The History of CMMC
The Cybersecurity Maturity Model Certification (CMMC) has become a relevant topic for many organizations within the Defense Industrial Base (DIB). Many businesses are wondering whether they must be compliant and how to begin that process. Because of the changing nature of cyber threats, the CMMC model has evolved since its inception, which can make it difficult to keep up with. This blog seeks to provide a short history of what the CMMC is and how it has changed over the years.
The history of the CMMC goes all the way back to 2010 with Executive Order 13556. The CMMC model seeks to provide a standard for the protection, storage, and transmission of controlled unclassified information (CUI), and it was this executive order that first defined what constitutes CUI.
It wasn't until 2019 that the Department of Defense actually announced the development of CMMC in order to move away from the existing "self-attestation" model of security. While the CMMC model today does still allow for some self-attestation, it is much more complex and is scrutinized by third parties. Since 2017, defense contractors have had to self-assess against the NIST 800-171 standard. The CMMC was founded on these standards and was created as a way to better enforce the NIST 800-171 requirements.
In November of 2020, CMMC 1.0 was implemented as an interim rule in all DoD contracts, requiring contractors to upload an SPRS score demonstrating compliance with NIST 800-171 and various DFARS requirements.
This first iteration of CMMC contained 5 maturity levels, in ascending order:
- Level 1 - Basic Cyber Hygiene
- Level 2 - Intermediate Cyber Hygiene
- Level 3 - Good Cyber Hygiene
- Level 4 - Proactive Cyber Hygiene
- Level 5 - Advanced and Progressive Cyber Hygiene
These 5 levels addressed the 110 controls of NIST 800-171, which are divided into 14 control families. All contractors were expected to comply with at least the first level, while others were expected to comply with the more advanced levels. This model worked for a while, but it was soon replaced with CMMC 2.0.
CMMC 2.0 was announced in November of 2021 and attempted to streamline the expectations of the previous model by removing the transitional levels 2 and 4.
Instead of 5 maturity levels, CMMC 2.0 has only 3:
- Level 1 - Foundational
- Level 2 - Advanced
- Level 3 - Expert
Where does CMMC stand now? As of October 15th, CMMC has been published in the Federal Register as a final rule. This means that CMMC is final, and audits will begin in the upcoming months. If your organization has been waiting to see which way the wind blows regarding CMMC, the time to act is now. CorpInfoTech offers CMMC compliance services that help your organization achieve and maintain regulatory requirements. By partnering with us, your organization will inherit 200+ of the 320 controls required by CMMC, will be given greater flexibility over how CUI is stored and protected, and will be ready when audit time comes!
CorpInfoTech helps you make sure that your entire network meets the requirements of NIST 800-171 and is therefore also compliant with the CMMC model. Because the cyber landscape is constantly evolving, it is important to get started now!