The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) regime is now a required threshold for defense contractors. It contains five distinct levels of compliance, and compliance must be certified by a third-party auditor; self-attestation isn’t enough. Level III, the most common level that subcontractors will need to meet, contains 130 specific requirements.
This doesn’t sound like a system with a lot of flexibility.
But there is, in fact, flexibility in the protocols. And the flexibility arises in how you meet the technical requirements. This is where things like network design, the functional technology needs of your team and various hardware and software vendor options come into play.
So, the goal with CMMC is not a one-size-fits-all rush to compliance. The goal should be a thoughtful move to compliance that aligns with your business’ technology goals.