The Cybersecurity Maturity Model Certification (CMMC) is a mandatory initiative by the U.S. Department of Defense (DoD). The CMMC is a framework and standard for cybersecurity that, over the next several years, will apply to all businesses in the Defense Industrial Base (DIB). 

CMMC shores up a weakness in existing cybersecurity standards, guided by National Institute of Standards and Technology’s NIST 800-171 standard. That standard had allowed a business to self-assess and certify its cybersecurity posture. The DoD found when auditing defense contractors that too many were non-compliant with NIST SP 800-171, as the self-assessment left too much interpretation. 

CMMC resolves that by imposing an independent assessment of the contractor, performed by a third-party assessment organization (C3PAO) appointed by the CMMC Accreditation Body (CMMC-AB). 

The independent assessor must determine whether the contractor has implemented specific standards and controls to protect it properly from cyberattacks.

In this post, we’ll review the key measures of the CMMC framework, including its five certification levels; as well as who needs CMMC certification and how Reciprocity can help you ease the burden of achieving CMMC cybersecurity requirements. 

Key Measures of the CMMC Framework

The CMMC model is composed of the 17 CMMC domains, capabilities, practices, and processes. An organization’s level of preparedness is ranked on an ascending basis from 1 (the lowest) to 5 (the highest). 

Before we dive into the CMMC levels, it’s important to understand what they measure. 

CMMC certification seeks to assure that an organization has properly protected itself from cyber threats and unauthorized access to information systems and the sensitive data those systems hold. That sensitive data includes the following elements:

Controlled Unclassified Information (CUI)

CUI is data that must have safeguarding and disseminating security controls to prevent its unauthorized access or theft. This information is not considered classified; Executive Order 13526 denotes what information is classified and what is not. 

Examples of CUI include:

  • legal material
  • health documentation
  • technical drawings or blueprints
  • intellectual property

Federal Contract Information (FCI)

FCI is data that is not intended for public release. Instead, it is meant solely for use by government-contracted parties to develop or deliver a product or service to the government. The release of this information could indicate a threat to national security.

The measure of compliance depends upon the amount of CMMC requirements met by an organization, ranging from basic to more advanced. 

The cybersecurity maturity and level of program sophistication of a company have a great deal to do with how easy it will be to adopt the controls laid out by the CMMC. Let’s review those levels now.

The Five CMMC Certification Levels

CMMC Level 1 – Basic Cyber Hygiene (17 controls): Basic cybersecurity appropriate for small companies.

CMMC Level 2 – Intermediate Cyber Hygiene (72 Controls – contains level 1 controls): Contains universally accepted NIST SP and CSF cybersecurity best practices.

CMMC Level 3 – Good Cyber Hygiene (130 Controls – contains level 2 controls): Includes coverage of all NIST 800-171 controls and additional CMMC components.

CMMC Level 4 – Proactive (156 Controls – contains level 3 controls): Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.

CMMC Level 5 – Advanced/Progressive (171 Controls – contains level 4 controls): Includes highly advanced cybersecurity practices and cybersecurity standards.

Examples of controls may include access controls, asset management protocols, and a plan of action for incident response. 

The bottom line is if an organization wants to do business with the federal government and it handles CUI or FCI, that business must obtain the CMMC certificate to bid defense contracts.

Who Needs CMMC Certification?

CMMC certification is applicable to “prime” contractors engaging with the DoD. That said, CMMC also includes subcontractors that work with prime contractors to provide fulfillment or otherwise help the prime to execute its contracts. Whether the organization is a large enterprise or a small business is irrelevant.

Every defense contractor will need some level of CMMC certification by 2026, but the Defense Department has indicated that it plans to award contracts at all levels of the maturity model. That means that certain contracts will require minimal maturity levels, while others will require higher levels of certification. So not all defense contractors will need to achieve Level 5 CMMC certification.

ZenGRC Has a CMMC Compliance Solution for You 

Preparing for and implementing a CMMC compliance program can be challenging, particularly for organizations with strained or minimal resources. Still, the mandate is clear: without CMMC certification, sooner or later you’ll be barred from participating in DoD contracts.

Businesses will need to assure that they have done their due diligence to comply with all applicable NIST SP, DFARS, and CMMC compliance requirements. As your organization grows, this simply can’t be done with spreadsheets and other legacy tools.

ZenGRC can help assure that your organization meets all your CMMC requirements and has built the appropriate system security plan (SSP) to protect CUI. 

Our built-in framework templates make baseline self-assessments a breeze, while our easy-to-use, centralized dashboard provides an integrated view of your compliance stance, across all applicable frameworks.

This includes CMMC mapping to other relevant frameworks, so you can avoid duplicate work and understand where your gaps are and how to fill them. Then ZenGRC stores and organizes your compliance documentation, so it’s readily available when the time comes for an audit by an assessor.

Worry-free compliance and risk management are the Zen way! Schedule a demo today to learn how ZenGRC can help you achieve your CMMC security requirements.