The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”

• The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
• The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

The CMMC effort builds upon existing regulation, specifically,

• 48 Code of Federal Regulations (CFR) 52.204-21 and
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and
• incorporates practices from multiple sources such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev 1 & Draft NIST SP 800-171B,
• the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [11,12,47,4].

ABCI Consultants provide cyber security guidance, implementation and personnel training services, which focus on Information Security Management Systems (ISO 27001) and regulatory compliance (NIST 800-171).