the DoD's Cybersecurity Maturity Model (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a new standard being implemented across the Defense Industrial Base (DIB) as a response from the Department of Defense (DoD) due to a significant amount of sensitive data compromises. CMMC will provide guidance and protection of sensitive data, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) through 17 domains.  Each domain is composed of processes that range from ‘Performed’ at Level 1 to ‘Optimizing’ at Level 5 and the practices range from ‘Basic Cyber Hygiene’ at Level 1 to ‘Advanced/Progressive’ at Level 5. The CMMC framework includes 5 certification levels based on the maturity and stability of the infrastructure to support DoD sensitive information.  Each level includes additional practices and processes with each level being inclusive of lower-level practices. 

What CMMC will require

While DFARS is the current standard, CMMC will require DoD contractors to become CMMC certified. This will include all suppliers at all tiers along the supply chain, small businesses, commercial item contractors, and foreign suppliers. For contracts that require CMMC, certification will we required for consideration.

CUI Data Protection

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Through the CMMC maturity levels, one of the main goals of the CMMC is to safeguard CUI for DoD contractors and organizations. 

Development of System Security Plan Documentation

Developing and implementing a System Security Plan (SSP) is crucial for DFARS and future CMMC compliance. It documents the people, technology, and processes related to the CUI environment.  This document is a "living" document and will continually be updated as the CUI environment changes.  The SSP is also a central document for the NIST 800-171 controls and acts as a "repository" for the CUI environment. The SSP will be required and will be asked for by a CMMC Auditor.

Internal Cybersecurity Program

The CMMC Accreditation Board (AB) establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC Program.

External Audit & Certification

The CMMC AB, a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. Only C3PAOs and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

Need Help Preparing for CMMC? 

DFARS and Understanding the DoD's Cybersecurity Maturity Model (CMMC) Training Grant

The grant is from the U.S. Department of Defense Office of Economic Adjustment (DoD - OEA), supported by the Washington State Department of Commerce. This partnership between The Office of Economic Development and Competitiveness and Impact Washington proposes a unique collaboration to provide awareness and training to companies throughout the state. Impact Washington has teamed up with Ignyte Institute to provide CMMC Readiness Training Modules.

Training provides participants with the tools and resources needed to self-manage and prepare for their organizations’ compliance. Participants will learn the material through interactive sessions while having the ability to join into a larger pool of candidates looking to create roadmaps, track milestones and control the entire process for managing compliance and cybersecurity for their organization.


One-On-One Industry Cybersecurity Support For Washington State Businesses that are in the Department of Defense (DoD) Supply

Participation in Impact Washington's Pilot Program to assist Washington State based businesses, who are in the Department of Defense (DoD) supply chain, to comply with cybersecurity requirements closed on November 30th. This program offered a grant covering up to 80% of the costs for Security Gap Analysis, creating a Plan of Action and Milestones (POA&M), developing a draft System Security Plan (SSP), and other assistance to help companies prepare for emerging Department of Defense (DoD) Cybersecurity supplier requirements, including Cybersecurity Maturity Model Certification (CMMC) assessment.  Contact us below to be part of future programs

Register For Future One-On-One Programs

Don’t miss your opportunity to participate.

Please take a moment to listen and learn how the assistance grant can support your business as Kate Kanapeaux from PNDC interviews Geoff Lawrence from Impact Washington and Max Aulakh of the Ignyte Institute about the two programs.