Cyber Maturity Model Certification

Are you (or are you looking to be) a Department of Defense (DoD) contractor or subcontractor?

If so, you need a Cyber Maturity Model Certification (CMMC).

What is the CMMC?

In an effort to ensure that contractors are protecting sensitive defense information, the DoD released the CMMC framework in January 2020. The CMMC is a unified standard for cybersecurity across the defense industrial base, which includes over 300,000 companies in its supply chain.
This DoD-developed framework includes a certification and compliance process, which is required to bid on new work. In the past, contractors were responsible for implementing, monitoring and certifying the security of their own information systems. Now a third-party audit and assessment, performed by an accredited CMMC Third Party Assessment Organization (C3PAO), is required to certify that a company is following mandatory practices and procedures.

There are many components in the CMMC process to check compliance and certify the security of information systems in companies and contractors who store or transmit DoD data. The CMMC is comprised of standards from:

  • NIST SP 800-171
  • NIST SP 800-53
  • ISO 27001
  • ISO 27032
  • AIA NAS9933

5 Certification Levels

The CMMC encompasses 5 maturity levels that range from Basic Cybersecurity Hygiene to Advanced/Progressive, with each level building on the requirements of the levels below it. The certification level required for a company will be based on the type of work it does and the data it stores for the DoD. Once issued, the CMMC certificate should be valid for 3 years.

The 5 CMMC levels are:

Level 1 – Basic Cyber Hygiene – This includes 17 controls covering very basic security such as using antivirus software, regular employee password changes, and employee cyber security training. This level is intended to protect Federal Contract Information (FCI).

Level 2 – Intermediate Cyber Hygiene – Includes 72 controls covering basic and moderate security, such as enabling audit trails, enforcing password complexity, routine maintenance for security patches, and documentation of practices. This level starts protecting Controlled Unclassified Information (CUI) and meets some NIST SP 800-171 r2 requirements.

Level 3 – Good Cyber Hygiene – Includes 130 controls covering basic through advanced security and proactive monitoring. A company must have an institutionalized management plan that includes all the security controls to protect CUI and fully meet NIST SP 800-171 r2 requirements.

Level 4 – Proactive – Includes 156 controls covering basic through advanced security, proactive monitoring, and proactive security management. A company must be proactive in measuring, detecting and defeating threats. It requires that a company can respond to APTs (advanced persistent threats) including their changing tactics, processes and capabilities.

Level 5 – Advanced/Progressive – Includes 171 controls covering basic through advanced security, proactive monitoring, and advanced security management. A company must be advanced, progressive and state of the art in cybersecurity at this level. This includes additional security controls that allow a company to detect and respond to changing APTs.

How will you know which level of CMMC is required? The DoD will specify the required CMMC level in each RFI and RFP.


In January 2020, the first full version of CMMC was released. At this stage, much of the rest of the timeline is still developing. But as of now, this is where the timeline stands:

  • June 2020 – the DoD will start posting CMMC requirements in RFIs
  • September 2020 – the DoD will start posting CMMC requirements in RFPs
  • 2021 – Contractors will need to get certified by a C3PAO in order to bid on work