The Cybersecurity Maturity Model Certification is a law passed by Congress to put controls and restrictions on how companies are allowed to share information identified as ITAR controlled documents. It requires companies to establish “practices” for the control between companies as well as how those documents are controlled within one’s own business. Ultimately in order to perform work directly or indirectly for the DoD a business will have to be third partied certified, similar to Nadcap or ISO requirements.