What Is Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is a security framework used by the US Department of Defense (DoD) to certify the security, capacity, and resilience of its contractors and subcontractors. The goal of this approach is to reduce supply chain vulnerabilities and enhance security standards.

As of Jan 31, 2021, the Department of Defense had announced its new Cybersecurity Maturity Model Certification, called "Version 1.0" by the undersecretary of defense for acquisition and sustainment.

CMMC 2.0 is the Department's newest version of the CMMC cybersecurity concept. It simplifies cybersecurity requirements into three levels - Foundational, Advanced, and Expert - and matches the requirements at each level with well-known and widely acknowledged NIST cybersecurity standards.

The key changes in CMMC 2.0 are shown below.

Figure 1. Key Changes in CMMC 2.0

The CMMC allows the department to certify the cyber preparedness of the main defense contractors (known as "primes" because they win contracts) as well as the smaller firms that subcontract with the primes.

In both cybersecurity practices and procedures, the new CMMC offers five levels of accreditation.

The CMMC framework also assesses the adoption of processes and best practices that are required to achieve a cybersecurity maturity level, ensuring that Defense Industrial Base (DIB) contractors are adequately protecting unclassified information types such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their systems and networks.

In other words, CMMC is a uniform standard for cybersecurity adoption across the DIB sector and the DoD supply chain.

Why is CMMC Important?

According to the most recent research completed in 2020, the worldwide cost of cybercrime is predicted to be over $945 billion, or more than 1% of global GDP. In light of this, the Department of Defense is actively working and taking appropriate measures to secure data and reduce the danger of data breaches. As a result, all DIB contractors will soon be required to get the Cybersecurity Maturity Model Certification.

The Cybersecurity Maturity Model Certification (CMMC) is the next phase of data protection for the Defense Industrial Base (DIB) in the United States. While it won't be fully implemented until 2025, taking steps now can offer your company a competitive advantage.

The new Cybersecurity Maturity Model Certification marks a significant shift in how defense contractors demonstrate their security compliance. It's a reform that many will consider long overdue, and while it will increase contractor fees and bureaucracy, it will provide a competitive edge for both government and private sector businesses.

How Does CMMC Work?

Accredited CMMC auditors will assess all DoD vendors and map these controls and processes across numerous maturity levels, combining various cybersecurity standards and best practices. When the corresponding controls and processes for a certain CMMC level are applied, they lower the risk against a specific set of cyber threats. Supplier certifications should range from 1 (lower: basic cyber hygiene) to 3 (for suppliers who access Controlled Unclassified Information (CUI)) or 5 (highest: most sophisticated compliance) based on the third-party cybersecurity assessments.

While the CMMC Interim Rule permits organizations to self-attest to NIST 800-171 compliance, this capability will ultimately be phased out. Starting in 2021, DoD contractors will be required to get certification from an impartial Certified Third-Party Assessor Organization (C3PAO) under a phased-in approach. The Department of Defense (DoD) can rely on a contractor (prime or subcontractor) to hold Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The DoD designed and manages the CMMC model, which assigns a level of cybersecurity "maturity" (the efficacy of processes and automation of practices) from "basic" to "advanced".

CMMC compliance is not a one-and-done checkbox; it is a continuing process that must be re-evaluated every three years.

How to Use CMMC?

The primary purpose of CMMC is to strengthen and ensure the security of sensitive data linked with government contractors, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Any individual in the DoD supply chain, including contractors who only interface with the Department of Defense and any subcontractors, is required to have CMMC.

CMMC was created to help eliminate cyber risks in the supply chain by requiring DoD contractors to have proper cybersecurity measures in place and to protect CUI that may be present on DoD vendor networks.

Who Should Use CMMC?

Anyone in the defense contract supply chain is affected by CMMC. Contractors who work directly with the Department of Defense, as well as subcontractors that work with prime contractors to complete and/or execute contracts should use CMMC.

The CMMC requirements, according to the Department of Defense, will influence nearly 300,000 enterprises. To be eligible for government contracts, most businesses will need level 1 to level 3 certification. All DoD supply chain providers, commercial products contractors, small enterprises, and overseas suppliers are among those affected.

The DoD and the CMMC Accreditation Body (CMMC-AB) work together to create processes for certifying independent third-party assessment organizations (C3PAO) and assessors. The CMMC levels of corporations are assessed by these assessors. The RFP will specify the degree of certification required for a firm to be granted a government contract. Contractors conducting business with the Department of Defense, however, must at least achieve Level 1 CMMC criteria.

After meeting the security standards for a certain tier, organizations will receive appropriate certification. All CMMC assessors are certified by CMMC-AB, ensuring that the results of your cybersecurity audit remain private. Regardless, the Department of Defense will have access to your certification level via a database.

