In recent times the US DoD (Department of Defense) has undertaken a series of daring cybersecurity initiatives, such as the ‘Hack the Pentagon’ initiative. Currently, the DoD faces a new threat: its defense contractors, which is why it has developed CMMC assessments.
According to one of the narrators in the video, every C3PAO team and provisional assessor must use this guide and follow it to the letter when assessing defense contractors.
After several months in development, CMMC assessments comprise some of the strictest cybersecurity standards ever developed. With over 170 controls, CMMC is undoubtedly more detailed than its predecessor, the NIST 800-171.
CMMC assessments are a must for DoD contractors and subcontractors. The previous self-assessment model benefited contractors because it wasn’t a requirement for all DoD contracts. Under CMMC, however, the level of compliance required depends on the nature of the contract.
Without CMMC assessments, contractors can’t bid for contracts. Each DoD RFP (request for proposals) will indicate the CMMC assessment level required.
As per the guidelines of the NIST 800-171, DoD contractors and subcontractors were allowed to assess themselves. However, with CMMC assessments, that’s no longer the case. Why? Because a DoD audit concluded self-assessment is no longer sufficient.