The CMMC programme is taking shape for US DoD procurement and its implementation across the Defence Industry Base (DIB). If and when CMMC gets embedded in to the release of DFARS (defence procurement regulation) it will formalise cyber security requirements on defence suppliers.  The MOU released by the US DoD clarifies the responsibilities of the CMMC AB. Amongst other things it states that the DoD will only accept cyber certification from an accreditation body or Certified Third Party Assessment Organisation (C3PAO). Which in effect means, along with other requirements, that companies will need to get accredited (through assessment) to CMMC levels 1 through 5, depending upon the contract. To provide products and services to the US DoD.

Whilst the roll out will be over the next 5 years.  In practical terms it places a formal cyber security requirement on companies. To put in place the necessary security practices, to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  In my view it is a regulation with which has some similarities to GDPR and CCPA.  In the case of CMMC, formally underpinned by NIST 800 – 171.