What are CMMC Levels?

The CMMC model, unlike NIST 800-171, includes five levels. "The model is cumulative," according to the DoD, "with each level consisting of practices and procedures as well as those outlined in the lower levels."

Each level is made up of a set of processes and practices. The practices range from "basic cyber hygiene" at level 1 to "advanced or progressive cybersecurity" at level 5, and the processes range from "performed" at level 1 to "optimizing" at level 5.

Figure 2. CMMC Model


  1. Access Control (AC)
  2. Identification and Authentication (IA)
  3. Physical Protection (PE)
  4. Asset Management (AM)
  5. Incident Response (IR)
  6. Recovery (RE)
  7. Audit and Accountability (AU)
  8. Maintenance (MA)
  9. Risk Management (RM)
  10. Awareness and Training (AT)
  11. Media Protection (MP)
  12. Security Assessment (CA)
  13. Configuration Management (CM)
  14. Personnel Security (PS)
  15. Situational Awareness (SA)
  16. System and Communications Protection (SC)
  17. System and Information Integrity (SI)

In essence, each level signifies a better level of security for sensitive data. To attain a certain CMMC level, a company must demonstrate that it has met all of the previous lower levels. Additionally, companies must show assessors that both processes and practices have been institutionalized, and if an organization displays unequal degrees for one or the other, the company will be certified at the lesser of the two levels.

CMMC levels can be categorized this way:

  • CMMC level 1: Keep federal contract information safe.
  • CMMC level 2: Serve as a stage in the advancement of cybersecurity maturity to the protection of controlled unclassified information (CUI).
  • CMMC level 3: Protect CUI.
  • CMMC levels 4-5: Reduce the risk of advanced persistent attacks by protecting CUI.

Level   | Processes  | Practices
Level 1 | Performed  | Basic Cyber Hygiene
Level 2 | Documented | Intermediate Cyber Hygiene
Level 3 | Managed    | Good Cyber Hygiene
Level 4 | Reviews    | Proactive
Level 5 | Optimizing | Advanced / Progressive

Table 1. CMMC Levels Brief Table

1. Level 1

Simply said, defense contractors must show basic cyber hygiene, as described in 48 CFR 52.204-21, to get CMMC level 1 certification. All accredited businesses must complete the Level 1 procedures, which serve as a secure foundation for the model's subsequent levels.

Figure 3. CMMC Model Level 1

Smaller businesses can achieve Level 1, which comprises a subset of broadly acknowledged standard security procedures. FCI is delivered to the government or created for the government as part of a contract to develop or deliver a product or service. FCI does not contain information made available to the public by the government. While procedures are required to be followed, CMMC Level 1 does not address security process maturity. As a result, a CMMC Level 1 organization's cybersecurity maturity procedures may be restricted or inconsistent. Level 1 provides very rudimentary security against data theft and harmful behavior.

Defense contractors must first achieve basic cyber hygiene, as defined in level 1, regardless of which CMMC level they wish to achieve. If achieving CMMC compliance were comparable to building a house, the concrete foundation, plumbing, and electrical wiring would be level 1. The remaining (higher) levels will be impossible to achieve unless these fundamentals are in place. The CMMC certification process is a step-by-step procedure, with each level building on the previous one.

To reach CMMC level 1, 17 controls must be satisfied, all of which are directly matched to the Federal Acquisition Regulation (FAR) 52.204-21.

2. Level 2

Level 2 is best defined as a transition to level 3. Most defense contracts will have either level 1 or level 3 criteria. However, more restrictions must be handled at level 2 before level 3 may be evaluated.

Figure 4. CMMC Model Level 2

CMMC level 2 is a small but significant milestone for defense companies to achieve. Level 2 of the CMMC focuses on intermediate cyber hygiene, establishing a natural yet essential path for enterprises to move from level 1 to level 3. Level 2 begins to contain safeguards for Controlled Unclassified Information (CUI) in addition to Federal Contract Information (FCI). Level 2 includes new sets of procedures that enable the firm to better guard against more hazardous cyber attacks than level 1.

CMMC level 2 also introduces the model's process maturity aspect. A company is expected to conduct and record important cybersecurity responsibilities at CMMC level 2.

Because it also incorporates level 1 requirements, CMMC level 2 introduces 55 additional practices for a total of 72 overall practices. These practices are classified into 15 distinct areas.

3. Level 3

Level 3 of the Cybersecurity Maturity Model Certification (CMMC) expands on Level 2 and covers Federal Acquisition Regulation (FAR) procedures as well as NIST SP 800-171 Rev 1 controls. It also offers 20 more critical cyber hygiene measures. This CMMC level stresses the significance of cybersecurity planning and maintenance.

