Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

We’ve known it’s been coming, but it’s finally here: CMMC is no longer optional. Approval to issue the new Final Rule was fast-tracked, and the deadline is looming.

CMMC is a strict and difficult standard to meet, which leads a lot of companies to wonder: how necessary is it, really? After all, CMMC is not alone in the world of security and compliance. There are a lot of other frameworks, both within the United States (like FedRAMP) or internationally (like ISO 27001). Companies that meet other compliance standards and have systems in place, like an ISMS or a QMS, might wonder: Is CMMC still required?

CMMC is a strict certification, but there’s also a lot of variation within its security controls and the demands it makes of agencies looking to achieve that certification. The standards are high, especially at the higher levels of CMMC, but there are also many tools and platforms available to meet those needs appropriately, without reinventing the wheel from base principles. Businesses need the tools necessary to function in a modern digital world.

The first C in CMMC stands for cybersecurity, so it makes sense that the vast majority of content and information about it (both here and elsewhere online) is focused on the cyber aspect. Digital security makes up the bulk of the certification, and it’s by far the biggest threat vector in a modern business space. There is, however, still that detail that has to matter sooner or later: the fact that everything digital has to have somewhere it lives in physical space.