The Motivation Behind CMMC

CMMC (Cybersecurity Maturity Model Certification) is the new standard for cybersecurity compliance for DOD contractors.

The launch of CMMC has caused many conscientious contractors to ask a simple question: What about DFARS?  

Defense Federal Acquisition Regulation Supplement 252.204-7012 was initiated in 2016 to make sure defense contractors had sufficient cybersecurity protections in place. Contractors who met DFARS compliance naturally wonder if they need to also meet CMMC standards and why they’re being asked to comply with a new protocol.

The short answer is that DOD was concerned because DFARS only required self-attestation, and DOD suspected many contractors weren’t actually in compliance. Meeting CMMC will require independent certification.

The good news is that for the majority of contractors, being compliant with DFARS already means you’re very close to meeting your CMMC compliance requirements.