CMMC Guidance

What is the Cybersecurity Maturity Model Certification (CMMC)?

The DoD (Department of Defense) recognized that the cybersecurity programs, practices, and processes implemented by organizations participating in the DIB (Defense Industrial Base) needed improvement. Organizations will be required to achieve certification to varying degrees within this new model, which includes many of the practices within NIST 800-171.

Previously, organizations were often able to self-report capabilities built on the NIST 800-171 framework, FAR Clause 52.204-21, or DFARS Clause 252.204-7012. By 2026, all DoD suppliers whose environments contain FCI or CUI will need to achieve a certain level of certification within the CMMC. There are five maturity levels, and each level specifies which practices and processes are to be implemented. Assessments will be conducted by Certified Third-Party Assessor Organizations (C3PAO), and certification will be awarded by the CMMC Accreditation Body (CMMC-AB).

Businesses should begin preparing now, as RFPs, RFQs, and RFIs will soon begin requiring varying levels of certification.

Controlled Unclassified Information (CUI)

We cannot talk about the CMMC without discussing CUI. Ultimately, the CMMC has been developed to ensure that organizations properly safeguard CUI. What is CUI? From the CUI Program Blog: "Controlled Unclassified Information (CUI) is sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect."

Consider an example: a manufacturer makes a part or assembly that ultimately ends up in a defense-related application. The blueprints or drawings used to machine the part were likely marked as CUI. Should these documents exist in physical form at the manufacturer, certain practices must be in place to safeguard them (handling, storage, destruction, etc.). When this information exists digitally on the manufacturer’s computer network, specific controls must be put in place to safeguard that information. The CMMC defines these process and practice requirements.

The following links provide information on the CUI Program, training, and related resources:

  • National Archives CUI Program Home
  • CUI Program Blog
  • CUI Training

How can Bound Planet help?

The CMMC ecosystem is still in development; however, the model and requirements have been published via the Office of the Under Secretary of Defense for Acquisition and Sustainment. Within these publications, organizations can begin to understand and prepare for the requirements. Bound Planet has begun developing engagements specifically around helping organizations achieve a desired CMMC maturity level. We offer the following:

  • Education on CMMC requirements
  • Pre-assessment readiness evaluations and guidance
  • Advisory specific to CMMC initiatives
  • Consulting and project management related to implementing Practices or Processes
  • Policy documentation and review
  • Service offerings to meet practice requirements

Whether you don’t know where to start or you simply need a specific solution to satisfy a practice requirement, contact us today to find out how we can help your organization prepare.