Importance of Cybersecurity Maturity Model Certification (CMMC) 2.0

Date: 11 Jul 2024

Cybersecurity is a top priority for the U.S. Department of Defense (DoD). The Defense Industrial Base (DIB) faces the risk of more frequent and complex cyberattacks. To protect American innovations and national security, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables the DoD.

The CMMC program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to systems that process controlled unclassified information (CUI) and federal contract information (FCI).

The CMMC 2.0 program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with protected defense information implement cybersecurity practices at progressively advanced levels depending on the type and sensitivity of the information.
  • Assessment Requirement: CMMC assessments (both third-party assessments and self-assessments) allow the DoD to verify the sufficiency and adequacy of necessary cybersecurity practices.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle CUI and FCI will be required to achieve a particular CMMC level as a condition of contract award.

When will certification become mandatory?

  • By March 2025, it is estimated that the CMMC 2.0 rule will take effect for all new DoD contracts.
  • By September 2025, it is estimated that third-party Certification Assessment requirements will be introduced at Level 2.
  • By September 2026, it is estimated that third-party certification requirements will be introduced as an option to extend existing contracts. Level 2 Certification Assessments are expected to be required as a condition of contract award for all contracts that involve CUI.
  • By September 2027, it is estimated that CMMC 2.0 will be required for all DoD contracts.

Contractors preparing for CMMC should conduct a Gap Assessment now to allow time to examine and determine the appropriate solutions to close the gaps and implement the necessary requirements. Depending on the gaps found, it may take organizations many months to implement the necessary changes to meet the CMMC requirements.

TÜV SÜD’s experienced Information Security Management System (ISMS) teams possess the expertise to advise on CMMC. Our organization can provide a CMMC Gap Assessment and analysis service, and our partner Relic Law, a Cyber-AB Registered Provider Organization trained in CMMC, can help your organization become certified.


Visit our CMMC webpage and CMMC FAQ, and read the Cybersecurity Maturity Model Certification whitepaper to learn more.
