The Cybersecurity Maturity Model Certification (CMMC), created by the Department of Defense (DoD), is a new standard that leverages the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) – Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. The CMMC is a vehicle the U.S. Government is using to implement a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations.  

A CMMC assessment is a mandatory component for organizations bidding on a contract or subcontract to do business with the Department of Defense, which includes RFPs and RFIs. DoD contractors have been required to comply with NIST 800-171 since January 2018.  Previous iterations of controls from DoD known as Defense Federal Acquisition Regulation Supplement (DFARS) were put in place to aid DoD contractors in conducting self-assessments in order to qualify for federal contracts but were found difficult to enforce. 

Defense contractors must coordinate with accredited independent third party organizations (3PAOs) to request a CMMC assessment and shall obtain the maturity level based on the ability to demonstrate the appropriate capabilities. 

There are five CMMC maturity levels that assessors will leverage.  There are also five processes across the five levels to measure process maturity.  

CMMC with Five Levels Measuring Cybersecurity Maturity

Level 1 – Basic Cyber Hygiene: Basic cybersecurity appropriate for small companies.  Processes are performed for basic safeguarding of Federal Contract Information (FCI).   

Level 2 – Intermediate Cyber Hygiene: Contains universally accepted cybersecurity best practices.  Processes are documented.  This level is considered a transition step to protect CUI.  

Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 controls and additional CMMC components.  Processes are managed to protect CUI.  

Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.  Processes are reviewed.  

Level 5 – Advanced/Progressive: Includes highly advanced cybersecurity practices and cybersecurity standards.  Processes are optimizing.  

The CMMC framework also contains similar domains to the NIST 800-171 with a few additions:

  1. Asset Management
  2. Recovery
  3. Situational Awareness.  

The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) began forming the CMMC in March 2019. CMMC v1.0 was released on January 31, 2020 with v.1.02 released on March 18, 2020 by the DoD.  According to OUSD A&S, there were no substantive nor critical changes to the model relative to v1.0, but rather corrections to administrative errors.  v1.02 of the CMMC Model has a more accessible version within a tabular format in MS Excel.  Ultimately, the CMMC establishes cybersecurity as a foundation for future DoD acquisitions.  Cost, schedule, and performance are only effective in a secure environment. For additional information, visit (OUSD (A&S)).