What is Cybersecurity Maturity Model Certification?

Cybersecurity Maturity Model Certification (CMMC) Definition

Cybersecurity Maturity Model Certification (CMMC) is a unified standard and model designed to ensure that U.S. Department of Defense (DoD) contractors and subcontractors safeguard sensitive data, including federal contract information (FCI) and controlled unclassified information (CUI).

The objective of the CMMC is to improve the security of sensitive data within the Defense Industrial Base (DIB) and its supply chain. As the complexity and frequency of cyber threats continue to increase, this strategy is crucial for national security.

In November 2021, the DoD released CMMC 2.0. It encompasses the DIB security responsibilities for safeguarding CUI per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

CMMC 2.0 comprises three levels:

  1. Level 1 (Basic): Applies to companies with FCI only; information requires protection, but is not critical to national security; requires 17 basic cybersecurity practices
  2. Level 2 (Advanced): Applies to companies with CUI, controlled technical information (CTI), or export-controlled data (e.g., ITAR, EAR); requires the 110 security controls from NIST SP 800-171r2; may require third-party or self-assessments, depending on the type of information
  3. Level 3 (Expert): Applies to the highest priority programs with CUI; uses a subset of NIST SP 800-172; requires assessment by government officials

Organizations seeking CMMC 2.0 certification must implement the necessary security controls and obtain a third-party assessment (if applicable). The level of certification is dependent on the sensitivity of the information handled by the contractor. Overall, CMMC represents a significant advance in the defense industry’s efforts to strengthen its cybersecurity practices.
