
UNDERSTANDING THE CMMC

What is the CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is the cybersecurity framework the Department of Defense (DoD) is mandating for every contractor that sells into the DoD. Because Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) stored on contractor systems were judged to be at unacceptable risk, the DoD introduced CMMC to verify that appropriate cybersecurity practices and processes are actually in place. It defines a set of maturity levels, and the level a contract requires will be used by the DoD as a qualification criterion in RFPs and vendor selection.


How is the CMMC different from NIST SP 800-171?

What sets CMMC apart from the requirements currently in place is a formal assessment process. Today a contractor self-attests to its compliance with NIST SP 800-171 (under DFARS 252.204-7012); CMMC replaces that self-attestation model with certification by an accredited third-party assessor, and the resulting audit and certification establish compliance as a condition of doing business with the Defense Department.

“The Department of Defense is drafting a new standard called the Cybersecurity Maturity Model Certification. This standard will replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2021. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before being awarded a contract or subcontracting to a prime.”
Katie Arrington, OUSD (A&S), in the Professional Services Council webinar “What Contractors Need to Know About DoD’s CMMC”, July 17, 2019

Version 1.02 of the CMMC model defines five levels, each with its own set of practices that is in scope for an assessment at that level. The levels are cumulative: a contractor certified at a given level must satisfy every practice of the levels below it. From Level 2 upward the model also assesses process maturity (whether the practices are documented, managed and reviewed, not merely performed), which is what makes CMMC a maturity model rather than a control checklist.

  • CMMC Level 1 (17 practices): the basic safeguarding requirements of FAR 52.204-21, which protect FCI.
  • CMMC Level 2 (72 practices): builds on Level 1 and adds 65 of the 110 NIST SP 800-171 requirements, a little over half, plus 7 practices from other sources; it is a transitional step toward Level 3.
  • CMMC Level 3 (130 practices): builds on Level 2 and covers all 110 NIST SP 800-171 requirements plus 20 additional practices; this is the minimum level for handling CUI.
  • CMMC Levels 4 and 5 (156 and 171 practices): build on Level 3 and add practices drawn from a range of other frameworks, aimed at reducing the risk from advanced persistent threats.

OUR SERVICES


Ready to take on CMMC? Choose from some of our compliance capabilities below to learn more about how we can help you.

Our involvement in the CMMC-AB community

Our staff has received formal training from the CMMC Accreditation Body and can help your organization become compliant.

Registered Provider Organization (RPO) & Registered Practitioner (RP)

As an RPO, we provide pre-assessment consulting to contractors so that they are ready for a CMMC assessment. Our Registered Practitioner guides companies in the US Defense Industrial Base (DIB) from start to finish so that they meet every requirement of the level they are targeting and go into the assessment prepared. Note that an RPO advises and prepares; the certification assessment itself must be performed by an authorized C3PAO, not by the RPO that did the consulting.

CMMC-AB Provisional Assessor (PA) & CMMC Third-Party Assessment Organization (C3PAO)

Our Provisional Assessor was selected from a pool of over 500 qualified candidates and is one of the first to obtain the CMMC assessor credential from the CMMC Accreditation Body. Reef Systems will be among the first organizations able to conduct CMMC Level 1 through Level 3 assessments on behalf of the CMMC-AB.
