A framework developed by the Office of the Undersecretary of Defense for Acquisition and Sustainment ("OUSD(A&S)") in concert with DoD stakeholders, University Affiliated Research Centers ("UARCs"), Federally Funded Research and Development Centers ("FFRDCs"), and the DIB sector. It encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation ("FAR") 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 Revision ("Rev") 2 per Defense Federal Acquisition Regulation Supplement ("DFARS") Clause 252.204-7012. DFARS Clause 252.204-7012 specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. CMMC is designed to provide assurance to DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. CMMC is implemented through DFARS Clause 252.204-7021.