What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) was created by the United States Department of Defense (DoD) in an effort to standardize and encourage cybersecurity preparedness within the federal Defense Industrial Base (DIB). 

Overview of CMMC

The Cybersecurity Maturity Model contains a variety of best practices intended to help evaluate and measure a defense contractors’ capabilities and level of sophistication at implementing a cybersecurity program. 

The best practices set forth in CMMC are based upon related frameworks, namely DFARS and NIST 800-171. The level of maturity an organization obtains certification for depends on how well it can display their adoption of CMMC guidelines.

A CMM certification validates that the contractor or sub-contractor has committed to prioritizing and improving its cybersecurity program to a high level of performance. A third-party assessment organization (C3PAO) will conduct your CMMC certification audit.

What are the requirements of CMMC?

CMMC is based on an ascending level of maturity (i.e. preparedness). Starting at level 1 (lowest) and going all the way up to level 5 (advanced). It’s goal ultimately is to protect two types of data from exposure, theft, or unauthorized access: Controlled Unclassified Information and Federal Contract Information.

  • Controlled Unclassified Information (CUI): This is information that requires protection and dissemination controls aligned with any relevant regulations but is not considered classified under the Atomic Energy Act or Executive Order 13526.
  • Federal Contract Information (FCI): This is information provided or created by the government that is not intended for public release. 

The 5 levels of CMMC compliance, and the corresponding number of controls required for each level are explained below:

  • Level 1 – Basic: At this level, organizations are expected to have a minimum level of cybersecurity controls. This might be a newer, or smaller organization that is performing security processes but not have documented them yet. There are no maturity processes to assess for certification.
  • Level 2 – Intermediate: At this level organizations should have standard operating procedures and policies for all operational practices.
  • Level 3 – Good: At this level organizations should have met NIST SP 800-171 requirements and have activities in place that have been reviewed for adherence to their standard operating procedures and policies.  
  • Level 4 – Proactive: At this level organizations should be able to demonstrate a robust, proactive cybersecurity program and have methods for reviewing the effectiveness of controls and a way to inform management of any issues.
  • Level 5 – Advanced/Progressive: At this level, organizations have optimized their cybersecurity controls related to CUI and FCI. Advanced security processes are documented, managed, and reviewed on a routine basis. 

Who does CMMC apply to?

CMMC applies to any company with a DoD contract. This means all DoD contractors and suppliers must meet the cybersecurity standards specified in the NIST SP 800-171 framework, designed to protect controlled unclassified information from threat actors and foreign agents.

While CMMC is a newer framework and has only been applied to certain new contracts as of 2020, beginning in 2026, it will be applied to all government contracts. 

Thus, any contractor or subcontractor that wishes to secure a government contract must prioritize CMMC sooner rather than later.

How to be CMMC Compliant?

To help prepare for CMMC compliance, there are a few best practices to consider.

  • Start preparing today. The CMMC process can take several months and if you fail an audit, you will need additional time to mitigate the issues in order to be prepared for a re-audit.
  • Perform an internal audit before your official CMMC assessment. Conducting a self-assessment or self-audit prior to your official CMMC audit can help uncover previously unknown deficiencies that can be remedied before your official audit and help to reduce costs associated with re-certification or losing a DoD contract in the process.
  • Consult with a CMMC professional. A CMMC professional can walk through your operations and help you prepare for CMMC compliance.
  • Document your CMMC related controls and processes. When the time comes for your audit, your assessor will advise you on what documentation is required for the evaluation. The best way to be prepared is to document your self-assessment, controls, and remediation efforts in advance. This includes any systems and services provided to the DoD, so documentation that maps your service to DoD systems and details the controls involved in protecting data will be critical. 
  • Prepare for your CMMC assessment. To prepare for your assessment you will want to have a number of items ready for review (as directed by 
    1. Your self-assessment 
    2. Your System Security Plan (SSP) which documents your CMMC controls
    3. Your Plan of Action and Milestones (POAM) outlines any gaps in your infrastructure and operational processes and the actions required to fill them.

Key Takeaways

  • CMMC was created by the U.S. DoD in an effort to normalize cybersecurity preparedness.
  • CMMC applies to DoD contractors and subcontractors.
  • CMMC began partial application in 2020 but will apply to all government contracts by 2026.
  • CMM certification is based on the level of maturity the organization in question can display beginning at level 1 and going all the way to level 5.