The Cybersecurity Maturity Model Certification (CMMC) is the newest Department of Defense (DoD) verification mechanism. It’s designed to ensure that cybersecurity controls and processes adequately protect controlled unclassified information, also known as CUI, that resides on defense industrial base systems and networks.
Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) was launched on January 31, 2020. CMMC maps cybersecurity best practices and processes to five maturity levels, ranging from basic cyber hygiene at level 1 to advanced and progressive cyber hygiene at level 5.
The ultimate goal of CMMC is to implement an appropriate level of cybersecurity across the defense industrial base supply chain. The DoD estimates the rollout of CMMC will affect over 300,000 companies. Most companies will be required to have a certification between level 1 and level 3 to qualify for government contracts.
Slow and Measured Rollout for CMMC Planned
Rolling out the requirements will be a slow and measured process. DoD handpicked the first 10 requests for information, or RFIs, that will include minimum CMMC certification requirements. These requests for information were scheduled to be submitted at the end of July or early August.
Requests for proposals (RFPs) will follow later this year. DoD expects to award the first contract in early 2021. The current plan is to have CMMC requirements in all new requests for information by 2026.
CMMC Preserves Five-Year Contract Timeline
DoD will not modify existing contracts to insert CMMC requirements, outside of extenuating circumstances. Thus, the five-year timeline provides for the general five-year contract cycle of one base year plus four option years.
This is the first in a multi-part blog series on CMMC. Watch for Part II of the CMMC series, coming soon, in which we’ll discuss the CMMC accreditation body.