The Cybersecurity Maturity Model Certification (CMMC) is an accreditation process developed by the Department of Defense (DoD) that measures the cybersecurity maturity of government contractors. Once implemented, all organizations that do business with the DoD will need to meet CMMC requirements to be awarded a DoD contract. There are five levels of certification based on the types and sensitivities of the data and information that contractors need to access, store and protect. CMMC organizes business processes, practices and capabilities into 18 domains, which in turn contain numerous specific security requirements. Click below for more detailed information on CMMC and how it will affect organization when doing business with the DoD.  
 

Purpose

CMMC is intended to ensure organizations are using appropriate levels of cybersecurity practices and processes to protect controlled unclassified information (CUI) on the DoD’s industry partner networks. The DOD is planning to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB), an ecosystem of approximately 300,000 companies of all sizes across multiple industries that sell products and services to the DoD.

Affected Parties

Although it has not been implemented yet, CMMC will require technology vendors, channel partners and systems integrators selling to the DoD to make investments in their cybersecurity capabilities if they want to obtain certification. What should you expect?

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment, CMMC assessment costs will depend upon several factors including the CMMC level, the complexity of the DIB company’s network and other market forces. The goal is for CMMC to be cost-effective and affordable for all companies.

Still, technology vendors, channel partners and systems integrators needing CMMC accreditation will have to plan for expenses: assessment costs, remediation costs and changes to business processes. Remediation costs will depend on the current strength of a company’s security posture. Organizations with strong security will have fewer issues to mitigate and lower mitigation costs. The size and complexity of the company is also a factor. An organization of 300 people faces a less expensive task than a company of 15,000. The sensitivity of the data under the company’s control is another key determinant: if a company handles classified data, they will need a higher level certification and can expect to spend more than an organization processing information at a lower sensitivity level.

Accreditors

Third-party organizations, or CMMC Third-party Assessment Organizations (C3PAOs), will measure a company’s security posture against these domains and provide a certification at one of the five levels. There are currently no C3PAOs authorized to provide CMMC accreditation. However, there has been a down-select to about 70 potential companies.

CMMC Resource Information

Access whitepapers, case studies and other educational resources related to CMMC below or listen to on-demand webinars to see how CMMC will impact your organization.

Padlock resting on an open palm. Text reads: CMMC Update. Upcoming Virtual event. Preparing our Partners for CMMC
Preparing Our Partners for CMMC — DLT is holding a CMMC panel discussion to help prepare your organization for the impending DoD requirement. As a DLT partner, we offer you the unique opportunity to join our webinar and gain key insights about CMMC from leaders at DLT, Coalfire, and the DoD, including Stacy Bostjanick, Director of CMMC Policy for the OUSD A&S.

Watch On-Demand Today
Padlock in a cloud. Text Reads: Plan and Prepare for DoD’s CMMC Compliance in a Cloud-based Environment
Plan and Prepare for DoD’s CMMC Compliance in a Cloud-based Environment — DLT and Coalfire have partnered to help examine the intricate certification levels and controls to the Department of Defense's CMMC compliance, with additional details of the impact in management of workloads in the cloud.

Watch On-Demand Today
Hand on a laptop with various padlocks swirling around. Text Reads: Automation and CMMC
Automation and CMMC — Meeting the network documentation, vulnerability analysis, and remediation requirements specified in the CMMC can be a daunting manual task. Learn how NetBrain automation can reduce the time and manpower requirements by upwards of 90%.

Watch On-Demand Today
Team of women and men staring intently at a series of monitors. Text reads: Does Your Organization Know the Security Posture of Your Federal Contractors?
Does Your Organization Know the Security Posture of Your Federal Contractors? — Jake Olcott, VP of Government Affairs Communications, BitSight, one of the leading security ratings service providers and Don Maclean, Chief Cybersecurity Technologist from DLT, discuss what to look for when selecting the third party risk management solution.

