CYBERSECURITY MATURITY MODEL CERTIFICATION

CMMC Maturity Model

CMMC Overview

The United States Department of Defense implemented the Cybersecurity Maturity Model Certification (CMMC) to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB). 

Maturity Model

Maturity models are a collection of best practices; the degree of adherence to them progresses organizations along a scale from lower levels of adoption, or “maturity,” to higher levels of aptitude and certification.

Certifying to a maturity model means that a company or organization has committed to improving its processes and practices within a model’s domains to a sustainable, measured high-performance level. 


Cybersecurity Maturity Model Certification is a program initiated by the United States Department of Defense (DoD) to measure defense contractors’ capabilities, readiness, and sophistication in cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.

 

At a tactical level, the primary goal of the certification is to ensure the safeguarding and security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of federal and non-federal contractors.

CMMC Takes Effect

As of September 2020, DoD began issuing a limited number of requests for information that contain CMMC specifications, and it is expected that CMMC will be required of all new DoD requests for proposals beginning in 2026.

CMMC Applies

The certification applies to “prime” contractors who engage directly with DoD and subcontractors who contract with primes to fulfill and execute those contracts.


Although some level of certification will be a requirement of every contract beginning in 2026, DoD has indicated that it intends to issue contract opportunities at all levels of the maturity model: some requests will require only a low level of certification, and some will require higher levels. CMMC applies to DoD prime contractors and subcontractors, to some new contracts starting in 2020, and to all contracts beginning in 2026.

CMMC Framework

The progressive model covers advancing cybersecurity processes and practices, resulting in a certification level of one of the following:

  • Level 1 Foundational - Performed Basic Cyber Hygiene
  • Level 2 Advanced - Documented and Managed, Good Cyber Hygiene
  • Level 3 Expert - Reviewed, Optimized, and Advanced Proactive

 

The Cybersecurity Maturity Model Certification is based on an ascending level of preparedness from:

  • Level 1: Encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.
  • Level 2: Encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].
  • Level 3: Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172 [6].

 

The ultimate goal of CMMC is to ensure the protection of two types of information from disclosure or unauthorized use:

  • Controlled Unclassified Information (CUI): information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but that is not classified under Executive Order 13526.
  • Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.


Each level has a set of processes and practices and a qualifier, or “goal,” related to the applicable domains at that level. Federal prime contractors and subcontractors are assessed for their adherence to the processes and practices of each applicable domain at each model level.

  

DoD created the Cyber Accreditation Body (AB), a non-profit, independent organization that accredits Third-Party Assessment Organizations (3PAOs) in addition to individual assessors. DoD has established a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification. 

Product Mapping to CMMC Domains


Encryption can stop threats to CUI and FCI, with alerting on files, folders, accounts, and domains. Built-in rules or custom actions can automatically shut down access and remediate exposure at any point in the kill chain.


The Purpose of CMMC Standards

The Cybersecurity Maturity Model Certification (CMMC) lays a framework for implementing cybersecurity policies and practices for organizations throughout the Defense Industrial Base (DIB). 

 

By fiscal year 2026, all new defense contracts will contain CMMC certification requirements, and every vendor in the national defense supply chain will need to become CMMC certified. 

 

The purpose of CMMC certification is to protect CUI and ensure that all defense contractors implement basic cyber hygiene measures.  

 

Since 2016, the U.S. economy has lost upwards of $109 billion due to malicious cyber activity. The loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base poses a risk to national security. Cybercrime continues to evolve; therefore, the U.S. Department of Defense (DOD) has developed the CMMC standards to increase security across the defense supply chain.

 

CMMC (Cybersecurity Maturity Model Certification) is part of the Defense Federal Acquisition Regulation Supplement (DFARS) and is a requirement for contract awards. The DOD released version 1.0 of the CMMC standards on January 31, 2020, and version 2.0 on December 26, 2023. Organizations must begin reviewing their cybersecurity processes and improving their capabilities to align them with these standards. Prime contractors must start preparing their supply chain to develop programs that meet these standards.

 

The 110 security requirements included in the National Institute of Standards and Technology (NIST) SP 800-171 Rev 2 are also part of the CMMC Levels 1-3 certification requirements. The new standards also incorporate practices and procedures from other sources, including: 

  • CERT Resilience Management Model (CERT RMM) v1.2
  • CIS Controls v7.1
  • Draft NIST SP 800-171B
  • FAR Clause 52.204-21
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
  • NIST SP 800-53 Rev 5


The CMMC certification standards unify these standards into one universal framework for defense contracts. The new standards introduce the need for third-party assessments to certify CMMC compliance with mandatory procedures, capabilities, and practices. The standards also introduce a three-level certification model. Each level increases the number of cybersecurity practices and policies an organization must use. 

