CMMC is a DoD certification process to measure a company’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC combines cybersecurity standards and maps these best practices and processes to maturity levels, from basic cyber hygiene to advanced/progressive.
All DoD contractors and subcontractors, regardless of their need to access sensitive information, will have their cyber acumen scored on a scale of 1 to 5. The Department of Defense will use the same scale to stipulate in solicitations the CMMC level required.
A CMMC Accreditation Body, a neutral third party that will maintain the standard for DoD, was established to train and verify third-party cybersecurity certifiers who will conduct audits. Additional information regarding the CMMC Accreditation Body is available at https://www.cmmcab.org/.
All contractors and subcontractors, regardless of their need to access sensitive information, must be audited and scored.
Additional information regarding DoD’s CMMC is available at:
Certification of cybersecurity compliance will be required for suppliers to do business with Land Systems and the U.S. DoD. Certification of cybersecurity compliance is led by the Office of Under Secretary of Defense for Acquisition and Sustainment, and CMMC scores will be tracked by the DoD. Again, all companies will require a CMMC rating from 1 to 5, and DoD solicitations may restrict the use of suppliers below a specified CMMC level. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 3.
Suppliers will be responsible for sourcing, conducting and reporting their CMMC audits via accredited third-party entities.
The CMMC Accreditation Body is developing the process for certifications. Refer to the “Organizations Seeking Certification” section of the CMMC Accreditation Body site for additional information: https://www.cmmcab.org/contractors.
- January 19, 2021: Virtual