What is CMMC?
On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC), as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. As an interim rule effective November 30, 2020; DoD contractors must have a current (not older than three years) National Institute of Standards and Technology SP 800-171 DoD Assessment on record. This interim rule helps to close the gap between DFARS and CMMC requirements.
CMMC will require a Certified 3rd Party Assessment Organization (C3PAO) to independently audit your organization and certify your compliance at a Maturity level commensurate with the data you handle. Processes to establish C3PAOs and specific audit criteria are still being developed; however, once defined, the demand for audits will be high.
All DoD contractors and subcontractors are required to attain at least Maturity Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve Maturity Level 3.