Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a consolidated standard for Department of Defense (DOD) contractors that collect, process, or store controlled unclassified information (CUI). Designed to enhance the cybersecurity posture of the Defense Industrial Base (DIB), the framework combines several cybersecurity standards and best practices, with controls mapped across several maturity levels.

Our CMMC Services

As an independent audit firm, 360 Advanced can conduct a third-party assessment of your controls, helping you obtain your DoD cybersecurity certification. We offer:

CMMC Readiness Assessments

If you are new to federal cybersecurity and compliance requirements, we can help you determine which practices are in scope for your desired level of certification. The lower levels address practices from FAR clause 52.204-21; the higher levels address practices from NIST Special Publication 800-53, Special Publication 800-171B, and other relevant sources.

From there, we can conduct a gap analysis that evaluates your controls through the lens of the CMMC framework. Our auditors can help you identify areas of non-compliance, then create a prioritized action plan for remediation.

CMMC certificates are valid for 3 years. However, more frequent re-certification may be required for Level 4 and 5.

Who is Required to Have a CMMC?

CMMC is mandatory for all organizations that do business with the United States Department of Defense, including non-federal contractors and sub-contractors.

Certification is required to be awarded a new – or maintain an existing – federal contract, although it will not be retroactively required for existing contracts or their option years.

Can I Self-Certify?

Certifications must be provided by an independent CMMC auditor, also known as a C3PAO. The CMMC Accreditation Board will not accept self-certification.

What are the Levels of the CMMC?

The CMMC covers five levels – each one covering a progressively higher number of practices and processes.

Organizations are encouraged to choose the maturity level that best supports their business goals, as well as their data processing activities. (For instance, organizations that do not store CUI on their networks may only need to comply with Level 1 or Level 2 requirements; organizations that store critical data related to infrastructure protection may need to comply with Level 4 or Level 5.) The lowest levels of certification are specifically designed to be cost-effective for smaller businesses, while the highest levels are designed to provide the highest level of assurance for larger enterprises.

The five levels are:

  • Level 1 (Performed) – The organization performs 17 cybersecurity practices.
  • Level 2 (Documented) – The organization performs 72 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy.
  • Level 3 (Managed) – The organization performs 130 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities.
  • Level 4 (Reviewed) – The organization performs 156 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities; activities are reviewed and measured for effectiveness. Results are shared with management.
  • Level 5 (Optimized) – The organization performs 171 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities; activities are reviewed and measured for effectiveness. The organization maintains a standardized, documented approach across all applicable business units.

The higher an organization’s maturity level, the more deeply engrained cybersecurity processes they have in place. The more deeply engrained their cybersecurity measures, the more likely they can produce consistent, repeatable, and high-quality responses to various threats – and the more likely that the DoD can entrust them with confidential information.

If a federal contract requires a specific level of certification, it will be specified in the corresponding Requests for Information (RFIs) and Requests for Proposals (RFPs). The DoD will have access to each organization’s certification level, but this information will not be made public.

What Are the CMMC Capability Domains?

The CMMC organizes processes and best practices into 17 domains:

  • Access Control (AC)
  • Asset Management (AM)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

New to the Cybersecurity Maturity Model?

Learn more about the CMMC framework, requirements, and the certification process:

Learn More About CMMC Certification

Whether you’re a current federal contractor or looking to bid on your first DoD contract, 360 Advanced can help you navigate the world of cybersecurity and compliance. Our team has experience with a variety of federal frameworks – from NIST and DFARS to FISMA and FedRAMP – and can help you meet your organization’s unique requirements. For more information about CMMC certification, contact us today.