CMMC is a framework for cybersecurity standards required to be met at one of the given five levels by anyone who works or wishes to work with the DoD. Independent assessors will verify whether you have met these standards and then give you a certification. All future DoD contracts will require you be certified at one of the five levels. 

CMMC took effect as an interim rule on 30th November 2020. Although the rule is already effective, it still needs to undergo Congressional review. In the meanwhile, limited number of contracts have CMMC requirement in 2021. The number, however, is steadily increasing till 2025. The current plan is to have all DoD contracts performed by CMMC certified companies 2026 onwards. 

Contractors must be certified by an independent auditor known as a CMMC Third Party Assessment Organization (C3PAO). The auditor is authorized and accredited by the independent CMMC Accreditation Body. Contractors cannot assess their own business or self-certify. Contractors can find and select an auditor through a central CMMC “Marketplace”. 

Certification covers five levels. Contractors must achieve certification at each level in sequence (from 1 to 5) before applying for assessment at the next level. The fact a contractor has received certification is public knowledge, but which level they have achieved will not be made public but will be known to the Department of Defense.

The measures required for certification are categorized into 17 broad areas of cybersecurity known as domains. Each domain is sub-divided into capabilities (43 in total) and then into 171 specific measures known as practices. 

Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 of them are specified in NIST SP 800-171 rev1. Additional practices and processes are drawn from other standards, references and sources, such as: 

– NIST SP 800-53 

– Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense” 

– Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2 

CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels. 

CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored. 

CMMC-AB estimates the certification process will take at least six months for organizations to get certified. 

A CMMC certificate is normally valid for three years before re-assessment is required. 

What are the five CMMC maturity models? 

The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around: 

– Level 1: Safeguarding Federal Contract Information (FCI) 

– Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI) 

– Level 3: Protecting CUI 

– Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs) 

Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, they will be classified overall as Level 2. CMMC levels are cumulative. To achieve Level 5, an organization must demonstrate all 5 processes and 171 practices included in the framework. 

Download our CMMC ebook for the full list of requirements here

The CMMC program, released on January 31st, 2020, officially went into effect on November 30th, 2020. By October 20th, 2025, all DoD suppliers must carry this certification. Without this certification, organizations will ultimately no longer be able to compete for DoD contracts. 

The CMMC is divided into five levels so that DoD contractors are not expected to comply with requirements that are not necessary to protect the type of information they handle. A contractor at the very bottom of the supply chain will most likely be required to certify only to Level 1, while a contractor with access to military base construction projects will be required to certify to one of the highest two levels. To determine which CMMC level a contractor should be working toward, it’s important to inventory all systems in order to find out where FCI and CUI data is stored and how. Those contractors that don’t have the capacity to complete this first step in-house should partner with a managed services provider (MSP) offering CMMC readiness assessments.