Watch On-Demand Today

CMMC Articles

Stay up-to-date with the latest developments in CMMC. It is constantly evolving, so staying informed of how it will impact your business with the DoD will better prepare your organization for success. Get the latest information below.

Distant view of helicopter on the tarmac. Text reads: The CMMC and continuous monitoring – is it a good idea?
In April of this year, the CMMC advisory board issued an interesting RFP that caught a few off guard and raised a lot of questions among the defense industrial base (DIB). That RFP involved the creation of a continuous monitoring portal. This RFP seemed rushed to some, and raised concern among others.

Read the Article
Outline of the globe against a backdrop of connected hexagons. Text reads: CMMC V1.0 – what is it and will it work?
The Cybersecurity Maturity Model Certification (CMMC) has a potential impact on small- and medium-sized government contractors. The Department of Defense (DoD) is taking incredible steps to ensure that the CMMC doesn’t keep small companies from working with and selling to the government.

Read the Article
Soldier in full gear with data loading on a screen. Text reads: CMMC for SMBs – What should smaller contractors expect?
We know that the adversary looks at our most vulnerable link, which is usually 6-7-8 levels down in the supply chain. This has been a common theme among government and military cybersecurity experts and professionals over the past few years.

Read the Article
Composite of hooded figures with overlay of binary numbers and stars to resemble the US flag. Text reads: What your organization needs to know about CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement from the U.S. Department of Defense (DoD). It mandates that DoD contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet “basic cyber hygiene.”

Read the Article
Focused image of Soldier's hands typing on a laptop. Text reads: General Dynamics – Ordnance and Tactical Systems CISO Talks Best Cyber Practices in Defense Industrial Base
The movement towards remote work and digital tools over the past few months has resulted in a massive change in the amount of data flowing over networks and has drastically increased the importance of advanced IT tools and capabilities across the DoD and the Defense Industrial Base (DIB).

Read the Article

 

 

CMMC Blogs

What are the “boots on the ground” saying about CMMC? Get vital information from DLT that will give visibility into the latest CMMC developments and see how technology providers, channel partners and systems integrators are preparing for accreditation.

Multiple series of numbers with the words Data Breach and Cyber Attack highlighted
Cybersecurity

CMMC 2.0 Is Here and Real. Time to Get Ready.

Cybersecurity Maturity Model Certification (CMMC) 2.0 is here. If your company is not prepared, the time to get ready is now, or your company may risk losing business with the Department of Defense (DoD). The CMMC program requires cyber protection standards for companies in the Defense Industrial Base (DIB) and aims to protect sensitive unclassified information that the DoD shares with contractors and subcontractors.
Don Maclean
Aerial view of a giant locked padlock
Cybersecurity

Update from DoD Town Hall: Got CUI? Expect a Third-Party Assessment

In a Department of Defense (DoD) Town Hall held on February 10, led by David McKeown, DoD’s Senior Information Security Officer and Deputy CISO, we heard some news about CMMC. Defense contractors holding Controlled Unclassified Information (CUI) will need a third-party assessment to obtain certification.
Don Maclean
Cybersecurity

How You Can Prepare for CMMC: Key Insights from Industry Leaders

If your business sells products or provides services to the Department of Defense (DoD), then you should know about the Cybersecurity Maturity Model Certification (CMMC) program. 
Don Maclean

Analyzing How CMMC Changes the Rules

DoD has recently incorporated CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS Case 2019–D041, available here https://bit.ly/30LXAeE).  The rule change is currently open for public comment, and I urge all interested parties to read it and provide input.  
Don Maclean
Cloud

Key Takeaways from the AWS Public Sector Summit Online

In previous years you would have ventured to our nation’s Capital to take part in the AWS Public Sector Summit. This year’s event – as you could imagine – was a virtual experience. Although I and my fellow DLT colleagues wished we could have been there in person, we really enjoyed our time at this year’s Summit. Much like what has been the theme of 2020, AWS had to adapt and innovate to these unprecedented times. They certainly rose to the occasion and put together a unique and valuable experience for their attendees.
Zev Stern-Coder