Cybersecurity Maturity Model Certification

LEARN MORE

Cybersecurity Maturity Model Certification (CMMC) – COMING SOON!

CMMC 1.0 was initiated by the U.S. Department of Defense (DoD) to protect the DoD Controlled Unclassified Information (CUI) that exists throughout the Defense Industrial Base (DIB) from our adversaries who would like to steal or sabotage the data. 

 

The DoD initiated an internal review of the initial CMMC program leading to a refinement of the policy and program by cybersecurity leaders. As a result, The CMMC Standard was revised to 2.0 in November 2021. There are now 3 possible levels certification and the required level per vendor will be written in contracts by DoD.  These levels are determined based on data risk and the security controls are assigned based on this risk. Below are the level controls and the general applicability for reference:  

 

• CMMC Level 1 (ML1) Foundation: 17 practices. Could be applicable to a low-risk office supply vendor.  There is an option for self -determination by supplier. CMMC recommends suppliers still considering seeking  certification by an accredited C3PAO. 

• CMMC Level 2 (ML2) Advanced: 110 controls, including NIST SP 800-171. Applies to vendors with DoD prints and specifications – often flown down requirements to operations like a machine shop or other component and product manufacturers.  Suppliers required to achieve triennial certification by an accredited C3PAO. 

• CMMC Level 3 (ML3) Expert: 110 controls. This is applicable to a high-risk primary defense contractor such as Boeing, Lockheed Martin or Raytheon.  This level will be certified by US Government – DoD only. 

 

DoD suppliers must implement the relevant maturity level of the CMMC Standard as specified by DoD in their contracts once the program is released. 

CMMC Status

CMMC 2.0 Rule Making is now in Final status and Title 32 has been published. Title 48 DFARS, which is the ability to write CMMC requirement into DoD contracts, is expected to be approved early to mid-2025. Congress will give the final approval before the open market can begin. 

• CMMC is training and approving auditors 

• CMMC is taking applications from C3PAOs (like PRI Certification) 

• CMMC is approving trainers, training organizations, Registered Provider Organization (RPO), and Registered Practitioners (RP) to support suppliers with implementation  

For more information, please visit the CMMC website. 

PRICertification will be seeking CMMC accreditation as a C3PAO in 2025.