What is Cybersecurity Maturity Model Certification (CMMC)?

We update this article when relevant news or changes happen to CMMC and its rules.

Cybersecurity isn’t just an option when seeking contract awards with the U.S. government – it’s a necessity. This reality holds especially true for companies competing for contracts with the Department of Defense (DoD). The Cybersecurity Maturity Model Certification (CMMC) program is designed to ensure the security of Controlled Unclassified Information (CUI) entrusted to contractors and their supply chains. 

The Cybersecurity Maturity Model Certification (CMMC) represents a unified standard developed by the Department of Defense (DoD) to address the increasing frequency and complexity of cyberattacks targeting the defense industrial base (DIB). This certification framework verifies that defense contractors properly safeguard sensitive unclassified information and maintain cybersecurity practices appropriate to counter various threats, including advanced persistent threats. 

The Purpose of CMMC 

CMMC was designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the defense supply chain. Unlike previous approaches that relied on self-attestation, CMMC introduces a verification component through assessments that ensures contractors actually implement required cybersecurity practices rather than simply claiming compliance. 

The DoD developed this framework to accomplish three key objectives: 

  1. Reduce costs associated with cybersecurity implementation, particularly for small businesses 
  2. Build trust in the assessment ecosystem 
  3. Align cybersecurity requirements with existing federal standards 

CMMC Regulatory Framework 

CMMC is established through two primary regulatory pathways: 

  1. Title 32 CFR CMMC Program Rule: Formally establishes the DoD CMMC Program in regulation 
  2. Title 48 CFR CMMC Acquisition Rule: Updates contractual requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the program 

The program will be contractually required 60 days after the 48 CFR rule is published as final in the Federal Register. Importantly, the DoD has emphasized that earlier versions of CMMC (sometimes called “CMMC 1.0”) are no longer applicable, as the program has evolved to address industry and Congressional feedback. 

Understanding CMMC Levels 

CMMC employs a tiered approach with three distinct levels of cybersecurity maturity: 

Level 1: Foundational 

Level 1 protects Federal Contract Information (FCI) through 17 basic cybersecurity practices derived from Federal Acquisition Regulation (FAR) 52.204-21. This foundational level is designed for contractors that handle FCI but not CUI. 

Key aspects of Level 1 include: 

  • Annual self-assessment requirements 
  • No need for third-party verification 
  • Focus on basic cyber hygiene practices 

Level 2: Advanced 

Level 2 builds upon Level 1 by adding protection requirements for Controlled Unclassified Information. It encompasses 110 security practices aligned with NIST Special Publication 800-171. 

The assessment requirements for Level 2 vary depending on the sensitivity of information: 

  • Some contractors can utilize self-assessments 
  • Others require certification through third-party assessment organizations (C3PAOs) 
  • Assessments remain valid for three years, with annual affirmations of continued compliance 

Level 3: Expert 

Level 3 represents the highest tier of cybersecurity maturity, incorporating 24 additional requirements from NIST SP 800-172 that specifically address Advanced Persistent Threats (APTs). 

At this level: 

  • Government assessors from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct all assessments 
  • This applies to contractors handling the most sensitive unclassified information 
  • Like Level 2, certifications remain valid for three years with annual affirmations 

Assessment Process and Requirements 

The CMMC assessment process varies by level: 

  • Level 1: Self-assessment by the contractor 
  • Level 2: Either self-assessment or third-party assessment by authorized C3PAOs 
  • Level 3: Government assessment by DIBCAC personnel 

It’s important to understand that CMMC only applies to unclassified networks that process, store, or transmit FCI or CUI. Classified systems are governed by different security requirements and are outside the scope of CMMC. 

Organizations seeking assessment must first determine their assessment scope, which identifies which systems and information are subject to CMMC requirements. This includes: 

  • CUI Assets: Systems that process, store, or transmit CUI 
  • Security Protection Assets: Systems that provide security functions for CUI 
  • External Service Providers: Third-party services that handle CUI or security protection data 

Assessment results are not made public but will be accessible to the DoD. 

Critical Requirements and POA&Ms 

The CMMC program distinguishes between “critical” and “non-critical” security requirements. Critical requirements must be fully implemented before certification; they cannot be addressed through Plans of Action and Milestones (POA&Ms). 

These critical requirements are identified in the Title 32 CFR CMMC final rule section §170.21 and represent security controls that are deemed essential for baseline protection of sensitive information. 

Managing External Services and Cloud Resources 

The CMMC framework includes specific provisions for cloud services and managed service providers: 

  1. Cloud Service Providers (CSPs): When used to store or process CUI, cloud services must meet FedRAMP Moderate or equivalent requirements. 
  2. Managed Service Providers (MSPs): If an MSP handles CUI, its services fall within the scope of the contractor’s CMMC assessment. The MSP itself does not need separate certification unless it stores CUI on its own systems. 
  3. Security Service Providers: Services that provide security functions (like Security Operations Centers) are considered External Service Providers and can fall within assessment scope, even if they’re part of the same corporate entity but operate under different organizational structures. 

Implementation Timeline 

The DoD plans to implement CMMC in four phases over a three-year period. This phased approach aims to: 

  • Address potential issues during ramp-up 
  • Allow time to train sufficient assessors 
  • Give companies adequate time to implement requirements 
  • Minimize financial impacts on contractors, especially small businesses 
  • Avoid disruption to the existing DoD supply chain 

In addition to this implementation timeline, organizations seeking CMMC certification should understand that preparing for and implementing CMMC controls can take up to 18 months, depending on company size and scope. That is on top of scheduling your assessment with a C3PAO: C3PAOs were only able to begin conducting assessments at the start of 2025, and they accept those assessments on a first-come, first-served basis.

Preparing for CMMC Compliance 

Organizations can prepare for CMMC by: 

  1. Conducting Self-Assessments: Review your systems against applicable security requirements from FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI). 
  2. Implementing Required Controls: Address any gaps identified during self-assessment. 
  3. Documenting Policies and Procedures: Ensure all security practices are well-documented. 
  4. Leveraging Available Resources: The DoD offers various no-cost Cybersecurity-as-a-Service resources through the DIB Cybersecurity Program, available at dibnet.dod.mil. 
  5. Understanding Your Supply Chain: Prime contractors should work with subcontractors to ensure appropriate CMMC levels throughout the supply chain. 

International Considerations 

CMMC applies to all organizations performing under DoD contracts, including non-U.S. companies. Foreign contractors can utilize the existing CMMC ecosystem rather than developing country-specific programs. The Cyber AB (CMMC Accreditation Body) may accredit international organizations that meet program requirements, allowing non-U.S. companies to choose either U.S.-based or foreign-based C3PAOs for their assessments. 

The CMMC program demonstrates the Department of Defense’s commitment to enhancing cybersecurity across the defense industrial base. By establishing clear requirements and verification procedures, CMMC helps ensure that sensitive information remains protected throughout the DIB supply chain. 

For defense contractors, achieving CMMC compliance is becoming an essential business requirement. Companies that proactively prepare for certification will be better positioned to maintain eligibility for DoD contracts while strengthening their overall security posture against evolving cyber threats. 