CMMC 2.0 Introduction

The theft of confidential information and intellectual property from all industries due to cyber attacks is a major threat to the economy and national security. In 2016, it was estimated that cybercrime cost the US economy anywhere from $57 billion to $109 billion according to the Council of Economic Advisors. Additionally, the Center for Strategic and International Studies estimated the worldwide cost of cybercrime was as much as $600 billion in 2017.

The Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain have been and continue to be targeted by malicious cyber actors. The DIB sector includes over 300,000 companies involved in supporting the military and in the development, production, and operation of DoD systems and services. The loss of information from the DoD supply chain puts the US's technical advancements and security at risk. To enhance the security of the DIB sector, the DoD is working with companies to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information generated or provided by the government under contract, while CUI is information requiring protection and control according to government policies and regulations.

To achieve this goal, the Office of the Under Secretary of Defense for Acquisition and Sustainment has created the Cybersecurity Maturity Model Certification framework with the involvement of the DoD, research centers, and the DIB sector.

The CMMC framework includes security requirements from NIST SP 800-171 Rev 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and a portion of the requirements from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). This model arranges these practices into domains that align with the NIST SP 800-171 Rev 2 families. The CMMC framework includes three levels: Level 1, Level 2, and Level 3, as outlined in the following sections.