Cybersecurity Maturity Model Certification - CMMC

Frequently asked questions

CMMC is a certification program created by the US Department of Defense (DoD) to protect the sensitive unclassified information shared with the Defense Industrial Base (DIB), including the contract information essential to national defence. Rather than relying on contractors' own attestations, it verifies that an organisation has actually implemented the cybersecurity practices its contracts require.

NIST (the US National Institute of Standards and Technology) publishes the underlying standard: NIST SP 800-171 sets out the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, and DoD contractors handling CUI have been contractually required to implement it for years. CMMC is the certification program that verifies an organisation's implementation of those requirements. It draws its practices from NIST SP 800-171 and other sources depending on the certification level, and it is enforced by the DoD through contract clauses. CMMC does not replace NIST SP 800-171; it adds independent assessment and verification on top of it.

Three main objectives define CMMC compliance:

  • Protect sensitive Defense information from cyber-attacks, including those by nation-state actors.
  • Create a unifying cybersecurity standard for Defense contractors.
  • Hold Defense contractors accountable for protecting the government information entrusted to them.

CMMC is required across the US DoD supply chain: prime contractors that deal directly with the DoD and every subcontractor beneath them that handles covered information. According to the DoD, the CMMC requirements will affect over 300,000 organisations. Australian companies that want to do business with the US DoD, directly or as subcontractors, will be required to comply.

CMMC applies to any organisation in the US Defense contract supply chain that processes, stores or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

The DoD intends to approve the inclusion of CMMC requirements in contracts only after completing the CMMC 2.0 rulemaking process, and it intends to have the whole DIB certified by 2025.

CMMC 2.0 contains three levels:

  • Level 1 – Foundational: For organisations holding Federal Contract Information (FCI). Based on the 17 basic safeguarding requirements of FAR 52.204-21, verified by annual self-assessment.
  • Level 2 – Advanced: For organisations holding Controlled Unclassified Information (CUI). Aligned with the 110 security requirements of NIST SP 800-171, verified by a triennial third-party assessment for prioritised acquisitions, or by self-assessment where the DoD permits.
  • Level 3 – Expert: For contractors on the DoD's highest-priority programs, designed to reduce the risk from Advanced Persistent Threats (APTs). Adds a subset of the enhanced requirements of NIST SP 800-172 and is assessed by the government.

The CMMC level your organisation must achieve, and the type of assessment that goes with it, depends on the sensitivity of the information you will handle under the contract: FCI alone points to Level 1, CUI to Level 2 or, for the most sensitive programs, Level 3.

The interim Defense Federal Acquisition Regulation Supplement (DFARS) rule established a five-year phase-in period. During this period CMMC compliance is required only in selected pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

For levels that require third-party assessment, the assessment is performed by a Certified Third-Party Assessment Organisation (C3PAO) accredited by the Cyber AB (formerly the CMMC-AB). Once the assessment shows that your organisation meets the criteria for the chosen CMMC level, you are certified at that level. Certification is valid for three years, with an annual affirmation of continued compliance in between. Where self-assessment is permitted (Level 1, and Level 2 for non-prioritised acquisitions), the organisation affirms its own compliance annually instead of receiving a certificate.

The CMMC program is aligned with DoD’s information security requirements for DIB partners. It is designed to enforce the protection of sensitive unclassified information that the Department shares with its contractors and subcontractors.

PAC is the only Australia-based sovereign company with Registered Practitioner Advanced (RPA) personnel endorsed by the Cyber AB, the CMMC accreditation body. This positions us to provide consulting and implementation services for CMMC Level 1 and Level 2.

As a Registered Provider Organisation (RPO), our Information Security team provides advice, consulting and recommendations to other businesses to help them meet CMMC requirements. Our engagement follows these steps:

  • Determine the appropriate certification level to target, based on the information the contract will involve.
  • Conduct an audit-readiness assessment against the practices for that level.
  • Address any gaps, and document the new processes and practices.
  • Test and validate the implementation, and document the results.
  • Resolve any gaps remaining after the audit.
  • Remain engaged so that progress is periodically validated and the annual affirmation is supported.

Get in Touch

Let’s chat! We have the solution for your industry.

SYDNEY
Suite 111, 460 Pacific Highway
St Leonards NSW 2065

CANBERRA
Unit 2.04, 17 Moore Street
Canberra ACT 2601

WILLIAMTOWN
U 2.02 Building E 1 Technology PL
Williamtown NSW 2318