On January 31, 2020, the US Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Cybersecurity Maturity Model Certification (CMMC) Version 1.0. DoD developed the CMMC to provide a unified cybersecurity standard for defense contractors and suppliers across all of the Defense Industrial Base (DIB), which, according to DoD, “consists of over 300,000 companies.”1 The development of the CMMC has been driven by concerns about the widespread exfiltration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the sprawling DIB, particularly at the lower and middle levels of the supply chain.2 CMMC primarily builds upon DFARS 252.204-7012, which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours. It also incorporates a number of other standards, including FAR 52.204-21 (the basic standard for protecting FCI), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, NIST SP 800-171B,3 ST SP 800-53, ISO 27001, ISO 27032, AIA NAS 993, CIS Critical Security Controls 7.1, and CERT Resilience Management Model®.
