The Cybersecurity Maturity Model Certification (CMMC) is a mandatory initiative by the Department of Defense (DoD) impacting DoD contractors. The CMMC is a framework and standard for cybersecurity as part of the Defense Industrial Base (DIB).
Led by the Office of the Assistant Secretary of Defense for Acquisition, the CMMC shores up a gap created by the National Institute of Standards and Technology 800-171 self-assessment by mandating third-party certification. The DoD found when auditing defense contractors that they were not compliant with NIST SP 800-171, as the self-assessment left too much interpretation.
With CMMC, a certified assessor must grant the certification after reviewing specific standards and controls in the framework. Controlled Unclassified Information (CUI) must be protected under both mandates, but with CMMC assessments there is a second party checking to make sure adequate controls are in place.
There are five CMMC certification levels for compliance:
CMMC Level 1 – Basic Cyber Hygiene (17 controls): Basic cybersecurity appropriate for small companies.
CMMC Level 2 – Intermediate Cyber Hygiene (72 Controls – contains level 1 controls): Contains universally accepted NIST SP and CSF cybersecurity best practices.
CMMC Level 3 – Good Cyber Hygiene (130 Controls – contains level 2 controls): Includes coverage of all NIST 800-171 controls and additional CMMC components.
CMMC Level 4 – Proactive (156 Controls – contains level 3 controls): Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.
CMMC Level 5 – Advanced/Progressive (171 Controls – contains level 4 controls): Includes highly advanced cybersecurity practices and cybersecurity standards.
The CMMC requirements build upon each other from basic through advanced, helping to lead an organization through the levels of cybersecurity. The cybersecurity maturity and level of program sophistication of a company has a great deal to do with how easy it will be to adopt the controls laid out by the CMMC.
The bottom line, however: if an organization wants to do business with the federal government and they are exposed to CUI, they will obtain the CMMC certificate in order to bid on RFP and RFI business.