CMMC - Cybersecurity Maturity Model Certification 101

Defense contractors face more compliance. This time, it is cyber security. The Cybersecurity Maturity Model Certification (CMMC) is a compliance standard long in the making. Built off DFARS (Defense Federal Acquisition Regulation Supplement) and the NIST 800-171 framework, CMMC will require defence suppliers to meet and maintain a number of security controls depending on the type of data they have access to or store. The CMMC will soon become an obligatory requirement for any contractors or vendors collaborating with the DoD. Also, there are some significant plans to further spread the measures to all government contractors - for civilian acquisitions. 

Before the CMMC: Helpful Background Terms

In 2010 the federal government established a comprehensive program for managing   Controlled Unclassified Information (CUI) as well as defining sensitive government information. 

Since 2018 the DoD has obliged their contractors to implement the requirements contained in NIST SP 800-171, or DFARS (Defense Federal Acquisition Regulation Supplement). The goal was to handle and safeguard the CUI more consistently and clearly with the help of a unified standard. However, organizations that required compliance with NIST 800-171 could get it through self-certification. 

CMMC - Cybersecurity Maturity Model Certification

After a series of data breaches caused by growing supply chain attacks, the Department of Defense started creating the CMMC program in 2019. Prior to that, the primary cyber security control method was self-assessment, and it appeared to be ineffective under the current threatening circumstances. Now, the DoD relies on a third party to assess cyber security maturity models. The CMMC is believed to be an effective supply chain risk management program.

The Cybersecurity Maturity Model Certification (CMMC) is a compliance standard aimed to safeguard Federal Contract Information (FCI) and protect Controlled Unclassified Information (CUI). The DoD uses a broad definition of the CUI, covering all data created or possessed by the government or on its behalf.

The CMMC requirements are scheduled to appear in the DoD's requests for proposals (RFPs) from September 2021, and by 2026 all contracts will include these requirements.

The CMMC's Levels

The CMMC utilizes processes, practices, and focus areas to assess contractors' capabilities. The processes and practices depend on the certification level a vendor needs to comply with to qualify. Here is the CMMC levels overall scheme:

  • LEVEL 1 "Basic Cyber Hygiene" contains 17 practices;
  • LEVEL 2 "Intermediate Cyber Hygiene" has 17 practices from LEVEL 1 plus 55 more;
  • LEVEL 3 "Good Cyber Hygiene" adds 58 to the previous 72 practices;
  • LEVEL 4 "Proactive" contains 26 more practices;
  • LEVEL 5 "Advanced / Progressive" contains all security practices from level 1 through level 4 and 15 more.

Thus, there are currently five levels with 171 digital and physical security practices or controls and each preceding level is included in the next one. The CMMC framework consists of 17 domains (Access Control (AC), Incident Response (IR), Risk Management (RM), etc.) across the five levels.

The DoD RFPs will specify the certification level required. However, no RFPs will go below Level 1, where the controls include common cyber security measures such as utilizing antivirus software, etc. Levels 1 and 2 cover the controls aimed to safeguard Federal Contract Information (FCI) and serve as a transition to the CUI protection. Meanwhile, all DoD suppliers or contractors with access to CUI will be obliged to get at least Level 3 certification.

How to Become CMMC Compliant?

Deep Analysis of NIST and CMMC Requirements

The CMMC requirements will start functioning from fall and fully cover the DoD's areas by 2026. Vendors need to take the terms into account to do everything necessary to comply with the NIST standards. There is a comprehensive guide for the DoD's contractors and suppliers, covering NIST SP 800-171 Rev. 1 - enough to get CMMC Level 3.

Reach Out to MBS Tech - a Reliable Managed Security Service Provider (MSSP)

Many contractors who want to work with the DoD may lack resources and practices to meet the CMMC standards. If you don't have any experience of dealing with and meeting NIST requirements, the most efficient way to get CMMC compliant is by utilizing expert help. Our professional team is ready to deliver seamless CMMC consultancy and audit as well as other cyber security services to easily qualify for the desired DoD projects and much more. 



For your convenience, we’ve divided our blog on cyber security into several categories so that you can find necessary articles fast and effortlessly. Just choose the category that evokes your interest and enjoy reading.