For more on the changes, visit https://www.acq.osd.mil/cmmc/index.html.