Glossary

Cybersecurity Maturity Model Certification (CMMC)

The CMMC, or Cybersecurity Maturity Model Certification, is a program established by the Department of Defense (DoD) that must be upheld by contractors in the Defense Industrial Base (DIB). The goal of the certification is to create a standard set of cybersecurity guidelines that keeps sensitive information safe and protected.

A Quick History of CMMC

Since 2017, all contractors of the Department of Defense have been required to undertake self-assessments against NIST 800-171 to demonstrate their cybersecurity readiness before working with this part of the government. Over the same period, supply chain breaches became more prevalent. Despite global efforts, the number of supply chain breaches has risen steadily each year, and companies across industries began to take their third-party risk very seriously. Security staff understood that a more stringent vetting process was needed before taking on contractors who would have varying levels of access to sensitive information and would touch government networks.

The DoD worked together with research centers and university research teams to create the CMMC maturity model and released Version 1 in January 2020.

What is the CMMC Maturity Model and Why is it Important?

CMMC is a standard of cybersecurity best practices that organizations can use to measure how closely they adhere to the requirements of the DoD. It gives the DoD visibility into an organization’s cybersecurity posture and also allows an organization to measure its own progress and improvement as it advances up the levels of maturity.

For businesses that wish to do business with the US Department of Defense, CMMC is a new prerequisite. It requires verification of contractor security and demands that all companies in the supply chain handle their own partners with the same diligence.

The CMMC serves as a verification that DIB organizations are using acceptable cybersecurity policies and procedures to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their unclassified networks.

Non-compliance will hurt your company’s profit margins, as contractors who do not pass the certification will be unable to bid on DoD projects. Compliance will protect your organization, enforce best practices and win you government contracts.

CMMC Version 2.0

The CMMC originally consisted of 5 maturity levels. In November 2021, Version 2.0 of the CMMC was released, compressing the 5 maturity levels into 3 increasingly advanced levels of cybersecurity requirements, with each level building upon the one before it. The Department of Defense will go through a rulemaking process before implementing CMMC 2.0 in contracts. Once it is in effect, all DoD contractors must be CMMC certified in order to bid on new federal contracts.

Levels 2 and 4 of the 5 levels in Version 1 were eliminated. The remaining three levels are:

  • Level 1 – “Foundational” – The DoD contractor will need to implement 17 controls of NIST 800-171 and pass an annual self-assessment.
  • Level 2 – “Advanced” – To pass an audit for this level, the DoD contractor will need to implement the full NIST 800-171 (110 controls).
  • Level 3 – “Expert” – To pass an audit for this level, the DoD contractor will need to implement the 110 controls of NIST 800-171 plus other controls based on NIST 800-172 (still under DoD development).

How to Achieve CMMC Certification

The Department of Defense will use accredited CMMC third-party assessor organizations (C3PAOs) to audit DoD contractor information systems and confirm that they have reached the required standard of cybersecurity controls. A DoD contractor that complies with the controls for a given level is assigned a certification at Level 2 or Level 3 based on this audit (Level 1 relies on the annual self-assessment described above).

The requirement under DFARS 7021 to submit and maintain a NIST 800-171 self-assessment in the DoD’s Supplier Performance Risk System (SPRS) remains in effect.

Through the Centraleyes platform, organizations can gain full visibility into their cyber risk levels and compliance status. Its integrated CMMC questionnaire, paired with a simple follow-up system for tracking and closing gaps, eases the path towards meeting compliance. The platform also allows you to start an assessment against the NIST 800-171 framework, walking you through all the requirements that must be met for this prerequisite. The final report needed for SPRS submission is generated automatically by the platform.
