The Cybersecurity Maturity Model Certification (CMMC) Framework is a unifying standard that supports the common implementation of cybersecurity across the entire DoD supply chain. The DoD’s goal is to define its cybersecurity expectations in order to gain assurance that its contractors and subcontractors can adequately protect the DoD’s CUI within their unclassified networks.
CMMC focuses on protecting, and better defining, the two categories of unclassified information that flow through the supply chain: federal contract information (FCI) and controlled unclassified information (CUI). The framework is built on existing federal requirements rather than new ones: Level 1 maps to the basic safeguarding requirements of FAR 52.204-21, Level 2 maps to the 110 requirements of NIST SP 800-171 (organized into its 14 control families), and Level 3 adds a selected subset of the enhanced requirements in NIST SP 800-172.
The shift to CMMC marks a clear evolution toward a "trust, but verify" model for cybersecurity compliance within the DoD supply chain. Whereas the prior DoD model allowed organizations to self-attest to their implementation of NIST SP 800-171, CMMC relies heavily on independent assessments by Certified Third-Party Assessment Organizations (C3PAOs).
While CMMC 2.0 does allow all Level 1 and some Level 2 contractors to self-assess, Level 2 contractors should assume an independent assessment will be required until the DoD publishes its criteria for which contracts qualify for self-assessment. These assessments periodically verify that adequate cybersecurity practices and processes are in place to protect CUI and FCI. Organizations that process, store, or transmit CUI will typically need a certification that is valid for three years. Your certification level must be at or above the level required by the contract at the time of award.
If you are a prime contractor or subcontractor that plans to do business with the DoD in the future, CMMC applies to you. Even if your organization does not handle CUI, the DoD will expect a minimum certification at CMMC Level 1.
The DoD initially estimated that CMMC will impact 350,000+ defense contractors. Given the volume of subcontractors in the DoD’s multilayered supply chain, we expect that number to grow.
CMMC’s three maturity levels are cumulative. Each level contains the practices and processes included in any prior levels.
Your organization's target maturity level should be based on the level of risk to controlled unclassified information (CUI) and federal contract information (FCI) as defined by the awarding agency or prime contractor. Organizations handling CUI are already subject to DFARS 252.204-7012, which requires implementation of NIST SP 800-171, and will be expected to certify at Level 2 or above.
To determine which CMMC maturity level to aim for as a baseline, it’s also helpful to consider.
Finally, be aware that CMMC assessments are "pass" or "fail": your organization must have successfully designed and implemented 100% of a level's defined cybersecurity requirements to achieve certification at that level. The one caveat is that CMMC 2.0 permits a time-limited plan of action and milestones (POA&M) for a limited subset of requirements, which can yield a conditional certification; the open items must still be closed within the allowed window, so plan to meet every requirement rather than relying on a POA&M.
For a deeper dive into starting or accelerating your CMMC journey, download AuditBoard and RSM’s full guide, Are You Ready for CMMC? Getting on the Right Track with the New DOD Cybersecurity Framework, for answers to the most common questions organizations have about CMMC.