Figure 5. CMMC Model Level 3

CMMC Level 3 is the third of five certification levels available to defense contractors. These restrictions specifically apply to defense contractors that develop or access Controlled Unclassified Information (CUI). The levels run from "Basic Cyber Hygiene" through "Advanced/Progressive"; Level 3 is referred to as "Good Cyber Hygiene." It contains all of the criteria found in Levels 1 and 2, as well as some extras focused on planning, sourcing, and assessing your security policies and processes.

While CMMC Level 3 implies generally acceptable cyber hygiene, it is still restricted in comparison to higher levels. Even if a company is CMMC Level 3 certified, it may struggle to adequately protect itself from advanced persistent threats (APTs).

Your company's security should be a primary priority. Making security a priority at all levels of the business aids an organization in achieving a strong security posture. Defense contractors will be better positioned in the continuing process of securing their networks and data if they adopt CMMC Level 3 criteria.

4. Level 4

CMMC Level 4 denotes a significant and proactive cybersecurity program. Level 4 certified organizations have demonstrated the capacity to adjust their protection measures and operations, enabling them to adapt to the changing strategies and tactics utilized by Advanced Persistent Threats (APTs).

Level 4 demands a review and measurement of practices for effectiveness. Furthermore, companies at this level must be able to take corrective action as necessary and regularly alert higher-level management of status or difficulties.

Figure 6. CMMC Model Level 4

Level 4 focuses on defending Controlled Unclassified Information (CUI) against Advanced Persistent Threats (APTs) and includes a portion of the improved security standards from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices improve an organization's detection and response capabilities, allowing it to address and react to evolving APT tactics, techniques, and procedures (TTPs).

Level 4 certification contains all 130 Level 3 controls, plus an extra 26 controls for a total of 156. These figures outnumber the 110 CUI controls listed in NIST 800-171. CMMC Level 4 expands on CMMC Level 3 by including controls from a variety of frameworks.

Level 4's major purpose is to defend CUI and limit the danger of advanced persistent threats (APTs).

DoD contractors must adopt 157 controls to pass a Level 4 audit (including all controls in Level 3).

5. Level 5

CMMC level 5 requires defense contractors to standardize and optimize their process implementation on an enterprise-wide basis. Level 5 builds on the proactive strategy of level 4 by focusing on the protection of Controlled Unclassified Information (CUI) against Advanced Persistent Threats (APTs). The new controls, policies, and processes provide a more comprehensive and complex cybersecurity posture.

Figure 7. CMMC Model Level 5

Level 5 cyber security posture is considered sophisticated or progressive, and it aims to limit the danger of Advanced Persistent Threats (APTs). APTs, which are frequently nation-states or state-sponsored groups, use advanced skills and enormous resources to continuously target security networks utilizing many and diverse attack vectors such as physical and cyber security, as well as deception methods.

While both level 4 and level 5 certifications need much greater security awareness on the part of the defense contractor than level 3, level 5 adopts a more sophisticated posture of proactive scanning and APT mitigation. Level 5 demands continuous monitoring and optimization of security controls and processes to guard against constantly developing threat actors, in addition to adopting and assessing increasingly complex security controls and procedures.

How to Get CMMC Certified?

Companies are not allowed to self-certify under the CMMC and must instead be audited by a certified third-party assessment organization (C3PAO) or an accredited individual assessor to obtain compliance. C3PAOs are permitted to oversee the assessment process for firms pursuing CMMC compliance. C3PAOs provide consulting services, schedule assessments, employ and train individual assessors, and examine the findings with Quality Auditors from the CMMC-Accreditation Body (AB).

Companies seeking a CMMC Certificate must first determine the maturity level at which they wish to be audited for compliance. Companies must next locate a C3PAO that is available to schedule the assessment with the certified independent assessor. When doing the assessment, the independent assessor will look for security vulnerabilities and weaknesses, as well as whether the company's environment fits the CMMC standards for that level. Companies will have up to 90 days to rectify any problems and fill any gaps.

A CMMC certification notification will be made public if a firm achieves compliance at any level. Specific results, however, will be kept confidential, and certification failures will not be made public.

The certification is believed to be admissible and reimbursable, and it will be valid for three years. The Department of Defense hopes to have 1,500 CMMC certified contractors by 2021 and 48,000 by 2025.

Where to Get CMMC Certificate?

The Department of Defense provides accredited assessors to assist firms with cybersecurity audits. The degree of certification required to be granted a contract is specified in the Request for Proposal (RFP).

Third-party assessors (C3PAOs) can certify businesses. The assessors schedule evaluations, analyze security strengths and weaknesses, and decide whether the organization needs to meet requirements for future cybersecurity maturity levels. Companies have up to 90 days to fix any concerns that arise.