Why does CMMC exist?

If you are new to conversations about CMMC or how to become CMMC-certified, you might be wondering how CMMC came to exist in the first place. The story is longer than you might guess at first.

Protection of CUI

At the core of CMMC, and of the reason it exists, is Controlled Unclassified Information, or CUI. Many years before CMMC went into effect in December 2024, the Department of Defense recognized that theft of intellectual property and sensitive information from its contractors had become a chronic and growing problem. It quickly became clear that this steady stream of cyber incidents could harm national security.

In response to these concerns, the Department of Defense implemented a self-assessment program that went into effect on January 1, 2018. Department of Defense contractors had to implement the NIST SP 800-171 controls, self-assess against those controls, and enter the resulting score into a platform called SPRS (the Supplier Performance Risk System). Naturally, it was assumed that every score entered into SPRS would be accurate, even if the score was lower than the company would have hoped.

Unfortunately, that is not what happened.

Third-Party Assessments

After a year, it became evident that some of the scores in SPRS were inflated. The government needed a way to validate and verify the scores in SPRS so that it could be confident CUI was actually being protected. In 2019, the first version of CMMC was introduced. At the time, CMMC was divided into five security levels. The significant addition was that many companies that process, store, or transmit CUI would have to undergo a third-party assessment of their implementation of the NIST SP 800-171 controls rather than simply attesting to it themselves.

The program paused in 2021, and over the next three years CMMC was re-engineered. After the Department of Defense put together the new program, which measures compliance against NIST SP 800-171 Revision 2 specifically, the rulemaking process began. The new "CMMC 2.0" program has three security levels. Companies at Level 1 self-assess; Level 2 is split, with some contracts allowing self-assessment and others requiring an assessment by an authorized third party (a C3PAO); and Level 3 is assessed by the government. The higher the CMMC level, the more sensitive the data the company handles.

What questions do you have?

This has been a condensed history. It does not cover all of the public comments or the various suspenseful moments that transpired during the rulemaking process. Hopefully, however, you now have a better idea of how today's CMMC rule evolved.

The real question for you is how CMMC will impact your company in the coming years. Are you currently assessment-ready? Are you not sure where to start? Contact us today via the RFQ form, and let's get in touch!
