Skip to content

Resources

What is CMMC? Cybersecurity Maturity Model Certification Explained

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework for US defense contractors. It combines different standards and requirements to measure the cybersecurity maturity of the defense supply chain.
 
The Defense Industrial Base (DIB) has long been required to implement adequate measures to protect any sensitive government information it handles on its networks. These requirements are always evolving to defend against changing security threats and, over the past 10 years, have grown from general practices to obligatory compliance with entire frameworks, such as the NIST 800-171 requirements, for when contractors handle controlled unclassified information (CUI) on their networks. 
 

In 2020, the US Department of Defense (DoD) released the first version of the CMMC framework. In 2021, the DoD initiated an internal review of the CMMC program, resulting in the publication of CMMC 2.0. 

Over the next few years, those defense contractors in the DoD supply chain who process federal contracting information (FCI) or CUI will be required to obtain CMMC certification, in order to demonstrate the appropriate level of cybersecurity maturity for their respective DoD contracts. 

The CMMC is a framework of controls for cybersecurity implementation, designed to increase resilience against cyber-attacks throughout the DIB. This guide explores the CMMC program and the process for certification. 

What is a maturity model?

A maturity model is a way of measuring an organization’s capability to progress and improve in a specific area. Maturity models act as a series of benchmarks for organizations to measure their progression. As a maturity model, the CMMC includes best practice cybersecurity processes from a range of frameworks and standards. It also outlines the cybersecurity capabilities held by organizations of different maturity levels. This helps defense contractors benchmark their cybersecurity capabilities. 

A maturity model ensures that the CMMC scales alongside DIB organizations and the cybersecurity requirements of their respective contracts. The level of CMMC certification needed will differ depending on the type of information and the organization’s place in the supply chain. Factors could include: 

  1. Criticality of the associated mission capability;
  2. Type of acquisition program or technology;
  3. Threat of loss of the FCI or CUI;
  4. Potential for and impacts from exploitation of information security deficiencies; and
  5. Other relevant policies and factors, including Milestone Decision Authority guidance. 

The three maturity levels of CMMC 2.0

Where there were once five levels in the initial version of the program, under CMMC 2.0 the security practices are spread across just three levels, each designed to assess an organization’s implementation of cybersecurity and the maturity of its processes.

Each level reflects the maturity of the contractor’s cybersecurity processes, practices, and infrastructure. The levels are cumulative, so each one builds on the previous level. For example, to achieve Level 2, compliance must be held for the previous level of CMMC too. 

The three maturity levels of CMMC 2.0 are: 

  • Level 1 | Foundational (15 requirements)
  • Level 2 | Advanced (97 requirements)
  • Level 3 | Expert (121 requirements)
In practice, the three maturity levels are aligned with relative cybersecurity risks, cost of implementation and the type of sensitive information processed.
 
Level 1 focuses on safeguarding Federal Contract Information (FCI). It is modelled after the list of 17 controls in FAR 52.204-21. 
 

Level 2 is targeted for organizations who process Controlled Unclassified Information (CUI). The requirements under this level align precisely to those laid out under NIST 800-171.  

Level 3 is designed for organizations who work on very high-priority DoD programs and for protecting CUI from Advanced Persistent Threats (APTs). Beyond complying with the 97 requirements of Level 2 (i.e., NIST 800-171), contractors and applicable subcontractors must verify through DoD assessment that all security requirements from NIST SP 800–172 have been implemented. 

“Familiarize yourself first with what constitutes FCI or CUI and identify where it is processed and stored on your network.”

CMMC practices and processes

Each CMMC maturity level is a benchmark for an organization’s cybersecurity capabilities. The higher the maturity level, the higher the protection of sensitive information. This is reflected in the practices and processes outlined in each maturity level.

CMMC processes

The maturity of an organization’s cybersecurity processes is outlined in the CMMC. This includes the policies and procedures in place to protect sensitive information.

The lowest level just requires documentation of policies, whereas the higher levels require in-depth management and optimization of processes. 

  • CMMC Level 1 does not assess processes, as organizations can follow Level 1 practices without relying on documentation. 

