CMMC Compliance
CMMC (Cybersecurity Maturity Model Certification) compliance refers to the mandatory adherence of Department of Defense (DoD) contractors to cybersecurity standards aimed at protecting sensitive information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0, the current version, streamlines compliance into three levels, each with specific requirements based on the type of information handled. Depending on the level, compliance is verified through self-assessment, third-party assessments (by C3PAOs), or government-led assessments (by DIBCAC). CMMC compliance is heavily based on the NIST SP 800-171 standard.
Level 1 compliance requires annual assessment.
Levels 2 & 3 compliance requires assessment every 3 years.
Authorities For Further Research
(i) Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3554.
(ii) Code of Federal Regulations, 32 CFR Part 170.
(iii) National Institute of Standards and Technology (NIST) SP 800-171 standard.