Smithers CMMC and Cybersecurity Resource Library
Have questions? Look for answers in our CMMC and Cybersecurity Resource Library!
Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contractors, suppliers, and cybersecurity experts. Finally, after seven years of rulemaking, the CMMC program rule (32 CFR Part 170) went into effect on December 16, 2024. As an authorized C3PAO, Smithers has already begun conducting assessments for companies voluntarily seeking certification. Once the 48 CFR (DFARS) rule is published, contracts will begin to mandate CMMC compliance, and every C3PAO will be inundated with assessment requests.
The history of CMMC really begins in 2016, when the Defense Federal Acquisition Regulation Supplement (DFARS) was updated. That update required all DoD contractors and their subcontractors to self-assess against the cybersecurity requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In 2019, the DoD introduced CMMC, and the DFARS update that followed added the requirement for a Cybersecurity Maturity Model Certification supported by an independent assessment renewed every three years (triennial, not three times a year). Department of Defense (DoD) contractors and their subcontractors handling controlled unclassified information (CUI) were given five years to implement these changes.
Also in 2019, the CMMC Accreditation Body (CMMC-AB, now the Cyber AB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc. The Accreditation Body oversees the assessor ecosystem under a no-cost contract with the DoD, while the CMMC program itself is currently overseen by the DoD CIO's office. The first public drafts of CMMC 1.0 also appeared in 2019, with CMMC 1.0 released in January 2020; together they laid out the model, the credentials required for independent assessors, and how assessments of DoD contractors would be conducted.
In November 2021, the DoD paused CMMC 1.0 based on public comments and began evaluating and updating the DFARS rules for independent assessments with the release of CMMC 2.0. CMMC 2.0 introduced several critical changes: the CMMC maturity processes were removed, the body of the assessment was aligned to the NIST SP 800-171 security requirements, and the number of CMMC levels was reduced from five to three. Lastly, the governing body was renamed the Cyber AB to reduce confusion between the DoD's CMMC requirements and the Cyber AB's role in accrediting the organizations and assessors that conduct CMMC assessments.
Keep in mind that none of these events affect the existing requirement under DFARS 252.204-7012, which requires contractors and their subcontractors handling CUI to be compliant with the 110 security requirements of NIST SP 800-171 and the 320 assessment objectives of NIST SP 800-171A.
If you are not sure you needed to read this far, check out our post on who needs CMMC. It offers a guide so you can tell whether you need to comply or not. If you have any questions, let us know!
What does CMMC Stand for?
CMMC stands for Cybersecurity Maturity Model Certification.
What are 32 CFR and 48 CFR?
32 CFR and 48 CFR are the two parts of the CMMC rule. 32 CFR Part 170 is the program rule: it defines the CMMC levels, the assessment requirements, and the Cyber AB and C3PAO ecosystem. 48 CFR is the DFARS acquisition rule that places CMMC requirements into DoD contracts. Learn more about 32 CFR.
What is SPRS? What is a SPRS score?
SPRS stands for Supplier Performance Risk System. It is the DoD system where contractors enter their NIST SP 800-171 self-assessment scores, which DFARS 252.204-7019 and 252.204-7020 have required since November 2020. A SPRS score follows the NIST SP 800-171 DoD Assessment Methodology: it starts at 110 and subtracts 1, 3, or 5 points for each security requirement that is not implemented, so it can range from 110 down to -203. Learn more about SPRS.