  • CMMC Level 2 requires a higher management of cybersecurity processes, including a project plan, ring-fenced resources and training. 

  • CMMC Level 3 requires organizations to review and measure their security controls over time to determine their effectiveness, taking corrective action where necessary. 

CMMC requirements

Each maturity level of the CMMC highlights core cybersecurity practices. There are over 121 requirements in total across the three maturity levels. 

  • CMMC Level 1 requires basic cyber hygiene, including steps taken to safeguard Federal Contract Information (FCI). There are 15 Level 1 requirements.      

  • CMMC Level 2 requires the implementation of all 97 NIST 800-171 requirements.  
  • CMMC Level 3 includes enhanced cybersecurity practices to protect CUI from Advanced Persistent Threats (APTs). In addition to meeting CMMC Level 2, contractors must implement 24 specific requirements from NIST SP 800-172. 

Why is CMMC important?

Before the introduction of the CMMC, all contractors handling sensitive government data and information (i.e., CUI) were expected to adhere to the criteria set out in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The criteria required adherence with the cybersecurity controls of NIST 800-171, which the DIB could self-attest to be compliant with. 

However, the previous model of self-attestation was deemed insufficient to protect the defense supply chain against potential cyber breaches and IP theft. The economic cost of malicious cyber activity is estimated at $57b per annum, and cyber breaches can undermine US economic and national security. 

There has been a rapid increase in sophistication and operational security capabilities demonstrated by attackers in recent years, and defense contractors are experiencing significant and persistent attacks on their networks and systems. The CMMC was launched to improve the cybersecurity capabilities of the entire Defense Industrial Base (DIB). It ensures contractors have best practice processes in place to protect sensitive information on behalf of the government. 

Who will need CMMC certification?

With the exception of contracts for commercially available off-the-shelf (COTS) items, CMMC will apply to all contractors in the DoD supply chain who use unclassified non-federal information systems to store, process or transmit Federal Contracting Information (FCI) or Controlled Unclassified Information (CUI). It will affect suppliers at all tiers of the DIB, from prime contractors to SME contractors as well as foreign suppliers. Both prime and subcontractors that process CUI on behalf of the government will need certification. The Department of Defense (DoD) will state the required CMMC level in contract solicitations. 

“If you’re a subcontractor, seek advice and guidance from the prime. The Defense Industrial Base Sector Coordinating Council (DIB SCC) runs the CyberAssist website, containing lots of valuable resources to help the DIB enhance its cyber posture.” 

Advice may also be found on the Project Spectrum website. 

When will CMMC be required? 

Over the coming years, CMMC requirements will start to show up in DoD Requests for Proposals (RFPs) and Requests for Information (RFIs). Contractors will need to be certified at the required CMMC level by the time of contract award and prior to exercising option periods. 

The Office of the Under Secretary of Defense for Acquisition and Sustainment has set out a roadmap for full implementation of CMMC within the next 3 years. Defense contractors will need to evidence the level of maturity that is required in their contract through certification, and any flow-down CMMC requirements will apply to subcontractors. 

How will contractors become CMMC certified?

A CMMC self-assessment will apply to those companies that are subject to CMMC Level 1 and required to protect the information systems on which FCI is processed, stored or transmitted. A CMMC self-assessment should be completed using the CMMC Assessment Guide. CMMC Level 2 could require a self-assessment, but the DoD expects that most contracts at this level will require certification from a non-DoD third party. Contractors requiring Level 3 certification should leverage their Level 2 certification and focus their compliance efforts on adherence with the additional NIST SP 800-172 requirements, which is assessed by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

“Don’t wait until an RFI or RFP comes out to start the process of understanding your CMMC compliance. Start today by establishing your compliance baseline to identify gaps and define your compliance priorities and efforts from there.”

CMMC Level 1 certification process

To gain CMMC Level 1 certification, defense contractors will be required to formally self-assess their compliance with FAR 52.204-21, report Self-Assessment information in the DoD Supplier Performance Risk System (SPRS), and annually affirm continuing compliance in the SPRS. 

