Cybersecurity Maturity Model Certification (CMMC) is a program that the Department of Defense (DoD) uses to certify the cybersecurity status of businesses operating as suppliers and contractors within the Defense Industrial Base (DIB). CMMC has three levels and provides certification via self-assessment at the lowest level or via external inspection and audit at the two higher levels.
CMMC compliance aims to secure the DIB from cyberattacks by adversaries of the USA who are looking either to access confidential defense project information in order to advance their own defense projects, or to obtain personal information about contractor organization staff for further cyberattack planning or other nefarious purposes.
CMMC 2.0 requires the 110 controls outlined in NIST SP 800-171 to achieve CMMC Level 2 certification. For DoD contracts that need CMMC 2.0 Level 3 certification, the additional 35 enhanced security controls outlined in NIST SP 800-172 also need to be in place.