CMMC is being driven forward by the US DoD as the standard for cyber security oversight and assurance across its Defense Industrial Base (DIB). Between 300,000 and 350,000 companies in the supply chain, ranging from SMEs up to large corporates, will be impacted by the programme. Five levels of maturity certification have been defined, based upon whether a company holds FCI or CUI data. Companies processing FCI data will have to comply with up to 72 cybersecurity practices. Those processing CUI will be assessed at level 3 and above and will be required to comply with up to 171 cybersecurity practices, as defined by NIST 800-171 r2.
The programme will ultimately create the standard for cyber security compliance against NIST across the DIB. Whilst CMMC defines the references for good cyber security controls, the challenge for companies big and small will be how to comply and maintain compliance. The challenge for those delivering oversight will be how to assess and accredit those companies.
Article from: Security Boulevard, 05.2020