The Schellman Blog

With the introduction of the Cybersecurity Maturity Model Certification (CMMC) program, contractors working with the U.S. Department of Defense (DoD) will be required to meet a certain level of cybersecurity maturity ensuring the protection of the involved sensitive information and data, specifically controlled unclassified information (CUI) and federal contract information (FCI).

Back in August 2022—while rulemaking for the Cybersecurity Maturity Model Certification (CMMC) was ongoing (as it still is)—the Joint Surveillance Program (JSP) was sanctioned by the DoD and CyberAB as an interim step in the CMMC program that allowed organizations to pursue a formal DIBCAC High (NIST 800-171) assessment.

The Cybersecurity Maturity Model Certification (CMMC) is a new framework that aims to better secure federal contract information (FCI) and controlled unclassified information (CUI) that is stored, processed, or transmitted by defense contractors and the entire defense industrial base (DIB).

Published by the National Institute of Standards and Technology (NIST), NIST SP 800-171 is a standard created to help organizations protect Controlled Unclassified Information (CUI) from unauthorized access or disclosure.

Cyber threats continue to escalate in both frequency and economic impact. Where earlier estimates from the U.S. Council of Economic Advisors placed the cost of malicious cyber activity to the U.S. economy between $57 billion and $109 billion in 2016, more recent data shows this threat has grown exponentially. In the U.S., these cyber threats are not a problem our government, and more specifically our military, can leave unchecked, particularly when it comes to the theft of valuable intellectual property and sensitive information from all industrial sectors. The potential backlash on our economic security and national security is too great, so action had to be taken. If you’re doing business in the Defense Industrial Base (DIB) sector, you will soon need to become CMMC certified. Within this newer program meant to protect information within the supply chain of the Department of Defense (DoD), there are three levels and their related assessments. If you’re wondering which level is right for you, don’t worry—in this article, we’ll explore the different levels of CMMC compliance you can achieve, but we won’t be able to do that without first addressing the critical importance of CUI. Then, you’ll understand how all these pieces fit together and have a better idea of which level is right for your organization and what to expect in the process.

If you’ve never seen Man vs. Wild, it’s a television show featuring famed adventurer Bear Grylls who, in every episode, is stranded in mostly wild terrains with his film crew. His task is to get back to civilization successfully, and he showcases different survival skills during those journeys.

The Belgian writer and painter Erik Pevernagie once said that “without a clear-cut vision and a proper reading of the roadmap we may not reach the buoyant shores of the horizon.”

What is CMMC? As a result of the new digital age, a rise in cybercrime has paralleled technological advances we are seeing evolve every day.