CMMC - Introduction

The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.


OVERVIEW OF THE CMMC PROGRAM

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model : CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement : CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts : Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.


THE EVOLUTION TO CMMC 2.0

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards


KEY FEATURES OF CMMC 2.0

Learn more about CMMC 2.0

OUSD A&S - Cybersecurity Maturity Model Certification (CMMC) (osd.mil)

The CMMC lifecycle starts with the understanding that organizations need expert help to facilitate their journey through CMMC certification.

Best practice for organizations is to start by visiting CMMC-AB at cmmcab.org/marketplace/ to select a CMMC provider in your local area. You can search by name, city, or state. CMMC-AB provides this tool to help organizations ensure they are working with properly trained companies. Organizations should reach out to RPOs and ensure they have RPs attached to their profile. This can also be done at https://cmmcab.org/marketplace/

CMMC-AB requires that PAs have been vetted, verified, and confirmed by CMMC-AB as an organization that has been trained to perform self-assessments, and has been given all the latest information on CMMC regulation as it pertains to obtaining your independent certification.

What do I do?

  • First step in the CMMC journey is to find a trusted advisor that can provide advice on your next steps
  • Perform research at cmmcab.org/marketplace/ to ensure your trusted advisor has meet the criteria and is listed within the marketplace
  • Each CMMC PA on the marketplace has been trained by CMMC-AB
  • This method will ensure your working with trained resources who have been trained by the CMMC-AB

What can Solvitur do to help?

Solvitur leverages trained CMMC PAs that can be found in the CMMC-AB marketplace at: CMMC-AB Marketplace

Our PAs follow these basic steps:

Step 1 - Self-assessments

Step 2 - Remediation (POA&M)

Step 3 - Schedule C3PAO Assessment

Step 4 - Audit preparation

As PAs, we will assist and support your organization in identifying gaps within your necessary maturity level. Solvitur can:

  • Help you understand which capabilities are currently being met, which capabilities are planned, what needs to be prepared for, and which capabilities are currently not applicable
  • Assist in identifying gaps, creating a Plan of Action and Milestones (POA&M) to help manage the remediation process
  • Manage and provide hands-on remediation for any deficiencies documented in our self-assessment