On November 4, 2021, to safeguard sensitive national security information, the Department of Defense (DoD) launched Cybersecurity Maturity Model Certification (CMMC) 2.0, a comprehensive framework to protect the defense industrial base (DIB) from increasingly frequent and complex cyberattacks. With its streamlined requirements, CMMC 2.0 was created to:
• Cut red tape for small and medium-sized businesses
• Set priorities for protecting DoD information
• Reinforce cooperation between the DoD and industry in addressing evolving cyber threats
The Department posted the CMMC 2.0 model for Levels 1 and 2 in December with their associated Assessment Guides and scoping guidance. Level 3 information will be posted as it becomes available (currently still under development).
What is CMMC Intended to Protect?
The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
What is FCI?
In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
What is CUI?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.
Who Must Comply?
The CMMC program includes cyber protection standards for companies in the defense industrial base. By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue formal rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.
What Does this Framework Look Like?
How Can Stern Security Help?
Stern Security’s Security & Compliance Architect has become a Registered Practitioner (RP) through the CMMC Accreditation Body (CMMC-AB), and we’ve added both CMMC 2.0 Level 1 and Level 2 to Velocity. We’ve made it easy to self-assess against CMMC 2.0, allowing our customers to prepare for the final versions of this framework. Velocity provides easy-to-understand examples combined with detailed explanations for each control to help our customers simplify their compliance efforts.