CMMC compliance explained: what is the Cybersecurity Maturity Model Certification?

October 15, 2020  |  Mark Stone

This blog was written by a third-party author.

With an escalating cybersecurity threat that doesn’t appear to be slowing down, the Department of Defense (DoD) has taken proactive measures in creating the Cybersecurity Maturity Model Certification (CMMC). The CMMC will soon be a requirement for any defense contractors or other vendors that are, or wish to be, working with the DoD.

What is CMMC compliance?

The primary goal of the Cybersecurity Maturity Model Certification is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD supply chain. The DoD’s definition of CUI refers to any information or data created or possessed by the government or another entity on the government’s behalf. The interpretation of data is broad here — and can take into account financial, legal, intelligence, infrastructure, export controls, or other information and data.

The CMMC framework incorporates processes, practices, and approaches to standardize the assessment of a DoD vendor’s capabilities.

The requirements for CMMC certification, broken into practices and processes, are dependent on the level of certification. Each certification level builds upon the requirements from levels beneath it; for example, a level 3 certification would include requirements for levels 1 and 2. 

Here is a brief description of each certification level:

Level 1 demonstrates “Basic Cyber Hygiene” – DoD contractors who wish to pass an audit at this level must implement 17 controls of NIST 800-171 Rev1.

Level 2 demonstrates “Intermediate Cyber Hygiene” – Here, DoD contractors must implement another 48 controls of NIST 800-171 Rev1 plus seven new “Other” controls.

Level 3 demonstrates “Good Cyber Hygiene” – To achieve level 3 certification, the final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be implemented.

Level 4 demonstrates “Proactive” cybersecurity – In addition to the controls in levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented.

Level 5 demonstrates “Advanced / Progressive” cybersecurity – To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls.

To achieve each certification level, contractors and vendors must meet the requirements for practices and processes associated with that level across 43 different capabilities spanning 17 capability domains.

The capability domains are as follows:

  • Access Control (AC)
  • Incident Response (IR)
  • Risk Management (RM)
  • Asset Management (AM)
  • Maintenance (MA)
  • Security Assessment (CA)
  • Awareness and Training (AT)
  • Media Protection (MP)
  • Situational Awareness (SA)
  • Audit and Accountability (AU)
  • Personnel Security (PS)
  • System and Communications Protection (SC)
  • Configuration Management (CM)
  • Physical Protection (PE)
  • System and Information Integrity (SI)
  • Identification and Authentication (IA)
  • Recovery (RE)

Who does CMMC directly affect?

Any contractor or vendor doing business with the DoD is affected, and will eventually be required to obtain a CMMC certification. The definition of contractor or vendor includes all suppliers across every tier of the supply chain, small businesses, foreign suppliers and commercial item contractors.

The certification process is handled by the CMMC Accreditation Body (CMMC-AB), which coordinates directly with the DoD. Together, they have developed procedures to accredit independent CMMC Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate and certify CMMC levels.

Under the new guidance, any Defense Industrial Base (DIB) vendor or subcontractor awarded a new contract will have to demonstrate CMMC compliance. Essentially, this applies to any organization that handles CUI.

The only companies exempt from CMMC certification are those that solely produce Commercial-Off-The-Shelf (COTS) products.

What steps should businesses that work with the DoD take?

It’s important to clarify that although the CMMC requirement begins in 2020/2021, all DoD suppliers have been given sufficient time with which to obtain certification — until 2025, in fact.

This buffer is valuable, as the road to CMMC certification is not easy, fast, or cheap. First, the waiting period between application and certification is at least six months. Plus, the average ongoing cost of CMMC compliance is estimated at approximately $3,000 per employee per year. Initial one-time implementation costs can range from $500 to $1,000 per employee.

The Cybersecurity Maturity Model Certification states that contractors can choose to achieve a specific level for their entire enterprise network or for particular segments where the information to be protected is handled and stored. However, DoD solicitations will specify the maturity level a supplier must hold in order to respond to the request for proposal. Therefore, it is essential to conduct an assessment of the business and determine whether, and what, CUI is part of the equation.

Understanding the CMMC requirements

The most immediate step for DoD contractors is to learn the CMMC's technical requirements and prepare for certification and, more importantly, for long-term cybersecurity agility. Details regarding the CMMC assessment process and how it may be challenged are expected soon.

DoD contractors with a head start on evaluating their procedures, practices, and any possible gaps are in a great position to meet the CMMC contract requirements.

Once they understand the requirements, contractors should start their journey by clearly documenting all practices and procedures that already meet CMMC guidelines. Another good step is to plan for and implement additional procedures and practices to obtain the highest certification level possible.

One final and important note: unlike NIST 800-171, for which a self-assessment was sufficient, CMMC requires an audit by a CMMC third-party assessing organization (C3PAO). That said, any organizations that have planned for or are operating under NIST standards are in a stronger position for certification.

Are there security companies that specialize in CMMC preparedness?

Many DoD contractors or suppliers may lack the in-house resources and IT staff required to meet the CMMC levels of cybersecurity. Those that do have the resources can look to NIST’s Self Assessment Handbook – 162, created specifically for U.S. DoD contractors providing products and services to the DoD.

However, the handbook only covers NIST SP 800-171 Rev. 1, which, based on the certification levels, is only valid up to CMMC Level 3.

DoD contractors without the expertise to meet the NIST requirements may outsource the work to a third-party CMMC consultant offering CMMC compliance services. In the U.S., there are many qualified and experienced Managed Security Service Providers (MSSPs) that specialize in compliance services and monitored cybersecurity for DoD contractors. Qualified MSSPs can perform the initial assessment and help the company achieve the requirements necessary for passing a CMMC audit.

The CMMC-AB has a Marketplace where companies in the CMMC ecosystem will be listed. Registered Provider Organizations (RPOs), which provide consulting services to help organizations get ready for certification by the C3PAO, will be included in the marketplace.

For many DoD contractors, the most cost-effective path to meeting CMMC cybersecurity requirements is outsourcing the task to a Managed Security Service Provider (MSSP) that specializes in CMMC Consulting. DoD contractors are ultimately responsible for ensuring CMMC cybersecurity requirements are met, so choosing a trustworthy MSSP is essential.

In most cases, especially for those contractors that lack in-house resources, outsourcing this cybersecurity work to a qualified provider should save a lot of time and money.
