Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework developed by the U.S. Department of Defense to verify that defense contractors and subcontractors meet required security standards for protecting sensitive government information. CMMC replaces self-attestation with verified assessments, requiring contractors to achieve certification at the appropriate level before being awarded DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that aligns cybersecurity requirements with the sensitivity of the information that defense contractors handle. Developed in response to persistent cyberattacks targeting the Defense Industrial Base (DIB), CMMC adds a verification layer to the existing DFARS cybersecurity requirements by requiring independent assessments rather than relying solely on contractor self-attestation.
CMMC 2.0 Certification Levels
CMMC 2.0 streamlined the original five-level model into three levels:
- Level 1 (Foundational): 15 security practices derived from FAR 52.204-21. Required for contractors handling Federal Contract Information (FCI). Allows annual self-assessment.
- Level 2 (Advanced): 110 security practices aligned to NIST SP 800-171. Required for contractors handling Controlled Unclassified Information (CUI). Most contractors require third-party assessment by a C3PAO; some may qualify for self-assessment.
- Level 3 (Expert): 110+ security practices based on a subset of NIST SP 800-172 controls. Required for contractors handling the most sensitive CUI. Assessed by DIBCAC.
CMMC Compliance Requirements
Achieving CMMC compliance involves several key steps:
- Determine which CMMC level applies to your contracts, based on the type of information handled (FCI or CUI).
- Conduct a gap assessment against the security requirements for that level.
- Develop and implement a System Security Plan (SSP) documenting your security controls.
- Create a Plan of Action and Milestones (POA&M) for any controls not yet fully implemented.
- Undergo the required assessment: a self-assessment for Level 1, or a C3PAO assessment for most Level 2 contractors.
CMMC Assessment Process
The CMMC Assessment Process (CAP) governs how C3PAOs conduct Level 2 assessments. The process includes a pre-assessment phase where scope and logistics are established, the assessment itself where assessors review documentation, test controls, and interview personnel, and a post-assessment phase where results are compiled and submitted to the Cyber AB for quality review. Organizations that meet all requirements receive a three-year CMMC certification.
CMMC Certification Cost and Timeline
CMMC certification costs vary based on organization size, complexity, and current security posture. Costs typically include gap assessment and remediation (implementing missing controls), security tools and infrastructure (GCC High licensing, SIEM, EDR), consulting and managed security services, and the C3PAO assessment fee itself. Organizations should plan for 6-18 months of preparation time before the assessment, depending on their starting point. Starting with a readiness assessment helps identify the scope of work and associated costs.
CMMC and DFARS: The Regulatory Connection
CMMC is implemented through DFARS clause 252.204-7021, which requires contractors to achieve the specified CMMC level as a condition of contract award. CMMC builds on the existing cybersecurity requirements in DFARS 252.204-7012 (which mandated NIST 800-171 compliance since 2017) by adding the third-party verification component. The phased rollout of CMMC means the clause will appear in increasing numbers of DoD solicitations over time.