CMMC
Also known as: Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense's framework for verifying that contractors implement the security controls required to protect sensitive information, building on NIST SP 800-171. It packages requirements into levels and adds a verification step.
Lower levels generally permit self-assessment, while higher levels require assessment by an accredited third-party organization (a C3PAO). The aim is assurance: rather than assuming controls are in place, CMMC requires evidence that they are. Software can help an organization prepare and self-assess, but it cannot substitute for a required third-party assessment.
Related terms
Go deeper
