CMMC is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). The current requirements are for a self-assessment based on NIST 800-171. The CMMC requirements demand an evaluation by an outside examiner and will provide accreditation at one of five available levels. The standards remain in the final stages of development and are summarized below. Check back here for updates as the new system evolves.
Maturity Model Implementation
While the standards have not yet been officially set, the draft version is available, and the final version will likely follow NIST 800-171. Level 1 is based on the oldest standard from FARS. The current standard, NIST 800-171a, covers organizations through Level 3. RFPs that require increased maturity will add controls from NIST 800-171b.
Real-time, "holistic" scoring of a contractor’s cybersecurity compliance
In addition to the ongoing CMMC certification process, DoD contractors will also receive real-time, remote scoring of their cybersecurity measures during contract performance, similar to a person’s credit rating. A CMMC certification "gets the contractor in the door", but DoD is also concerned with a contractor’s ability to maintain CMMC security standards during contract performance. DoD views real-time monitoring as a tool to assist certified contractors in fixing system vulnerabilities.
Official DoD FAQ
"Why DoD’s decision to make cybersecurity an 'allowable cost' matters" (includes a great podcast)
CMMC listening events schedule
"The cost to comply with DoD’s new cybersecurity requirements to be reimbursable on cost contracts"
FutureFeed is Future-Proof
With the ability to evolve baked in from the ground up, FutureFeed is repositioned for CMMC - whatever it may be, and whenever the final standard is ready.