The US Department of Defense (DoD) is implementing a new Cybersecurity Maturity Model Certification (CMMC) requirement for all private-sector businesses that work with the DoD.

This new requirement will directly affect the roughly 300,000 businesses that are part of the DoD supply chain. The ripple effect of this new standard is likely to be even larger, potentially replacing almost all other broadly recognized cyber security standards.

The CMMC is a set of security controls being developed by the DoD in coordination with industry and academia, building on previous standards including NIST 800-171, 800-53, CSF, ISO 27002, CIS v7, Secure Controls Framework and others.

The CMMC sets itself apart in several ways:
  • It’s required for all organizations doing business with the DoD. This is a sweeping change. It doesn’t matter if you handle classified information or Controlled Unclassified Information (CUI). If you work with the DoD, it applies to you.
  • There are five levels of compliance. All businesses need some level of cyber protection; they just don’t all need the same level of protection. Businesses that provide landscaping services, for instance, can operate at a lower level of compliance than a business that designs weapons systems.
  • CMMC compliance at the appropriate level will be a requirement for bidding. DoD contracts will stipulate the maturity ranking required for any organization that wants the work. Your CMMC level certification will be your “license to hunt.” If you’re not certified at the right level you will be eliminated from consideration.
  • Organizations must be certified by a third-party auditor. Up until now, only the ISO 27002 and HITRUST frameworks offered the option to be certified by a third party. Organizations could say they were compliant, satisfying most who had interest in security but glossing over the fact that they were not actually certified. CMMC will require certification by a third party.
The timeline for the CMMC is quite aggressive, so organizations should start working on it now:
  • Version 1.0 of the standard was published January 31, 2020.
  • New DoD contracts will require compliance starting as soon as October 2020; organizations that have not gained certification by then will be unable to bid on DoD work.
  • Existing contracts will have CMMC requirements added when renewed or otherwise modified.
  • Organizations should start gauging their state of compliance now and start working towards compliance this year.
Why would this standard replace all others?

Organizations choose to comply with an information security standard for only one reason: it makes good business sense. Sometimes there are external drivers, such as a demand from a key client, and sometimes the driver is internal, such as a clearly articulated enterprise risk management program.

Some of the factors that go into picking a standard to adopt include:

  • The standard should be reputable. Standards created by national (like NIST) and international (like ISO) organizations have strong reputations and are well-recognized. Virtually all reputable standards address the exact same topics in their own unique way. There are entire businesses that do the mapping of one standard to another so a company that worked on becoming ISO 27001 compliant can explain how it is also NIST 800-53 compliant.
  • The standard should be relevant to the business. For instance, HITRUST is relevant to organizations handling medical information, and the soon-to-be supplanted NIST 800-171 is intended for organizations doing business with the US DoD.
  • Achieving compliance must be cost-effective. The organization must be able to achieve compliance without wrecking the business.
  • Maintaining compliance must be cost-effective. Once an organization goes through the effort of becoming compliant, the cost and effort of staying compliant must be manageable. This is another reason that organizations go through the challenging exercise of documenting how complying with one framework is equivalent to complying with another.

The CMMC ticks all these boxes for about 300,000 companies. Since the CMMC is based on the best of all the current reputable standards, there is no separate need to show how it maps back to them; for most of these companies, there is no compelling business reason to comply with any other standard. Because companies must be certified by an impartial, external third party, the CMMC also provides a much stronger level of assurance to non-DoD business partners than would unsubstantiated claims of being compliant with any other standard. The cost of gaining and retaining compliance is designed to be minimal to ensure that the supply chain is secured rather than disrupted.

As organizations earn certification, their CMMC level will drive out other claims about cyber security. The CMMC level will also simplify the interactions between businesses regarding how information is protected. Currently, mature organizations include some level of cyber due diligence in their contracting processes. With this new standard, instead of subjecting business partners to long questionnaires about their internal cyber security, even non-DoD organizations will only have to ask each other one simple question: What is your CMMC level?

This new standard, driven by the US DoD, is likely to become the de facto cyber security framework for all businesses—regardless of whether they work with the DoD.


Control Risks can help you and your organization prepare for the CMMC now.