What is CMMC (Cybersecurity Maturity Model Certification)?
The Cybersecurity Maturity Model Certification (CMMC) is a new approach the Department of Defense is taking to wrangle the various existing compliance frameworks and unify them into a single, more manageable and scalable framework that applies to systems within the Defense Industrial Base. It is not an attempt to re-invent the wheel, but an effort to add structure and progression to the existing frameworks (predominantly NIST SP 800-171).
One of the main challenges of general compliance frameworks is that, for many of them, there is no real certification process that is accessible to average smaller organizations. You can hire 3rd parties who claim to have a background in the frameworks to help guide you, but often their estimate of what does or does not meet a compliance expectation differs from the actual written rules (and from the auditors who enforce them in the event of a breach) - and then you still need to reconcile that with the fact that many compliance frameworks have gaps that should be filled by established best practice. The lack of clear guidance often meant that achieving compliance seemed like an insurmountable challenge for smaller businesses (and even some larger ones) and was definitely costly.
CMMC addresses this by establishing a clear tier system based on the type of information you need to handle, rather than a one-size-fits-all approach.
Each of the levels represents an organization's security posture "maturity", and the levels align like this:
Level 1: Safeguard Federal Contract Information (FCI)
Level 2: Transition Step to progress to the ability to protect Controlled Unclassified Information
Level 3: Protect Controlled Unclassified Information (CUI)
Level 4-5: Reduce risks of Advanced Persistent Threats (APTs)
In addition to establishing clear tiers and what they represent, the CMMC Accreditation Body (CMMC-AB) was also established to ensure there is a credentialing process to certify 3rd parties who help organizations become compliant at the different levels. 3rd parties must meet specific criteria to provide different levels of feedback and compliance audits to those seeking certification. Partners range from "Registered" practitioners and organizations (those who have some training and association with the CMMC-AB, but are NOT certified assessors) to fully Certified Professionals and Assessors (those who can audit and say definitively whether you have met the standard). The second group is a differentiator compared with many other frameworks available.
Overall, CMMC is still new and evolving, but I think the approach is moving in the right direction. Compliance will often represent the minimum requirements businesses should implement, not best practice, but even that has been unobtainable for many businesses today. Hopefully, with a clearer progression and clear guidance on who should do which parts, it will encourage businesses to implement the standards AND provide them an easy way to locate a reputable IT partner who can help them along the way.
For more information on CMMC, check out the overall Model PDF.