What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. The United States Department of Defense is implementing the CMMC as a unifying standard for the implementation of cybersecurity across the federal government’s Defense Industrial Base (DIB). The goal of CMMC is to provide increased assurance to the Department of Defense (DoD) that a DIB company can protect sensitive unclassified information. Any loss of such unclassified information from the DIB sector increases risk to national economic security and, in turn, national security. The new CMMC framework is intended to serve as a verification mechanism to assess and enhance the cybersecurity posture of the DIB sector. Those who are a part of the DIB must be certified by 2026. This includes contractors and subcontractors.


How is the CMMC different from current cybersecurity standards?

Unlike NIST 800-171, the new CMMC framework possesses five levels. The model is cumulative, where each higher level includes enhanced practices and processes in addition to those specified in the lower levels. The CMMC model offers cybersecurity practices in addition to the security requirements specified in NIST 800-171.


Who can perform CMMC assessments?

Only authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) that are listed on the CMMC-AB Marketplace website will be able to conduct CMMC assessments of DIB companies’ unclassified networks. C3PAOs can issue the appropriate CMMC certificates based on the results of the assessments. C3PAOs must be CMMC compliant and meet DoD requirements. Currently, there are no fully authorized C3PAOs, meaning official CMMC assessments are not yet available. They are expected to start becoming available later in 2021.


What should your organization do in the meantime?

You can start preparing for CMMC compliance now by doing a Readiness Assessment with a Registered Practitioner Organization (RPO), like Anchor Technologies. They will help you understand where your organization stands in relation to CMMC compliance and determine any gaps. Achieving CMMC certification will take time and planning. A Readiness Assessment will map your organization’s current cybersecurity program, policy, and procedures against CMMC compliance requirements. Once you understand where you stand, you can begin the process of remediation and become one step closer to CMMC certification.


How to choose a Registered Practitioner Organization (RPO)

DIB companies can select an RPO from the CMMC-AB Marketplace website; planning for certification a minimum of 6 months in advance is recommended. You can view Anchor Technologies on the CMMC-AB here. Anchor offers a structured approach to mitigate security gaps in preparation for mandatory CMMC compliance requirements and can help you navigate CMMC compliance.


For more information and CMMC FAQs, go to the Office of the Under Secretary of Defense for Acquisition & Sustainment’s CMMC FAQ page.