Compliance

Top 3 Things To Know About The Cybersecurity Maturity Model Certification (CMMC)

07/2024

5 min read

Introduction

The Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) to ensure that sensitive, unclassified defense information is protected throughout the DoD supply chain. The initiative is a key step in raising the baseline of cybersecurity practice across the U.S. Aerospace and Defense industry. This blog post outlines three important aspects of CMMC: what CMMC is, how it is likely to apply to your company, and what the three levels of CMMC 2.0 require.

What is CMMC?

CMMC stands for the Cybersecurity Maturity Model Certification. CMMC is an effort led by the Department of Defense to strengthen cybersecurity across the U.S. Aerospace and Defense industry.

The program enforces cybersecurity requirements both for companies that contract directly with the DoD and for subcontractors many layers deep in the supply chain. CMMC also standardizes those requirements across the industry into a three-tiered system based on the sensitivity of the data a company handles. CMMC is aimed at the typical Aerospace and Defense contractor that handles unclassified information (FCI and CUI, described below); contractors handling classified information are subject to separate rules.

As of 2024, CMMC is in its second iteration (CMMC 2.0). Announced in November 2021, CMMC 2.0 changed CMMC 1.0 mainly by reducing the number of cybersecurity levels from five to three. CMMC is currently going through the DoD rule-making process and is expected to be phased into DoD contracts starting in 2025. Because of the magnitude of this requirement, however, DoD customers and prime contractors have already started to scrutinize their vendors more closely: they are asking vendors to demonstrate compliance with the cybersecurity requirements already in their current contracts (for example, the NIST SP 800-171 requirements flowed down through DFARS 252.204-7012) and to explain their plans for meeting the upcoming CMMC requirement.

How does CMMC apply to my company?

CMMC impacts every company in the Aerospace and Defense supply chain. How much it impacts you depends on the type of data your company holds, which determines the CMMC level, and therefore the set of cybersecurity requirements, your company must meet. Once the requirement has been incorporated into a contract, a company without the CMMC level that contract calls for will not be able to bid on it or renew it.

What are the 3 levels of CMMC 2.0?

CMMC Model 2.0

Level 1 focuses on protecting Federal Contract Information (FCI) and includes only practices that correspond to the basic safeguarding requirements in the FAR clause at 48 CFR 52.204-21. Federal Contract Information (FCI) is information "not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." Examples of FCI include contract performance reports, organizational or programmatic charts, and process documentation. If you fall under CMMC Level 1, you must complete a cybersecurity self-assessment annually.

Level 2 focuses on the protection of Controlled Unclassified Information (CUI) and adheres to the 110 security requirements of NIST SP 800-171 (Revision 2). Controlled Unclassified Information (CUI) is "government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and governmentwide policies." Examples of CUI include controlled technical information such as research and engineering data, engineering drawings, and technical reports. For most CMMC Level 2 contracts you will be required to pass an assessment by a CMMC Third-Party Assessment Organization (C3PAO) once every three years; a subset of Level 2 programs permit an annual self-assessment instead. The assessor verifies that you have implemented the NIST SP 800-171 requirements that keep this data safe.

Level 3 also focuses on the protection of CUI, but applies to CUI associated with the DoD's highest-priority programs, which the DoD itself designates. Level 3 builds on the Level 2 requirements and adds a subset of the enhanced requirements in NIST SP 800-172. For CMMC Level 3, you will be required to pass an assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) once every three years.

Conclusion

Overall, the Cybersecurity Maturity Model Certification (CMMC) serves as an important cybersecurity enforcement mechanism across the U.S. Aerospace and Defense industry. By understanding and preparing for the upcoming CMMC requirements, companies within the DoD supply chain can remain eligible for future contracts while protecting sensitive unclassified information. Because CMMC 2.0 simplifies certification into three distinct levels, businesses should evaluate their current cybersecurity practices against the level that matches the data they handle, and close the gaps needed to safeguard FCI and CUI effectively. Meeting these standards is not merely a paperwork exercise; it protects national security and strengthens trust within the defense supply chain.

To learn more about CMMC, download our FREE CMMC Compliance Guide or schedule a meeting with one of our cybersecurity experts!