CMMC Level 2 certification process

To achieve CMMC Level 2 certification, an organization must meet the requirements outlined in Levels 1 and 2. The requirements are taken from NIST 800-171 and focus on safeguarding Controlled Unclassified Information (CUI) in contractor systems and networks. There are two ways of certifying compliance at this Level: self-assessments and third-party assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs). Certifications are valid for three years, and defense contractors must affirm compliance in the SPRS following each assessment, POA&M closeout, and reaffirm annually. 

CMMC Level 3 certification process

Level 3 is the most advanced level and so requires evidence of a mature cybersecurity model which proactively negates Advanced Persistent Threats (APTs). Defense contractors leverage CMMC Level 2 certifications and the DIBCAC assesses compliance with the additional NIST SP 800-172 requirements. CMMC Level 3 assessments are valid for up to three years.  

 

“If you’re aspiring to be CMMC Level 3 certified, use NIST 800-172 to start identifying and implementing the enhanced controls required at the higher levels of CMMC.” 

The benefits of CMMC certification

CMMC certification will become increasingly important as it is rolled out over the next few years. It will soon become an integral part of winning government contracts. Independent certification at Levels 2 and 3 verifies that an organization complies with best practice cybersecurity processes and practices when the DoD determines that more enhanced cybersecurity is required. Government agencies or prime contractors can be assured that a prospective contractor will safely store and process sensitive information.  
 

CMMC is designed in a way to scale with the organization’s maturity level, so can be used to benchmark and improve an organization’s cybersecurity capabilities. These improvements make information more secure, enhancing network and system best practices. The consequences of a cybersecurity breach can be severe, so organizations benefit from improving their processes and practices, as per the CMMC benchmark. 

Does CMMC place an additional cost burden on contractors?

The DoD does not approximate the cost of implementing the security requirements in CMMC Levels 1 and 2, on the assumption that its contractors and subcontractors should have already implemented them, since compliance with those standards predated the CMMC Program under FAR 52.204-21 and DFARS 252.204-7012. 

Besides the potential cost of engaging a C3PAO, costs involved in meeting the standards required and preparing for a CMMC assessment will depend on a number of factors. The maturity of an organization’s existing cybersecurity infrastructure, the size and complexity of the organization, the volume and scope of CUI and FCI handled, and any consultancy or outsourcing of services involved in preparation for the assessment can all represent additional costs. 

The future of CMMC

CMMC has started to be rolled out in phases: 

  • Phase 1: Self-assessments will be allowed for CMMC Level 1 and CMMC Level 2, but DoD has discretion to require CMMC Level 2 Certification Assessments for applicable DoD solicitations and contracts. Contractors must complete CMMC Level 1 and Level 2 self-assessments to be eligible for award of contracts. 

  • Phase 2: Six months after Phase 1 begins, DoD will begin requiring third-party assessments for CMMC Level 2. DoD may begin including CMMC Level 3 in solicitations and contracts. 

  • Phase 3: A year after Phase 2 begins, third-party assessments will be required for applicable DoD solicitations and contracts prior to award at Levels 2 and 3, but DoD has discretion to delay CMMC Level 3 Certification Assessments to an option period. 
  • Phase 4: Full implementation after one year from Phase 3 commencing. CMMC requirements must be met prior to award and prior to DoD exercising options. 

How can you prepare for CMMC Compliance?

You may be asking, ‘What CMMC level do I need?’. This will be made clear in the solicitation for the contract you are bidding on. You will then need to set out a roadmap to achieve the required CMMC level by the time of contract award, and the first step is to assess your baseline compliance. 

 Nipper can accurately assess your cybersecurity compliance against CMMC security practices, for levels 1 and 2, detect configuration drift and determine the security of every router, switch and firewall in the network on a daily basis, providing pass/fail evidence reports and risk prioritized remediation advice for non-compliances. Learn more about how Nipper can help your organization to achieve CMMC compliance. 

Assess CMMC compliance with Nipper

Nipper is a firewall and network auditing tool that can streamline compliance with CMMC. Nipper can accurately assess your cybersecurity compliance against CMMC security practices, levels 1 and 2. Create impact reports to prioritize non-compliance issues and address emerging risks efficiently. Reports provide detailed remediation advice and exact technical fixes for every risk found.