To increase the cybersecurity posture of companies operating in government supply chains, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) in 2019, and a draft was made available.
On January 30, 2020, the DoD released Version 1.0 to the public. (Version 2.0 was announced on November 4, 2021.)
NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" (CUI), defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding.
In CMMC 1.0, there was no longer an option for self-attestation. That has changed in CMMC 2.0.
(Source: Acquisition & Sustainment, Office of the Under Secretary of Defense)
Whether or not you can self-attest to CMMC depends on the level of CMMC you need to comply with and the type of information you are handling in fulfilling a DoD contract.
CMMC has many similarities to NIST 800-171, and the goal remains the same: to protect CUI within government supply chains.
Cybersecurity is not a shopping cart where a secure IT environment requires nothing more than a full checklist. Instead, it is a combination of both technology changes and business process changes. This has always been our focus at Corserva.
If you've been putting off dealing with NIST 800-171 compliance and how CMMC impacts you, contact Corserva. We can help. We provide assessments for NIST 800-171 and CMMC readiness services.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the Marketplace for the CMMC Accreditation Body (CMMC-AB).