Cybersecurity Maturity Model Certification Compliance

The primary goal of Cybersecurity Maturity Model Certification (CMMC) compliance is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD (Department of Defense) supply chain. The DoD’s definition of CUI refers to any information or data created or possessed by the government, or by another entity on the government’s behalf. The interpretation of data is broad here, and can take into account financial, legal, intelligence, infrastructure, export-control, or other information and data.

The CMMC framework incorporates the processes, practices, and approaches for the purpose of standardizing the assessment of a DoD vendor’s capabilities.

The requirements for CMMC compliance, broken into practices and processes, are dependent on the level of certification. Each certification level builds upon the requirements from the levels beneath it; for example, a level 3 certification would include the requirements for levels 1 and 2.

Here is a brief description of each certification level:

Level 1 demonstrates “Basic Cyber Hygiene” – DoD contractors who wish to pass an audit at this level must implement 17 controls of .

Level 2 demonstrates “Intermediate Cyber Hygiene” – Here, DoD contractors must implement another 48 controls of NIST 800-171 Rev1 plus seven new “Other” controls.

Level 3 demonstrates “Good Cyber Hygiene” – To achieve level 3 certification, the final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be implemented.

Level 4 demonstrates “Proactive” cybersecurity – In addition to the controls in levels 1 through 3, 11 more controls of  plus 15 new “Other” controls must be implemented.

Level 5 demonstrates “Advanced / Progressive” cybersecurity – To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls.

To achieve each certification level, contractors and vendors must meet the requirements for practices and processes associated with that level across 43 different capabilities spanning 17 capability domains.

The capability domains are as follows:

  • Access Control (AC)
  • Incident Response (IR)
  • Risk Management (RM)
  • Asset Management (AM)
  • Maintenance (MA)
  • Security Assessment (CA)
  • Awareness and Training (AT)
  • Media Protection (MP)
  • Situational Awareness (SA)
  • Audit and Accountability (AU)
  • Personnel Security (PS)
  • System and Communications Protection (SC)
  • Configuration Management (CM)
  • Physical Protection (PE)
  • System and Information Integrity (SI)
  • Identification and Authentication (IA)
  • Recovery (RE)