The DoD adopted the Cybersecurity Maturity Model Certification program (CMMC) in early 2020 to require independent assessment of Defense Industrial Base (DIB) suppliers. It is meant to protect Controlled Unclassified Information (CUI), data that is more sensitive than Federal Contract Information (FCI) but less sensitive than classified data at the Secret and Top Secret levels. This is accomplished by requiring independent certification of the cybersecurity capabilities and practices DIB suppliers use to protect that data. In essence, CMMC seeks to ensure the appropriate handling of CUI so that it does not leak and unauthorized individuals are not exposed to information that might lend clues to U.S. military strategies and activities.
The CMMC program requires that 200,000+ vendors and suppliers be certified against the 110 requirements embodied in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. All DIB suppliers will be subject to Level 1, which is concerned with protecting Federal Contract Information, whether they are a prime or a subcontractor working a DoD contract. A subset of suppliers will also be subject to all 110 requirements, representing Level 2, which is focused on protecting CUI that could lend clues to DoD strategies and activities.
As this article is being posted in May of 2024, we are anticipating this rule to become effective in March of 2025. Many small- and medium-sized companies that supplement their commercial work with government work are struggling to understand how this rule affects them. The stakes are not small. If you fail to hit the mark, say bye-bye to government work.
Why a CMMC assessment is different from — and more rigorous than — your average commercial certification
Most companies are familiar with sponsoring periodic independent audits, either to raise customer confidence in their cyber integrity or to meet external requirements. Some, like banks and health care companies, need to be certified against industry-specific regulations to maintain their license to do business. Other companies pursue cyber certification voluntarily, using it as a business differentiator to attract customers. But a CMMC assessment is different, significantly different. The level of rigor approaches that of managing data in a classified environment. Below is a comparison that helps underscore those differences.
[Table: Commercial Audit vs. CMMC Assessment comparison]
The value of pursuing and achieving CMMC readiness
While these differences may appear daunting, CMMC readiness is not unachievable. Readiness activities require deep diving into data management in a way few companies do unless they are subject to the European GDPR privacy law or the California Consumer Privacy Act (CCPA). But there is an undeniable value to pursuing it. Even if you determine after analysis that the lift is too heavy, you cannot help but reveal your cyber capabilities and deficiencies, which will expose areas of opportunity for cyber improvement, and potentially for operational simplification and optimization. You will learn, down to your bones, what your security posture is and how you can make it work for you.
And one of those ways is to distinguish yourself from your DIB peers. There is a suspicion that the DoD will use the CMMC rule to winnow the pool of suppliers down to a more manageable number. Contract preference may prove highly advantageous to early adopters, so seeking a readiness assessment before the rule drops is strongly encouraged.