According to Statista, the United States government is expected to spend about 18.78 billion USD in 2021 on cybersecurity products and services. That amounts to an increase of nearly $2 billion since 2019, when $8.5 billion was spent on the US Department of Defense (DoD) alone, nearly equal to the cybersecurity spend for all civilian government agencies combined that year.

This massive annual expenditure is for good reason, however. The United States government, and the DoD in particular, are leading targets of cyberattacks, primarily from hackers in countries like Russia, China, North Korea, and Iran.

To ensure its systems are protected from foreign and domestic cybersecurity threats, the DoD has established a set of unified standards which IT security contractors must meet. These standards are known as the Cybersecurity Capability Maturity Model (CMMC) certification.

What is the CMMC?

The primary goal of CMMC is to safeguard Controlled Unclassified Information (CUI) across the DoD supply chain (some 00,000 companies) and deliver enhanced cybersecurity for the Defense Industrial Base (DIB). According to DoD, CUI is any data or information created or possessed by the government or another institution on behalf of the government.

CMMC certification requirements were first published in January 2020. Some IT RFIs and RFPs started requiring CMMC compliance in the summer of that year. By 2026, all new DoD contracts will require appropriate certification. The CMMC sets new standards for existing DoD contractors, replacing the self-attestation method and shifting to independent third-party certification.

There are five CMMC Maturity Levels which reflect the maturity and reliability of an organization’s cybersecurity infrastructure to safeguard sensitive government information.

There are 17 cybersecurity expertise domains within the CMMC, ranging from access control and incident response to security assessments, audits, and system and communication protection. Details on all seventeen of these domains and the five maturity levels listed above can be found on the website for the Office of the Under Secretary of Defense.

Who Does CMMC Apply To?

In 2021, the CMMC only applies to a set of large contractors who must meet the model by year end, and their subcontractors doing business with the DoD.

By 2026, the CMMC will apply to any DoD contractor or subcontractor that works with Controlled Unclassified Information (CUI). According to the DoD, CUI is any data or information created or possessed by the government or another institution on behalf of the government.

Even though it is not classified, permission from the DoD information owner is required. This information ranges from data about national defense and NATO to law enforcement, finance and nuclear interests.

An MSSP like ArmorPoint can leverage years of DoD experience, expert-level certification, and an integral understanding of policies to help companies achieve certain levels of CMMC compliance. Our service provides pre-made templates and continuous monitoring tools, all while providing support to your company through every phase of the process.

Who Oversees CMMC Compliance?

Certified CMMC Professionals (CCP), Licensed Training Providers (LTP) and Assessors (CCA) are trained and tested by a Maryland non-profit corporation called the CMMC Accreditation Body.

Why Use A Third-Party to Help Maintain CMMC Compliance?

A third-party CMMC assessor ensures contractors and subcontractors receive a fair and objective review of their practices and processes. They are certified against maturity levels to qualify certified professional applicants for CMMC accreditation.

Why ArmorPoint?

Organizations can store, organize, and quickly extract network data and information to demonstrate their company’s compliance on demand – making it faster and easier to track and organize critical data points. These optimized compliance management and reporting processes allow companies to maintain compliance and audit-readiness at all times, and will also mitigate costly future violations. ArmorPoint offers subscribers an out-of-the-box reporting library with templates contractors can use to demonstrate their compliance with CMMC standards.

If your business is looking to start the journey towards CMMC compliance and needs help getting started, check out our CMMC Compliance Checklist or contact us today.