For those that do business with the US government … even if you sell to somebody that sells to the government, you should start paying attention to CMMC requirements if you haven’t already done so. In short, the US government is going to slowly require certification in one of three levels of CMMC in order to win contracts. If you are not certified at the appropriate level, you won’t have access to the business. This is not a fine. This means you can’t access the business.
Why is the US government doing this? The US wants to address the concern of unclassified sensitive data being abused. For example, a contract for a tank goes out to bid, a foreign contractor buys the parts and builds it, and now another country has our technology. The impact is hitting universities, manufacturing, etc.
CMMC version 2 details can be found HERE and are based on the NIST SP 800-171 domains. In short, it’s things organizations should already be doing, but now CMMC is forcing the matter. I posted thoughts on CMMC version 2 HERE.
One question I’ve been asked is how CMMC-related data will be identified within contracts and post-contract work. Will it be like classified data such as secret and top secret? How can it be tracked for data created in the cloud? archTIS just announced a labeling technology that will help with labeling CMMC data. The post on this can be found HERE. In short, the US Department of Defense will be using this watermark technology to push CMMC enforcement. Organizations are going to start seeing this watermark pushed onto the data they work with, preventing them from continuing business until CMMC certification is complete. Check out the announcement to learn more, and start thinking about CMMC now rather than being forced to deal with being blocked from business.