What is CMMC?
The Department of Defense (DoD) currently requires that its contractors meet the requirements of NIST 800-171; however, there is no audit and accountability for protecting Controlled Unclassified Information (CUI). This has led to the creation of the Cybersecurity Maturity Model Certification (CMMC).
CMMC is the certification process developed by the DoD as the next stage in properly securing the Defense Industrial Base (DIB). This standard is intended to replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2020. A key difference compared to NIST 800-171 is that CMMC will not contain a self-attestation component. Therefore, all organizations that do or intend to do business with the DoD will be required to go through an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. The CMMC model is defined with five maturity levels relating to both practices and processes, with Level 1 as the most basic and Level 5 as the most advanced.