Guidance for the Cybersecurity Maturity Model Certification (CMMC)

07 March 2023

Learn about the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) and why it may be the key to securing the nation's critical systems and intellectual property.

Overview

In January 2020, the Department of Defense (DoD) unveiled version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). The CMMC provides a consistent cyber security framework for vendors doing business with the DoD, and it requires attestation and certification by an accredited third-party assessor (a C3PAO). Note that the revised CMMC 2.0 model announced in November 2021 allows annual self-assessment at Level 1 and for a subset of Level 2 contracts, with third-party or government assessment reserved for the higher levels.

In this guide, NCC Group, a global provider of cyber security and risk mitigation services, provides insight into the CMMC and offers guidance for the nearly 300,000 companies that will need to demonstrate compliance in order to conduct business with the DoD.

The DoD responds to its most persistent threat

According to the Commission on the Theft of American Intellectual Property, the value of US trade secrets stolen by outside entities lies somewhere between $180 billion and $540 billion per year, equivalent to between 1% and 3% of the total economic output of the United States.

"The theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security."

These words, used by the Department of Defense (DoD) in an early draft of the Cybersecurity Maturity Model Certification, highlight the pervasive problem of data loss across the federal government and the many tiers of its supply chain.

But what is the CMMC, how can it curb this loss, and how will it apply to the many contractors that do business with the DoD?

Weaknesses in the government's supply chain

Historically, government networks have been protected by network segmentation and access control at the perimeter. That perimeter no longer bounds the data: modern collaboration tools and cloud services let information flow quickly and widely between the government and its partners, so the data is only as well protected as the weakest network that holds a copy of it.

While the DoD itself is held to the highest security standards, weaknesses exist within smaller organizations much further down the supply chain that connect to agency environments and receive, store and maintain sensitive information on behalf of the US government. These contractors often lack the security maturity and infrastructure needed to defend that information, which makes them a prime target for nation states and other threat actors.

To protect the government's sensitive but unclassified information against exfiltration, new cyber risk requirements were written into DoD contracts, most notably the DFARS 252.204-7012 clause that requires contractors to implement the NIST SP 800-171 security requirements. The primary focus of these requirements is to protect Controlled Unclassified Information (CUI): information that is not classified but still requires safeguarding or dissemination controls.

An estimated 70% of U.S. Government data lives on contractor networks.

"Every company within the DoD supply chain, not just the defense industrial base but the 300,000 contractors, are going to have to get certified to do work with the Department of Defense."

Katie Arrington, CISO, Office of the Assistant Secretary of Defense for Acquisition, Department of Defense

Want to learn more about the CMMC and DFARS?

Download the rest of this eBook, or talk to one of NCC Group's cyber security compliance experts.