
Cybersecurity Maturity Model Certification (CMMC) – COMING SOON!
CMMC 1.0 was initiated by the U.S. Department of Defense (DoD) to protect the Controlled Unclassified Information (CUI) that DoD shares throughout the Defense Industrial Base (DIB) from adversaries who want to steal or sabotage that data.
The DoD then conducted an internal review of the initial program, which led its cybersecurity leaders to refine the policy and program. As a result, the CMMC Standard was revised to version 2.0 in November 2021. There are now three possible certification levels, and DoD will specify the required level for each vendor in its contracts. The level is determined by the risk of the data handled, and the security controls are assigned based on that risk. The level controls and their general applicability are summarized below for reference:
- CMMC Level 1 (ML1) Foundational: 17 practices. Could apply to a low-risk office supply vendor. Suppliers have the option of an annual self-assessment; CMMC recommends that suppliers still consider seeking certification by an accredited C3PAO.
- CMMC Level 2 (ML2) Advanced: 110 practices, aligned with NIST SP 800-171. Applies to vendors handling DoD prints and specifications; the requirements are often flowed down to operations such as a machine shop or other component and product manufacturers. Suppliers are required to achieve triennial certification by an accredited C3PAO.
- CMMC Level 3 (ML3) Expert: the 110 practices of Level 2 plus additional practices drawn from NIST SP 800-172. Applies to a high-risk prime defense contractor such as Boeing, Lockheed Martin or Raytheon. This level will be assessed by the U.S. Government (DoD) only.
DoD suppliers must implement the relevant maturity level of the CMMC Standard as specified by DoD in their contracts once the program is released.
Status:
- DoD has completed its rulemaking changes for CMMC 2.0, and the Title 32 CFR rule is now with the Office of Information and Regulatory Affairs (OIRA) at the White House for review prior to approval.
- The CMMC program is conducting pilot assessments for a few select organizations approved by DoD.
- The CMMC program is training and approving assessors.
- The CMMC program is accepting applications from prospective C3PAOs (such as PRI Registrar).
- The CMMC program is approving trainers, training organizations, Registered Provider Organizations (RPOs) and Registered Practitioners (RPs) to support suppliers with implementation.
- Open-market demand for certification among DoD suppliers is expected to begin in mid-2024 or early 2025, pending final approval and publication of the Title 32 rule.
For more information, please visit the CMMC website.
Performance Review Institute Registrar will be seeking CMMC accreditation as a C3PAO in 2024/2025.