Cybersecurity Maturity Model Certification Compliance

The primary goal of Cybersecurity Maturity Model Certification (CMMC) compliance is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD (Department of Defense) supply chain. The DoD’s definition of CUI covers any information or data created or possessed by the government, or by another entity on the government’s behalf. The interpretation of data is broad here, and can take in financial, legal, intelligence, infrastructure, export-control, or other information and data.

The CMMC framework incorporates the processes, practices, and approaches for the purpose of standardizing the assessment of a DoD vendor’s capabilities. 

The requirements for CMMC compliance, broken into practices and processes, are dependent on the level of certification. Each certification level builds upon the requirements from levels beneath it; for example, a level 3 certification would include requirements for levels 1 and 2. 

Here is a brief description of each certification level:

Level 1 demonstrates “Basic Cyber Hygiene” – DoD contractors who wish to pass an audit at this level must implement 17 controls of NIST 800-171 Rev1.

Level 2 demonstrates “Intermediate Cyber Hygiene” – Here, DoD contractors must implement another 48 controls of NIST 800-171 Rev1 plus seven new “Other” controls.

Level 3 demonstrates “Good Cyber Hygiene” – To achieve level 3 certification, the final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be implemented.

Level 4 demonstrates “Proactive” cybersecurity – In addition to the controls in levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented.

Level 5 demonstrates “Advanced / Progressive” cybersecurity – To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls.

To achieve each certification level, contractors and vendors must meet the requirements for practices and processes associated with that level across 43 different capabilities spanning 17 capability domains.

The capability domains are as follows:

  • Access Control (AC)
  • Incident Response (IR)
  • Risk Management (RM)
  • Asset Management (AM)
  • Maintenance (MA)
  • Security Assessment (CA)
  • Awareness and Training (AT)
  • Media Protection (MP)
  • Situational Awareness (SA)
  • Audit and Accountability (AU)
  • Personnel Security (PS)
  • System and Communications Protection (SC)
  • Configuration Management (CM)
  • Physical Protection (PE)
  • System and Information Integrity (SI)
  • Identification and Authentication (IA)
  • Recovery (RE)