 

The DOD Requests For Information (RFIs) and Requests For Proposals (RFPs) will specify the required level of certification. By unifying and improving upon the standards already in place, the CMMC will make contractors and subcontractors more agile and able to prevent and respond to evolving cybersecurity threats.

Industries That Require CMMC Certification

Anyone in the defense contract supply chain must be certified to CMMC. The DOD estimates the roll-out of CMMC standards will affect 300,000 companies. Most contracts will require a certification at Level 1 or Level 2 to qualify for government contracts.

 

The CMMC standards will apply to DOD contractors that deal with CUI. The categories of information the Executive branch protects include:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

 

Even if a DIB company doesn't have or make CUI, if it has Federal Contract Information (FCI), it must meet FAR Clause 52.204-21 and be certified at a minimum of CMMC Level 1.

 

The certification requirements apply to suppliers at all tiers along the supply chain. So, a subcontractor for a DOD contract will also need a CMMC certification. Subcontractors won't necessarily need certifications at the same level as the prime contract. Instead, the level will depend on the type and nature of information flowed down from the prime contract. 

 

The only exception to CMMC certification requirements within the DIB sector is for companies that solely produce Commercial-Off-The-Shelf (COTS) products.

 

Those in the DIB, such as aerospace manufacturing, will need CMMC certification. Any subcontractor at any tier in the supply chain will need at least a Level 1 Certification to be included in DOD subcontracts. Also, software or service providers, such as logistics, IT, or communications companies contributing to the DOD supply chain, are subject to the new CMMC standards. 

CMMC Domains

To meet each certification level, a contractor must achieve the requirements for both the practices and processes associated with the following capability domains: 

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Management (RM)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

 

The prime contractor must ensure that any subcontractors are CMMC certified as required by the DOD. The level of certification will be specified in your contract, depending on the information you share with subcontractors. The level of certification required for a particular contract will be specified in the DOD's RFIs and RFPs.

  

Level 1

  • The minimum CMMC certification level requires basic cyber hygiene and only requires that processes are performed. The 17 practice requirements correspond to the 15 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 and to 17 practices drawn from NIST SP 800-171 Rev 2. The practices include requiring antivirus software and sanitizing or destroying any media containing FCI before disposal or reuse. If an organization is already required to protect FCI, it should already have all the practices needed to meet CMMC Level 1.


  • Since these standards are already in place for federal contractors, a business aiming for Level 1 certification will usually only need to receive certification from a Third-Party Assessment Organization (3PAO). Evaluators will check that an organization performs the 17 practices and will not require documented information on processes or assess process maturity.


Level 2

  • The second level of CMMC requires good cyber hygiene and requires documented information on all CMMC practices and policies. Documented information is a crucial step to achieving Level 2 process maturity. Evaluators will also require the organization to have a policy encompassing all activities. A Level 2 certification indicates that an organization has achieved a “Managed” process maturity designation.

  • Level 2 adds 93 new practices to the 17 required at Level 1, for a total of 110 practices. The practices deal with the protection of CUI and include the practices listed in NIST SP 800-171 Rev 2. These practices include policies about privilege levels for account access, an incident response plan, testing of incident response capabilities, and marking all media with CUI indicators and distribution limitations. Since a Level 2 certification incorporates all the procedures necessary to safeguard CUI, an organization that regularly deals with CUI will benefit the most from earning a Level 2 certification.


Level 3

  • This level incorporates proactive practices to enhance detection and response capabilities. At this level, an organization becomes better equipped to respond to cybersecurity incidents and can prevent them from occurring. This level also requires that an organization regularly reviews and measures its practices for effectiveness and compliance with standards, and the review results are shared with higher-level management.

  • The 110 practices in Level 3 incorporate those in Levels 1 and 2, plus 25 practices from NIST SP 800-171B. Some practices required at Level 3 include practical exercises and training that teach employees to respond to current threat scenarios, and the use of a security operations center with 24/7 response capabilities. When certified at Level 3, an organization must have practices to detect and address the changing tactics, techniques, and procedures (TTPs) used by Advanced Persistent Threats (APTs). The practices introduced at Level 3 enhance the level of protection for CUI and generally create more sophisticated cybersecurity systems.

CMMC DoD DIBNet Supply Chain

If you are an organization providing services as a Prime, Contractor, or Subcontractor and have questions about CMMC, FCI, CUI, DFARS, DoD, DIBNet Reporting, or anything related to DoD compliance and certification, please reach out to CSSC by clicking on the CONTACT US link below. CSSC provides an initial free-of-charge consultation to answer your questions and provide as much help as possible. Thank you.

Contact Us

Copyright © 2024 Cyber Security & Specialty Consultants - All Rights Reserved.
