Cybersecurity Maturity Model Certification (CMMC)


The continuous surge in information theft is a cause for concern for every sector of the digital world, whether corporate, not-for-profit or government. Threats are rising from multiple entities: state-sponsored targeted attacks, organized crime groups, individual hackers and insiders. These entities are threatening to access everything from personal to state-level confidential information. Government bodies are a relentless target of such threats, primarily due to the sensitivity of the data involved.

The US Government is working with the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD) to better protect digital assets. In comes the Cybersecurity Maturity Model Certification (CMMC), a mandatory compliance program for DoD contractors to enhance and clean up their cybersecurity posture.

At a high level, CMMC is a collection of cybersecurity requirements from multiple existing frameworks including:

NIST   |   FAR   |   DFARS   |   COBIT   |   PCI DSS

As part of the CMMC, contractors are required to take specific measures to protect certain information in a prescribed manner. This information is categorized as:

Federal Contract Information (FCI)

FCI is information, not intended for public release, that is provided by or generated for the Government under contract.

Controlled Unclassified Information (CUI)

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The CMMC framework

The framework is tier-based, with five certification levels that demonstrate a contractor's cybersecurity infrastructure and capability to safeguard FCI and CUI. Each level is certified based on successful achievement of certain processes and practices.

Here is an overview of the five levels and their processes and practices:

The CMMC establishes five certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.

CMMC Framework

Below is an overview of the relevant processes and practices of each level:

Level 1 – Basic Cyber Hygiene

17 PRACTICES   |   FAR 48 CFR 52.204-21   |   FCI

Organizations must undertake standard cybersecurity practices to demonstrate "basic cyber hygiene". This level is essentially an entry point for any organization to implement data security measures (regardless of CMMC requirements) in order to be better prepared for the inevitable security threat. Organizations must have measures in place to protect Federal Contract Information (FCI).

Level 2 – Intermediate Cyber Hygiene

72 PRACTICES   |   FAR 48 CFR 52.204-21   |   NIST SP 800-171 R2 – 48 SUBSET   |   CYBER HYGIENE – 7 PRACTICES

Organizations must implement and document certain data security practices to protect CUI. NIST Special Publication 800-171 R2 must be followed in order to meet the certification requirements. This is a transition phase from the "basic" cyber hygiene of Level 1 to the "good" cyber hygiene of Level 3.

Level 3 – Good Cyber Hygiene

130 PRACTICES   |   FAR 48 CFR 52.204-21   |   NIST SP 800-171 R2 – 110 SUBSET   |   CYBER HYGIENE – 20 PRACTICES   |   CUI

Organizations must develop and implement a comprehensive cybersecurity management plan to protect CUI. Following the security measures at this level is highly recommended, as it requires organizations to create and follow a System Security Plan (SSP) that defines the system boundary and identifies the assets and networks that handle CUI data.

Level 4 – Proactive

152 PRACTICES   |   FAR 48 CFR 52.204-21   |   NIST SP 800-171 R2 – 110 SUBSET   |   NIST SP 800-171 B – 13 SUBSET   |   CYBER HYGIENE – 29 PRACTICES   |   CUI

Organizations must document each practice and have processes in place to review and measure the effectiveness of the implemented practices. Additional practices are undertaken to safeguard data against Advanced Persistent Threats (APTs). At this level, adherence is verified through formal assessments.

Level 5 – Advanced

171 PRACTICES   |   FAR 48 CFR 52.204-21   |   NIST SP 800-171 R2 – 110 SUBSET   |   NIST SP 800-171 B – 17 SUBSET   |   CYBER HYGIENE – 40 PRACTICES   |   CUI

Organizations must optimize their processes and standardize strict cybersecurity measures across the organization, and implement additional advanced security measures to detect and respond to APTs.

Key Takeaways

  • Security compliance for protection of US Government digital assets is no longer a suggestion for the supply chain; it’s a mandate
  • CUI MUST be better protected
  • Self-assessments will no longer be acceptable; third-party compliance certification will be the new standard
  • Applies to some new contracts starting in 2020 and applies to all contracts beginning in 2026
  • Applies to DoD prime contractors and subcontractors
  • The progressive model covers advancing levels of cybersecurity processes and practices resulting in a certification level
  • Contractors must start at level 1 and certify at each level all the way to the top level 5
  • It is estimated that over 300,000 DIB contractors will be affected throughout the 3 to 5 year roll-out, with most requiring a Level 1 through Level 3 certification
  • CMMC certification costs have been deemed allowable, reimbursable costs under the FAR rules as reasonable and allocable to the requiring contract


How CompCiti Can Help

CompCiti has experience helping organizations comply with regulations based on the NIST Framework. We can help you:

  • Prepare and get ready with an assessment and remediation plan. We perform a pre-certification audit to evaluate your existing security standing and what needs to be done to get ready for certification.
  • Perform the review to get you certified. We work with you throughout the certification process.
  • Stay certified. Remember, you need to be reassessed every 3 years to remain certified; we help perform the certification review to sustain your certification posture.


1. To Whom Does CMMC Apply?

CMMC applies to DoD contractors and subcontractors.

2. When Does It Take Effect?

DoD began issuing CMMC-specific information requests in limited numbers in September 2020. Starting in 2026, all DoD contractors will be required to hold a CMMC certification to be considered for any request for proposal.

3. Can we self-certify CMMC?

No, your organization cannot self-certify.

4. How long is the certificate valid?

You will need to get reassessed every 3 years.

5. How will I know which level of certificate my organization needs?

DoD will indicate the level of certification required in any RFPs and RFIs it releases. However, most organizations should strongly consider certifying at Level 2 or Level 3 at a minimum.