Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.
The CMMC is expected to be based on NIST SP 800-171, as the current Defense Federal Acquisition Regulation Supplement (DFARS) rule already is. Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.
However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.
According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.
Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification. The levels will range from basic cyber hygiene to “State-of-the-Art.” DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.
This is a fundamental change to how defense contracts are awarded today.
Read more at: JD Supra