Any business, institution, or entity that receives, manages, or stores sensitive data should take data protection and security seriously. One sector currently taking data protection to the next level is the Department of Defense (DoD).

    The National Defense Industrial Association (NDIA) held several webinars to provide the latest updates concerning the department’s current Cybersecurity Maturity Model Certification (CMMC).

    Leading figures of NDIA Wes Hallman, Nick Jones, and Corbin Evans answered some frequently asked questions concerning the CMMC.


    What Does CMMC Stand For?

    CMMC stands for Cybersecurity Maturity Model Certification and is composed of five different maturity levels. These range from the basic cybersecurity protocols to more advanced ones. The basic protocols are for contractors with lower controlled unclassified information levels, while the advanced protocols are for contractors that work with more sensitive information. There are CMMC consultants available to help determine what level of maturity a business needs. 

    What DoD Requirements Do Contractors Need To Meet?

    The DoD is preparing to move all current contractors to a new CMMC framework to enhance the department’s cybersecurity practices and protocols. That means, for contractors to qualify, they need to meet new and improved CMMC compliance standards.

    The creation of the CMMC is explicitly intended to ensure that government contractors put the proper data security measures to reduce or eliminate cybersecurity issues. 

    How Will The CMMC Compliance Standards Be Applied To Foreign Contractors?

    The CMMC will also apply to foreign contractors that want to do direct business with the DoD or be part of its supply chain. An accreditation body is in place to work with Third-Party Assessor Organizations outside the US to ensure that companies that meet the required standards receive certifications. 

    How Can A Business Receive CMMC Certification?

    For an organization to become CMMC certified, it’ll need to work with a third-party commercial certification organization that is both independent and accredited for that purpose. This organization will receive your request and conduct the required assessment to ensure that your business meets the required level of certification, depending on your company’s contract. Your business will need to demonstrate that it meets the required cybersecurity maturity to the organization’s satisfaction conducting the assessment.

    Can Contractors Self-Certify Their Organizations?

    Previous DFARS regulations made it possible for a contractor doing business with the government to conduct an assessment on its own and self-certify. However, the current changes the new CMMC brings mean that every contractor still interested in doing business with the government must receive certification from an accredited third-party commercial certification organization.

    What Does Controlled Unclassified Information Mean?

    Controlled unclassified information (CUI) stands for information created and possessed by the government. It also includes information that an entity has or makes on behalf of the government. Approved third-party contractors have received the necessary approval to handle this type of information, putting the essential safeguarding and information dissemination controls in place to ensure data security.