Blog

13 Mar
CMMC Compliance

No, CMMC (Cybersecurity Maturity Model Certification) does not allow for self-attestation of compliance. In order for the Department of Defense to recognize a contractor as CMMC compliant, that contractor must pass a review administered by an authorized Certified Third-Party Assessor Organization (C3PAO). That third-party firm cannot be the same firm that is managing a defense […]

6 Mar

This week’s major IT security news has been the exploitation of four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016 and 2019. The vulnerability allows attackers to have HTTP requests fraudulently authenticated as the Exchange server. Estimates by the end of the week were that around 20,000 organizations in the United States had been affected — enough […]

26 Feb
CMMC Compliance

The good news for the vast majority of defense contractors and subcontractors is that they will not have to exceed Level 3 compliance for CMMC. Level 3 compliance is closely comparable to already-required NIST 800-171. For those that do need to meet Levels 4 or 5 (all levels of CMMC build upon one another), there […]

19 Feb
CMMC Compliance

The short answer is yes — eventually. The interim rule for CMMC became effective on November 30, 2020. The interim rule will also require a Congressional Review. The DoD (Department of Defense) is rolling out CMMC (Cybersecurity Maturity Model Certification) compliance via contract requirements in a phased program. The DoD will specify the required CMMC […]

12 Feb
CMMC Compliance

The advent of the Cybersecurity Maturity Model Certification (CMMC) requirement for defense contractors can look intimidating, and perhaps expensive, to many contractors. On the issue of cost, though, there is good news on two fronts. The first is that achieving Level 3 CMMC compliance, the level that will be most commonly needed, will […]

4 Feb
CMMC Compliance

CMMC compliance is not designed to be a one-size-fits-all system. CMMC offers five different levels of compliance, and contract requirements will dictate what is required for a project. The levels rise in complexity and requirements from Level 1 through Level 5. Level 1 represents the same requirements as FAR 52.204-21, Basic Safeguarding of Covered Contractor […]