Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase trust in contractors' claimed compliance with a variety of information security standards published by the National Institute of Standards and Technology (NIST).[1]

The CMMC framework and model were developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) of the United States Department of Defense through existing contracts with Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory, and Futures, Inc.[1] The Cybersecurity Maturity Model Certification Accreditation Body administers the program under a no-cost contract; oversight of the program currently rests with the office of the DoD Chief Information Officer.[2]

CMMC, which generally requires a third-party assessment when a contractor handles Controlled Unclassified Information, will affect the $768bn U.S. defense sector, roughly 3.2% of the Gross Domestic Product of the United States of America.[3]

The purpose of the CMMC is to verify that the information systems used by contractors of the United States Department of Defense to process, transmit or store sensitive data comply with the mandatory information security requirements.[4] The goal is to ensure appropriate protection of controlled unclassified information (CUI)[5] and federal contract information (FCI) that is stored and processed by partners or vendors.

  1. ^ a b "Cybersecurity Maturity Model Certification (CMMC) Model Overview" (PDF). Accessed 2022-04-01.
  2. ^ "Chief Information Officer, Department of Defense". Accessed 2023-04-17.
  3. ^ Stockholm International Peace Research Institute. "Trends in World Military Expenditure, 2019" (PDF), pp. 2–3. Accessed 2020-12-07.
  4. ^ "Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program". U.S. Department of Defense. Accessed 2022-12-27.
  5. ^ Ross, Ron; Pillitteri, Victoria; Dempsey, Kelley; Riddle, Mark; Guissanie, Gary (2021-01-28). "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (NIST SP 800-171 Rev. 2). National Institute of Standards and Technology.