Cybersecurity Maturity Model Certification (CMMC)
CMMC is a framework introduced by the United States Department of Defense (DoD). It is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which consists of over 300,000 companies in the supply chain for the DoD.
Definition and purpose
The purpose of CMMC is to enhance the protection of Controlled Unclassified Information (CUI) that exists within the supply chain of the defense industry. CMMC serves to assess and enhance the cybersecurity posture of defense contractors, specifically focusing on protecting sensitive defense information housed in contractors' information systems.
CMMC was developed by the US Department of Defense, in partnership with industry and academia.
CMMC 2.0 was announced in November 2021. A phased implementation of CMMC 2.0 began in 2023 with final completion planned for October 2025.
CMMC applies to all suppliers at all levels within the Defense Industrial Base, including small businesses, commercial item contractors, and foreign suppliers. Any company doing business with the DoD, either directly or as a subcontractor, is required to comply with the relevant level of CMMC certification.
Controls and requirements
CMMC 2.0 is streamlined compared to its predecessor and focuses on three levels of cybersecurity maturity:
- Level 1 (Foundational): Consists of basic cyber hygiene practices that correspond to basic safeguarding requirements for Federal Contract Information (FCI).
- Level 2 (Advanced): Encompasses a set of practices that align with the NIST SP 800-171 standard, safeguarding CUI.
- Level 3 (Expert): Includes advanced/progressive practices to protect CUI and reduce the risk of Advanced Persistent Threats (APTs).
Each level has a set of practices and processes, with higher levels encompassing all the requirements of the lower ones.
Please refer to the official CMMC 2.0 website for details on controls and requirements.
Audit type, frequency, and duration
CMMC assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors accredited by the CMMC Accreditation Body (CMMC-AB). The certification is valid for three years, after which a re-assessment is required.
The duration of the assessment will depend on the size and complexity of the organization's network and information systems, as well as the CMMC level for which they are being assessed.