The government is once again stepping up its cybersecurity measures. This time, however, the measures cover not only the cybersecurity of its own departments and offices, but also that of the companies doing business with the government. Certification under the Cybersecurity Maturity Model Certification (CMMC) is now a requirement for contractors (primes) and subcontractors (sub-primes) doing business with the Defense Industrial Base (DIB).
The certification was first announced on January 31, 2020. CMMC is expected to become a requirement for all proposals to the DIB at the beginning of 2026. As of this writing, however, the Department of Defense (DoD) has been issuing only limited requests for information that contain CMMC specifications.
Rationale Behind CMMC
The DIB sector consists of more than 300,000 companies that support the warfighter and play important roles in the research, engineering, development, acquisition, production, delivery, sustainment, and operation of DoD systems, networks, installations, capabilities, and services.
Given the sophistication, complexity, and sensitivity of the information the DIB uses in its operations, CMMC aims to protect the DIB sector and the DoD supply chain (primes and sub-primes) from malicious cyber actors who have persistently targeted these organizations to acquire intellectual property and sensitive information. If these attackers succeed, they could undercut the technological advantages of the U.S. and pose a great risk to national security.
Cybersecurity Maturity Model Certification – Simplified
CMMC aims to protect two types of unclassified information, namely, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Controlled Unclassified Information (CUI): information that is considered unclassified (under the Atomic Energy Act, as amended) but requires safeguarding or dissemination controls.
- Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
The new rules add certification as a requirement for companies, to ensure that their processes and practices are in accordance with the cybersecurity maturity model.
When a DIB contractor or subcontractor is certified in accordance with CMMC, it means that it meets the required capabilities, readiness, and sophistication in cybersecurity at a level commensurate with the risk. A DIB contractor may request to certify its entire enterprise, or only the particular segment of it where the information that needs protection is stored and handled.
- Maturity Model
  - A cluster of characteristics, attributes, indications, or patterns that represent the capability to adhere to a certain level of cybersecurity. It provides a benchmark that contractors and subcontractors can follow if they want to achieve a higher level of certification. (see Figure 1)
- Domains
  - Domains are one of the 5 components of the Cybersecurity Maturity Model Certification, namely Domains, Processes, Capabilities, Practices, and Certification.
  - There are 17 domains under CMMC. Each domain is a cluster of Processes and Practices (grouped into Capabilities). (see Figure 2)
- Capabilities
  - There are 43 capabilities under CMMC. Capabilities are groups of practices classified within a domain alongside the processes. (see Figure 2)
- Processes and Practices
  - These are the measures, activities, or parameters that must be complied with to achieve a certain level of cybersecurity certification. Adherence to these processes and practices is the basis on which an organization is certified. (see Figures 3 to 7)
  - Being granted a certification means that an organization is able to perform the practices and processes at a certain level of maturity. There are five (5) levels of certification under CMMC. (see Figures 3 to 7)
- CMMC Accreditation Body (AB)
  - An independent, non-profit organization created by the DoD to accredit Third Party Assessment Organizations (3PAOs).
The table below shows the 5 levels of certification and their respective standards for processes and practices, as well as the focus of each level.
The next table lists the 17 domains included under CMMC, their abbreviations, and the capabilities clustered under each domain.
These are the important details you need to know about the Cybersecurity Maturity Model Certification. So far, we have discussed the terminology, the levels of certification, and the rationale behind the need for certification.
This is a two-part article. In the second part, we will discuss each CMMC level and the respective domains and processes a company must comply with to achieve certification at each level.
Here’s the second part: CMMC Requirements Per Level – Complete Guide.
Concerned about the security systems and practices of your company? CyberLife can help. We can do a comprehensive Cyber Security Audit of your organization to jumpstart your compliance with the CMMC certification.
Email us at email@example.com or give us a call at 424.349.3848.