Cybersecurity Maturity Model Certification (CMMC)

The CMMC Knowledge You Need to Succeed

What is the Cybersecurity Maturity Model Certification 2.0 (CMMC)?

In November 2021, the US Department of Defense (DoD) announced Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) information security framework and audit program. Driven by internal review and public comment, CMMC 2.0 updates the requirements for CMMC Version 1.02, released in January 2020 and now suspended. CMMC 2.0 is designed to improve cybersecurity within the Defense Industrial Base (DIB) by ensuring contractors and subcontractors can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Back in October 2016, the DoD specified requirements for protecting Covered Defense Information (CDI) and reporting cyber incidents in its Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. In addition, DFARS 252.204-7019 mandates that DoD suppliers implement security controls consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This regulation—which has been in effect all along—relies on suppliers to self-attest to the status of their security controls and to their compliance with NIST SP 800-171.

In contrast to CMMC 1.0, CMMC 2.0 requires organizations whose contracts mandate compliance with CMMC 2.0 Level 2 (Advanced) and which are participating in “prioritized acquisitions” to undergo third-party assessments to achieve CMMC 2.0 certification, and to be reassessed on a triennial basis. Firms participating in “non-prioritized acquisitions” at CMMC 2.0 Level 2 (Advanced), plus all organizations at CMMC Level 1 (Foundational), can demonstrate compliance through an annual self-assessment with an affirmation by company leadership.

The changes from CMMC 1.0 to CMMC 2.0 will be implemented through the US federal government’s rulemaking process to Code of Federal Regulations (CFR) Parts 32 and 48. DIB businesses will be required to comply with the new rules as soon as they go into effect; an estimated timetable is “9 to 24 months.”

Struggling with all the new terminology in the CMMC? Learn all the Key CMMC Terms & Acronyms here.

CMMC Compliance Services

Safeguarding controlled government/military data from unauthorized disclosure/release is critical to our national security and economic freedom. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 regulatory requirements… until now.

Cloud Controls Matrix

The CSA Cloud Controls Matrix is a cybersecurity control framework for cloud computing. Aligned with CSA’s Cloud Security Guidance 4.0 and mapped to industry-accepted security standards like ISO 27001, ISO 27017, the CIS Critical Security Controls V8 and more, the CSA Cloud Controls Matrix is a de facto standard for cloud security assurance and compliance.

DFARS Compliance

DFARS is a defense industry specific supplement to the original FAR clause. DFARS explicitly addresses national defense concerns around DoD acquisitions. Consisting of numerous parts and subparts, DFARS compliance has a broad focus that includes materials sourcing, workplace/employee safety and other areas, as well as cybersecurity.

Why is the CMMC Important?

The CMMC is critically important because keeping CUI, CDI and FCI secure is vital to US national security and to the US economy. The current self-attestation approach has proven ineffective, as shown by multiple high-profile breaches of critical DoD data.

Exfiltration of sensitive defense-related data is estimated to cost the US economy $600 billion per year, and has verifiably narrowed the US armed forces’ technological advantage over their adversaries. The DoD is determined to eliminate this data leakage.

CMMC represents a higher, more exacting level of assurance that emphasizes not only compliance but also data security, and which ensures more consistent implementation and execution of controls. CMMC will make it significantly more difficult for adversaries to breach DIB contractors, including sub-tier suppliers. It also assures the government and your investors that your organization is equipped to identify and triage cyber incidents.

How is the CMMC Different from Today’s Requirements?

CMMC will significantly impact both the DoD’s acquisition process and suppliers’ cybersecurity postures. Most importantly:

  • To achieve certification at any of the five CMMC levels, organizations must pass a third-party assessment conducted by an accredited C3PAO (Certified 3rd Party Assessor Organization).
  • CMMC certification to at least Level 1 will be mandatory for DoD contract award/participation. If you handle Federal Contract Information (FCI), you must achieve Level 1.
  • The CMMC certification level required for prime contractors and their subcontractors will be specified in DoD RFIs and RFPs.
  • Suppliers will need to be recertified every three years. Further, the CMMC will continue to evolve in response to the threat landscape.

For the most up-to-date and complete information, listen to our podcast episodes on CMMC from The Virtual CISO Podcast.

Summary of the Cybersecurity Maturity Model Certification (CMMC) Levels, Domains, Practices & Processes (Maturity Levels)

CMMC Levels:

Level 1 “Foundational”: Meant to ensure a company can safeguard Federal Contract Information (FCI). CMMC Level 1 encompasses the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. CMMC L1 has 17 requirements and requires an annual self-assessment.

Level 2 “Advanced”: CMMC Level 2 addresses the protection of Controlled Unclassified Information (CUI). CMMC Level 2 provides increased assurance to the DoD that a contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow with its subcontractors in a multi-tier supply chain. CMMC L2 has 110 requirements aligned with NIST SP 800-171 and requires a triennial third-party assessment and annual assessment.

Level 3 “Expert”: CMMC L3 has 134 requirements based on NIST SP 800-171 and 800-172 and requires a triennial government-led assessment and annual affirmation.

CMMC Domains

The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171.

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control Remote system access
  • Limit data access to authorized users and processes

Awareness and Training (AT)

  • Conduct security awareness activities

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Configuration Management (CM)

  • Establish configuration baselines

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post incident reviews
  • Test incident response

Maintenance (MA)

  • Manage maintenance

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Individuals are screened prior to accessing CUI

Physical Protection (PE)

  • Limit physical access

Risk Assessment (RA)

  • Manage back-ups

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

Systems and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

How Do You Get CMMC Certified?

The DoD, in cooperation with the defense industry, has “self-formed” a nonprofit accreditation body called the Cyber Accreditation Body (Cyber-AB). This entity will onboard the Certified 3rd-Party Assessment Organizations (C3PAOs) needed to certify suppliers across the DIB. The C3PAOs, in turn, will train and certify the many auditors who will conduct CMMC audits.

Anyone in the DIB seeking a CMMC assessment should connect with a C3PAO to schedule an audit.

How Does CMMC Compare to NIST 800-171?

Because it defines three compliance levels, CMMC is more flexible than NIST 800-171, and “right-sizes” a supplier’s compliance footprint based on the data it is handling.

Here is a simple way to describe the three CMMC “cyber hygiene” certification levels:

For suppliers that won’t be handling sensitive data, certification to CMMC Level 1 specifies only 17 controls, while Level 2 specifies 63 controls.

Suppliers that will handle CUI will need to be certified to CMMC Level 2 or higher. Level 3 includes 134 requirements based on NIST SP 800-171 and NIST SP 800-172 and requires a triennial government-led assessment and annual affirmation.

What certification level should your organization pursue?

That depends on your company’s role in the DIB, as well as your current cybersecurity maturity level. CMMC Level 2 is equivalent to the current regulations and will be required to handle CUI. For example, suppliers that have a Section 7012 clause in their current contract will need to be CMMC Level 2 certified when those contracts are renewed.

What Should You Do Next?

Download our CMMC Certification Guide!

A Simple Guide to Comply with the DoD’s Cybersecurity Maturity Model Certification (CMMC)

This eBrief will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.