CMMC 2.0
Securing the Defense Industrial Base.
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD) program for verifying that contractors and subcontractors in the defense industrial base (DIB) actually implement the safeguards they are already contractually required to have. It covers two kinds of DoD information shared with the DIB: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Where earlier DFARS clauses relied on contractor self-attestation, CMMC adds a tiered assessment requirement so that protection of CUI is checked before award rather than assumed.
- Type: Security Framework
- Core Idea: Protection of Controlled Unclassified Information (CUI)
- Key Elements: three assessment levels; NIST SP 800-171 controls at Level 2, with selected NIST SP 800-172 requirements added at Level 3
Core Components
Understanding the structure of CMMC.
Applicability
Applies to DoD contractors and subcontractors that process, store or transmit FCI or CUI. The required level is stated in each solicitation and flows down to any subcontractor that handles the same information.
Status
The CMMC Program rule (32 CFR Part 170) took effect in December 2024; CMMC requirements are being written into DoD solicitations and contracts in phases over a multi-year rollout, so the level an organization needs depends on which contracts it bids on.
Core Requirement
Assessment against a defined control set: the 15 basic safeguarding requirements of FAR 52.204-21 for FCI at Level 1, the 110 security requirements of NIST SP 800-171 for CUI at Level 2, and additional NIST SP 800-172 requirements at Level 3. Level 1 is an annual self-assessment; Level 2 is either a self-assessment or a C3PAO assessment, depending on the contract; Level 3 is assessed by the DoD's DIBCAC. Every level also requires an annual affirmation of continued compliance by a senior company official.
Output
A CMMC status at Level 1, 2 or 3, recorded in the DoD's Supplier Performance Risk System (SPRS). For Level 2, a CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment when the contract requires third-party verification; a C3PAO-assessed Level 2 status is valid for three years, subject to the annual affirmation.
Perception
A prerequisite for any organization that handles FCI or CUI on DoD contracts; without the required level, it becomes ineligible for award.
Implementation & Strategy
Costs, timelines, and strategic considerations for adopting CMMC.
Estimated Project Costs
CMMC costs vary widely with the target level, the size of the assessment scope (how many systems and people touch CUI), and how far the organization already is from NIST SP 800-171 compliance. As rough planning figures, a small organization might spend between $50,000 and $100,000, a mid-sized organization between $100,000 and $250,000, and a large enterprise more than $250,000. Those figures cover remediation and preparation; the C3PAO assessment fee is separate, and the assessment repeats every three years with an affirmation every year in between.
Implementation Strategy
A typical CMMC implementation begins with scoping: identifying where CUI (or FCI) enters, is stored and leaves the environment, and categorizing the assets inside that boundary so that the assessment scope is as small as the business allows. The organization then documents its controls in a System Security Plan (SSP) and performs a gap assessment against NIST SP 800-171, recording unmet requirements in a Plan of Action and Milestones (POA&M) and remediating them; under CMMC only a limited set of requirements may remain open on a POA&M at assessment time, and those must be closed within 180 days. A self-assessment scored and posted to SPRS confirms readiness, after which a Level 2 organization engages a C3PAO for the formal assessment.
Comparisons
How CMMC stacks up against other security frameworks.