What to Know About the Cybersecurity Maturity Model Certification (CMMC)

August 06, 2021


Theft of intellectual property and sensitive information is at an all-time high and a growing threat to our national security. The recent ransomware attacks on the largest gasoline pipeline and meat producer in the US are clear evidence of this reality. Cyberattacks targeting the commodities industry, federal networks, and commercial software have sent a ripple effect throughout our nation's supply chain. In response, the Department of Defense (DoD) is taking steps to strengthen security within its Defense Industrial Base (DIB) by enhancing the protection of its sensitive information on each of its contractors' networks.

The new cybersecurity framework is known as the Cybersecurity Maturity Model Certification or CMMC. The DoD issued this new rule to assess and verify the ability of contractors in its Defense Industrial Base to implement security requirements specified in NIST SP 800-171, to "protect Controlled Unclassified Information in Nonfederal Systems and Organizations."

Both Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) include information created, collected, or received by or for the Government, that is not intended for public release. Specifically, CUI must also be safeguarded at every stage of existence (in use, storage, and transmission) until it is destroyed, disseminated, or decontrolled.


What is the Cybersecurity Maturity Model Certification?

In 2020, the DoD announced the new CMMC model derived from multiple cybersecurity standards, frameworks, and references. The model is organized into levels ranging from the basic level 1 to the highest level 5. Each level is cumulative and demonstrates a progression of cybersecurity maturity. To achieve a specific CMMC level, a DIB company must demonstrate that the required CMMC level practices have been implemented and processes have been institutionalized for an extended period. The specific CMMC level a DIB contractor can achieve will depend on where the CUI or FCI to be protected is processed, stored, or transmitted.

[Figure: CMMC Levels]

Prior to DoD contract award, an authorized and accredited CMMC 3rd Party Assessment Organization (C3PAO) verifies the DIB company's cybersecurity posture and its implementation of the required processes and practices. Upon completion of the assessment, the independent CMMC Accreditation Body awards the DIB company the appropriate CMMC level certification. The contractor's CMMC certification level is then recorded in the Supplier Performance Risk System (SPRS), which the DoD uses to verify a contractor's certification level before awarding a contract. Certifications are valid for three years and must be renewed every three years to remain current. The protection also applies to information shared and exchanged with subcontractors in a multi-tier supply chain; flowing CMMC requirements down to subcontractors is necessary to respond to threats that reach even the lowest supply chain tiers.




Why did the DoD create CMMC?

To best understand the current CMMC Framework and Assessment methodology, it is helpful to know the origins of this rule. Protection of unclassified information through minimum cybersecurity standards within the DoD supply chain has been in effect on DoD contracts since 2013. Those regulations relied on DIB contractors to self-attest, upon submission of a contract offer, that they had implemented or would implement the security requirements of the FAR 52.204-21 and DFARS 252.204-7012 clauses. They left the DoD with no way to assess and verify a contractor's compliance with the protection of government information before the contract was awarded.

The FAR clause mandates protection of any Federal Contract Information not intended for public release, provided by or generated for the Government.

The DFARS clause requires a DIB contractor to protect Controlled Unclassified Information in Nonfederal Systems and Organizations by implementing up to 110 security controls under the NIST SP 800-171 DoD Assessment Methodology.


Why is the CMMC framework important?

Suspicions that contractors were not implementing the basic safeguarding and security requirements were confirmed when DIB contractors reported 248 security incidents to the DoD Cyber Crime Center between 2015 and 2018. These numbers got the attention of the Secretary of Defense, who subsequently requested an audit by the DoD Inspector General (IG) to determine whether contractors were protecting CUI on their networks and systems. The 2019 IG report found that DoD contractors did NOT consistently implement the mandated requirements. The report emphasized that "malicious actors can exploit the vulnerabilities of contractors' networks and systems and exfiltrate information related to some of the Nation's most valuable advanced defense technologies." The IG report recommended that the DoD take steps to allow verification of a contractor's ability to protect CUI, which resulted in the CMMC Framework and Assessment Methodology.


Who needs to comply with CMMC?

The CMMC requirement applies to any company or group within the DIB sector that receives, handles, or processes FCI or CUI from the DoD. A DIB company that processes, stores, or transmits CUI will be required to obtain CMMC level 3 at a minimum. CMMC does NOT apply to a company that competes exclusively on contracts or orders for commercial off-the-shelf items, or on orders valued at or below the micro-purchase threshold, currently $10,000.

[Figure: CMMC Sources]

A contractor meeting the level 1 requirements will carry out the "basic cyber hygiene" practices specified in the FAR clause, focusing on the protection of FCI. Level 2 serves as a transition step from safeguarding only FCI in level 1 to protecting CUI in level 3, and includes a much larger subset of NIST SP 800-171. The DoD does not anticipate releasing new contracts that require CMMC level 2 at this time. To achieve level 3 and above, contractors must demonstrate implementation of the 110 NIST security requirements, along with additional processes and practices. Adherence to the 130+ controls must be documented and shown to be part of the organization's daily practices.


When will CMMC changes be enforced?

The DoD developed a five-year phased rollout of CMMC to minimize the financial impact and disruption to businesses within the DoD supply chain whose contracts specify a CMMC requirement.

Through September 30, 2025, all required organizations will need to achieve the stated certification at the time of the contract award. Starting on or after October 1, 2025, all entities receiving DoD contracts and orders will be required to achieve the CMMC level identified at the time of solicitation.

Additionally, organizations will be required to show that the practices and policies have been in place and adhered to for an extended period before the C3PAO performs the assessment to achieve certification. The phased approach by the DoD will allow companies to implement these practices, policies, and procedures well in advance of requiring certification.


How should you prepare for a CMMC assessment?

The CMMC Framework and Assessment is relatively new, and for many DoD contractors, it can feel like a daunting process. The good news is that Systems Engineering has been working within the NIST 800-171 framework and other compliance regimes for years. We fully understand the cybersecurity processes and practices necessary to become and remain CMMC compliant.

We're ready to help your organization prepare for this new assessment and certification. It all begins with a CMMC Gap Analysis to compare your organization's policies, procedures, and technologies to the controls required to achieve the appropriate CMMC Level. The analysis is performed using a combination of interviews with your staff, a review of any existing policies, and when appropriate, a review of the technical controls you have in place. This analysis will identify any gaps you may have, along with recommendations and solutions to close those gaps. The analysis output will also provide information on controls you are currently meeting for a complete picture of your current security posture.

Having confidence in your security controls will be essential as you move forward with your C3PAO CMMC assessment and subsequent CMMC AB certification. For more information on scheduling a gap analysis with Systems Engineering, please select the link below.


Customers with questions on the CMMC readiness process can reach out to their account manager, call us at 888.624.6737, or email us at