April 13, 2021

Last Updated on January 15, 2024

The new Cybersecurity Maturity Model Certification (CMMC) framework from the US Department of Defense (DoD) is on the fast track to becoming the most widely adopted information security standard ever developed. It will soon be omnipresent in many business landscapes, especially the global Aerospace & Defense industry.

If you haven’t heard about CMMC yet, read on—and then tune into our special edition of The Virtual CISO Podcast on CMMC Level 1 featuring John Verry, Pivot Point Security’s CISO and Managing Partner.

“CMMC is a mechanism by which the DoD is going to enforce security across the Defense Industrial Base (DIB) or defense supply chain,” says John. “The reason for this is that we had a framework since 2015 called NIST SP 800-171, which defined 110 controls or good information security practices, which you had to self-attest to actually performing.”

“Unfortunately, many entities out of the 350,000 odd organizations in the DIB didn’t take NIST 800-171 all that seriously,” continues John. “They didn’t do a good job in actually conforming. We’ve continued to have breaches that cost the US economy something like $600 billion per year.”

As US senator Everett Dirksen supposedly said, “A billion here, a billion there… Pretty soon you’re talking real money.” Even worse, these breaches put our national defense at risk.

“They came up with the CMMC program to correct that,” John explains. “So now you’re going to be audited to confirm that you’re actually conforming with these requirements.”

CMMC is called a “maturity model” because it defines how you can implement different controls at different maturity levels (1 through 5). CMMC Level 3 corresponds pretty closely with NIST 800-171. It includes the 110 NIST controls plus an additional 20 controls. The purpose of CMMC Level 3 is to safeguard Controlled Unclassified Information (CUI).

Similarly, CMMC Level 1 directly corresponds with Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. CMMC Level 1 includes just 17 controls. It is designed to protect Federal Contract Information (FCI), which is less sensitive than CUI.

What’s Next?

If you have a security/compliance related role within the Aerospace & Defense industry, don’t miss this special podcast show with John Verry.

To hear the complete episode, click here. If you don’t use Apple Podcasts, you’ll find our large and growing selection of information security podcasts here.

For more information:


New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.