Cybersecurity Maturity Model Certification (CMMC): A Guide

The definitive guide for defense contractors who need to know the latest requirements specified under the new Cybersecurity Maturity Model Certification (CMMC) program.

Ready to Begin the Process?

Contact us with questions or to receive a quote.

“CMMC is a unified standard that takes into account all of the various information security standards and best practices that need to be implemented within the DIB supply chain,” says Rhia Dancel, information security expert with NSF-ISR. “That’s to protect federal contract information (FCI) and Controlled Unclassified Information (CUI).”

Dancel’s NSF-ISR colleague and fellow information security expert Tony Giles describes it this way: “CMMC is potentially the first-ever mandated information security standard. The DIB and the Department of Defense are extremely interested in seeing these requirements met for organizations within their supply chain.”

What Is CMMC?

The Cybersecurity Maturity Model Certification is a new certification model designed to ensure that DoD contractors have the necessary controls in place to protect sensitive data. This includes Controlled Unclassified Information (CUI) and federal contract information (FCI).

Created by the Office of the Under Secretary of Defense for Acquisition and Sustainment, CMMC is mandatory for everyone doing business with the DoD. It consolidates existing cybersecurity control requirements, including ISO 27001, ISO 27032, NIST SP 800-171 and NIST SP 800-53, in order to create a more precise and uniform cybersecurity standard.

Previous security standards called only for self-verification in order to achieve compliance, but CMMC requires a third-party assessment from a certified assessor. CMMC rolling deadlines began in January 2021. By the end of 2025, all DoD contractors will be required to be CMMC certified. Note the word “all.” Not some, not most, but every single one.

Why CMMC Is Important

Previous standards were based on firms in the Defense Industrial Base (DIB) doing their own information security verifications. That approach simply didn’t work in ensuring effective cybersecurity measures, in the DoD’s view. The result was that foreign adversaries were able to develop copies of U.S. military hardware using stolen information. As an example, DoD experts have pointed to new Chinese fighter aircraft designs that are clearly based on U.S. prototypes.

The lesson the DoD learned was that you need verified compliance to ensure effective cybersecurity measures, meaning compliance review and accreditation by a third party. CMMC was the solution created to eliminate vulnerabilities up and down the supply chain. It does this by ensuring that DoD contractors have robust cybersecurity measures in place that are third-party verified.

CMMC compliance will now appear on all new requests for proposals (RFPs) issued by the DoD. Firms without it will be disqualified from new contracts.

Dancel reminds DoD contractors that compliance with CMMC requirements will now be a fact of life for all firms and their supply chains, noting, “CMMC certification is stated right in the contract, and if the contractor does not have those requirements in place, they won't be considered.”

Giles adds, “I tell them, if you want to hang onto this Department of Defense contract, you need to meet the requirements.”

The DoD is also mandating certification renewal every three years.

Benefits of Certification Under CMMC

Under the new CMMC requirements, contractors who are certified will have a distinct competitive advantage within the vast defense industrial base that includes more than 300,000 suppliers. Smart DoD contractors and their supply chains will look at the calendar and decide they want to be proactive and start the certification process.

Of course, as with any pending deadline, there will be others who put off certification until the last minute — for any number of reasons, both good and bad. What they may not realize is that waiting in this early phase will give proactive firms an edge in the DoD contract proposal process.

Another factor involves multiyear contracts. Companies that are CMMC compliant early in the process will be in a better position to secure these kinds of lengthy contracts, while firms that wait until the last minute will be facing a shrinking window of opportunity.

The greatest benefit, aside from new contracts and revenue, is that DoD suppliers who are CMMC certified will be better protected against cybersecurity attacks and data breaches. The CMMC process is happening against a backdrop of increasing cybersecurity attacks in the United States and around the world.

CMMC: What You Need to Know

All firms that do business with the DoD will be required by the federal government to be CMMC compliant by the end of 2025. That means companies with contracts will need to fulfill all requirements under the Cybersecurity Maturity Model Certification program that is being implemented throughout the defense supply chain.

Cybersecurity processes and practices will be measured across five maturity levels under CMMC. This is in contrast to the previous NIST standard covering information security practices. NIST is the acronym for the National Institute of Standards and Technology, an agency within the Department of Commerce.

The kind of information a company handles and the type of work it does will determine the required certification level. All new DoD contracts will spell out the specific level of certification. If a supplier is not certified at the specified level, the firm cannot sign a contract with the DoD.

CMMC compliance will now be verified by CMMC Third-Party Assessment Organizations, referred to as C3PAOs. During the procurement process, maturity assessment levels will be determined. Maturity level 4-5 assessments will be conducted by government assessors, while maturity level 1-3 assessments will be handled by third-party private-sector assessors.

Assessments will cover both the procedures for protecting Controlled Unclassified Information and the practices used by the personnel assigned to handle information security within the company. Firms that offer software-only solutions are being told that a one-dimensional approach will not suffice.

