CMMC - a US Federal Maturity Model

A maturity model is defined as a set of best practices that an organization will follow to ensure a certain level of security. This model system has been introduced as a solution to limit the damage related to cybercrimes, which are increasing exponentially around the world and becoming ever more sophisticated.

The DoD entrusts contractors and sub-contractors with sensitive information and needs to ensure appropriate security measures are in place. To bid on federal contracts, organizations must be prepared to meet these cybersecurity measures.

Though CMMC certification may be difficult for small contractors or companies to achieve, it serves important national interests and represents an investment in security hardening throughout the DoD supply chain.

How Many Maturity Levels Are There?

The DoD will label contracts with the required level of CMMC certification. No CMMC certification is required if your firm deals only with public information. There are 3 levels:

• Level 1– Foundational: involves FCI not for public release. Matches 15 controls from FAR 52.204-21 “basic” controls. Annual certifications and self-assessments are completed by company leadership.
• Level 2– Advanced: involves dealing with CUI. Aligns with 110 NIST 800-171 controls. Annual self-assessments and triennial reviews by a Certified Third-Party Assessor Organization (C3PAO).
• Level 3– Expert: involves dealing with CUI. Aligns with 110 NIST 800-171 controls and 24 NIST 800-172 controls. Requires triennial, government-led assessments.

If contractors are not certified with the appropriate CMMC level, they will not be able to bid on DoD projects. The main question becomes, which level of certification is needed? It largely depends on the information the organization will handle – public, FCI, or CUI.

How to Achieve Level 2 CMMC Certification

The DoD is conducting a slow rollout for CMMC. New contracts will be issued with CMMC requirements. The DoD expects all contractors and sub-contractors to be at least Level 1 compliant by January 2026.

There are over 350,000 Defense Industrial Base firms that will be subject to CMMC certification at some level. The DoD estimates that most contractors will need Level 2 CMMC certification, with a minority needing Level 3 (which must be certified directly by government assessors).

There is a 7-step process commonly used to achieve Level 2 CMMC certification:

1. Assess and Implement Information Security Workflows: the first step is to self-assess and then develop a security plan that complies with NIST 800-171 standards.
2. Improve Workflows and Submit Scores: develop a scoring system with a maximum score of 110, to ensure target compliance. Once this is done, submit those scores to the Supplier Performance Risk System (SPRS)
3. Check for Scope: it could be for a program enclave, enterprise or organization unit. The CMMC has released compliance assessment guides.
4. Preliminary Gap Assesssment (Optional): An external party can help with security assessments, identify any issues, and develop solutions to address them promptly.
5. Choose a C3PAO: Utilize the CMMC-AB Marketplace to identify a C3PAO to schedule your CMMC assessment.
6. CMMC Assessment: Certification assessment is done in 4 phases; if your request is approved, a 90-day time period is allotted to address any and all shortfalls identified.
7. Certification: the CMMC-AB reviews assessments made by the C3PAO and comes to a decision. If you pass, your organization is awarded a 3-year CMMC certification.