CMMC Version 1.0 is Released

Corserva blog

To raise the cybersecurity posture of companies operating in Department of Defense supply chains, the DoD announced the Cybersecurity Maturity Model Certification (CMMC) in 2019 and released draft versions of the model for public comment during that year.

On January 30, 2020, the DoD released Version 1.0 to the public.

NIST Special Publication 800-171 covers the protection of Controlled Unclassified Information (CUI): information created by the government, or by an entity on behalf of the government, that is not classified but still requires safeguarding or dissemination controls.


The Cybersecurity Maturity Model Certification (CMMC) framework requires every company seeking certification to schedule an assessment with an accredited, independent third-party organization. The purpose of the CMMC is to verify, rather than assume, that the controls protecting CUI are actually in place.


How to Prepare for CMMC

The biggest change for companies that must comply with NIST 800-171 is that self-attestation is no longer an option.

The DoD is migrating to the CMMC framework, and under it any company seeking certification must be assessed by an accredited, independent CMMC Third Party Assessment Organization (C3PAO) rather than attesting to its own NIST 800-171 compliance.




Can We Do It Ourselves?

No. With CMMC, there is no longer an option for self-attestation; certification is issued only after an assessment by an accredited third party.

It's important to note that although the method for providing evidence of compliance has changed, any documents you have already created will still be helpful, such as a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). One caveat: CMMC Version 1.0 does not accept open POA&M items at the time of assessment, so every practice at your target level must be fully implemented before the assessor arrives; the POA&M is a planning tool to get you there, not a substitute for implementation.

So, if you have already put resources into the creation of these types of documents, that effort is still valuable.




What's New in CMMC Version 1.0

There are many similarities in CMMC compared to NIST 800-171, and the goal remains the same: to protect CUI within government supply chains.

NIST Special Publication 800-171 groups its 110 security requirements into 14 families. CMMC Version 1.0 reorganizes those families into 17 domains, which map closely to the NIST families but also cover areas such as asset management, recovery, and situational awareness.

One aspect that is unique to CMMC is its five maturity levels, numbered 1 through 5. Each level adds practices (technical controls) on top of the level below it, and each also raises the bar for process maturity, from simply performing the practices at Level 1 to documenting, managing, reviewing, and finally optimizing them at Level 5.

  • Level 1 (17 practices) covers the basic safeguarding requirements of FAR 52.204-21 and only a subset of NIST 800-171.
  • Level 2 (72 practices) is a transitional step that covers a larger subset of NIST 800-171.
  • Level 3 (130 practices) covers all 110 NIST 800-171 requirements plus 20 additional practices, and is the minimum level for handling CUI.
  • Levels 4 (156 practices) and 5 (171 practices) add further practices aimed at detecting and responding to advanced persistent threats.


Technology Changes AND Process Changes

Cybersecurity is not a shopping cart: a secure IT environment cannot be bought by filling out a checklist. It requires a combination of technology changes and business process changes, and CMMC reflects that by assessing process maturity alongside technical practices. This has always been our focus at Corserva.


Becoming Compliant

If you've been putting off dealing with NIST 800-171 compliance and how CMMC impacts you, contact Corserva. We can help: we provide NIST 800-171 assessments and CMMC readiness services.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and is listed on the CMMC Accreditation Body (CMMC-AB) Marketplace.


Post Date: February 21, 2020 // 10:45 AM

Topic category: NIST & CMMC, Cybersecurity


Len Tudisco

Len has extensive experience helping SMB to enterprise companies leverage technology to drive innovation and business performance. He has over 30 years of IT experience across a wide range of industries and business disciplines, with roles in software engineering, IT management, outsourcing, consulting, project management, and business development.