“For a company seeking CMMC certification, we don’t want them to be the weak link,” Dancel says. “We want them to be a secure link in the supply chain.” For her colleague Giles, that means educating organizations on information security and demystifying the information security experience.

CMMC: How It Works

Certification under the CMMC program is not required at the time a request for proposal is released, but a DoD contractor will need to be certified at the time a contract is awarded. RFPs specify the level at which a DoD contractor must be certified. At a minimum, suppliers will need to meet the Level 1 CMMC requirements.

DoD contractors have a time span during which they can begin and complete certification, which varies based on the specific contract. To gain certification, firms need to work with independent third-party assessment organizations accredited by the CMMC-AB.

The CMMC-AB is an independent body that authorizes and accredits CMMC Third-Party Assessment Organizations and CMMC Assessors according to DoD guidelines. DoD contractors specify their cybersecurity maturity level and schedule an evaluation with an assessor employed by a C3PAO.

The DoD supplier receives the appropriate certification from the designated assessor organization once they have met all requirements and completed the necessary process. The results of a contractor’s cybersecurity assessment are confidential and are stored in an internal DoD database.

DoD contractors are advised not to share their certification level with the general public, because this could invite cybersecurity threats. Companies looking to do business with the DoD are encouraged to be proactive and start the certification process early, given the risk of losing a contract or possible delays.

Dancel reminds organizations she works with that CMMC requirements will appear in all contracts starting in fiscal year 2026. “Organizations seeking CMMC certification need to develop a system security plan, conduct a self-assessment to NIST 800-171 standards, submit their score to the DoD’s SPRS platform and create a plan with target dates to achieve a maximum score of 110.”

Giles suggests companies ask themselves basic information security questions. “How are you going to document what you’re doing so it makes sense? Do you have a system security plan? Have you done a risk assessment? Have you closed your plan of actions and milestones? Start with your system security plan and build from there.”

CMMC Framework, Domains and Requirements

CMMC has a framework that includes 17 domains based on cybersecurity best practices. Each domain is broken down into practices and processes mapped across five maturity levels. Within each domain, practices are aligned to a specific set of capabilities.

These are the 17 domains in the CMMC model: Access Control (AC), Identification and Authentication (IA), Physical Protection (PE), Incident Response (IR), Audit and Accountability (AU), Maintenance (MA), Risk Management (RM), Awareness and Training (AT), Media Protection (MP), Security Assessment (CA), Configuration Management (CM), Personnel Security (PS), System and Communications Protection (SC), System and Information Integrity (SI), Asset Management (AM), Recovery (RE) and Situational Awareness (SA).

The five CMMC maturity levels include defined processes and practices. Not all information is equally sensitive, and employees may have different levels of access. To allow for these variables, CMMC measures the following:

Level | Processes | Practices
Level 1 | Performed | Basic Cyber Hygiene
Level 2 | Documented | Intermediate Cyber Hygiene
Level 3 | Managed | Good Cyber Hygiene
Level 4 | Reviewed | Proactive
Level 5 | Optimizing | Advanced/Progressive

The Benefits of CMMC Compliance

Under the new CMMC requirements, contractors who are certified have a distinct competitive advantage within the defense industrial base (DIB), which includes an estimated 350,000 suppliers. Proactive defense contractors will start the certification process even before a request for proposal (RFP) is initiated.

When it comes to multi-year contracts, companies that are CMMC compliant early in the process will be in a better position to secure these contracts. Firms that wait until the last minute will likely have fewer contract opportunities.

Aside from contracts and revenue, the largest benefit is that CMMC-certified suppliers will be better protected against cybersecurity attacks and data breaches, having implemented network information security protocols consistent with industry best practices. This benefit can further protect an organization's reputation and could extend to contracts outside of the DoD.

Dancel offers her perspective: "I think many organizations are already inherently protecting their information and data. So, adding this other layer of technical controls and documentation will only enhance the security measures they have already implemented."

A Smart Approach to CMMC

Contractors who plan on continuing to work with the DoD recognize that CMMC requires a higher level of cybersecurity measures. The rigorous process will also have the effect of forcing out suppliers that are either not interested in or unable to meet the enhanced information security requirements mandated by CMMC.

Some suppliers will lose the opportunity to bid on DoD contracts, but for savvy contractors willing to undertake the certification steps, those opportunities will still be available. Also, as with any new, large-scale, multi-year government program, changes will be a recurring part of the process, especially in the early part of the five-year rollout.

Motivated DoD suppliers will stay informed about CMMC, take changes in stride and be proactive in order to achieve early certification. These organizations recognize that as contracts with CMMC requirements are announced and RFPs are published, early CMMC certification will open doors that may well be closed to their non-compliant competitors.

How NSF Can Help You

Get in touch to find out how we can help you and your business thrive.