Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a consolidated standard for Department of Defense (DoD) contractors that collect, process, or store controlled unclassified information (CUI). The compliance standard is an evolution of the DFARS 252.204.7012 &
NIST 800-171 standards and is meant to protect the nation’s most sensitive data.
Designed to enhance the cybersecurity posture of the Defense Industrial Base (DIB), the framework combines several cybersecurity standards and best practices with controls mapped across several maturity levels. All government contractors will have to become CMMC Compliant by 2026 in order to continue doing business with the U.S. Government.
Our CMMC Services
As an independent audit firm, 360 Advanced can conduct a third-party assessment of your controls, helping you obtain your DoD cybersecurity certification. We offer:
CMMC Readiness Assessments
If you are new to federal cybersecurity and compliance requirements, we can help you determine which practices are in scope for your desired level of certification. The lower levels address practices from FAR clause 52.204-21; the higher levels address practices from NIST Special Publication 800-53, Special Publication 800-171B, and other relevant sources.
From there, we can conduct a gap analysis that evaluates your controls through the lens of the CMMC framework. Our auditors can help you identify areas of non-compliance, then create a prioritized action plan for remediation.
CMMC certificates are valid for 3 years. However, more frequent re-certification may be required for Level 4 and 5.
Who is Required to Have a CMMC?
Who is Required to Have a CMMC?
CMMC is mandatory for all organizations that do business with the United States Department of Defense, including non-federal contractors and sub-contractors.
Certification is required to be awarded a new – or maintain an existing – federal contract, although it will not be retroactively required for existing contracts or their option years.
Can I Self-Certify?
Certifications must be provided by an independent CMMC auditor, also known as a C3PAO. The CMMC Accreditation Board will not accept self-certification.
What are the Levels of the CMMC?
The CMMC covers five levels – each one covering a progressively higher number of practices and processes.
Organizations are encouraged to choose the maturity level that best supports their business goals, as well as their data processing activities. (For instance, organizations that do not store CUI on their networks may only need to comply with Level 1 or Level 2 requirements; organizations that store critical data related to infrastructure protection may need to comply with Level 4 or Level 5.) The lowest levels of certification are specifically designed to be cost-effective for smaller businesses, while the highest levels are designed to provide the highest level of assurance for larger enterprises.
The five levels are:
- Level 1 (Performed) – The organization performs 17 cybersecurity practices.
- Level 2 (Documented) – The organization performs 72 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy.
- Level 3 (Managed) – The organization performs 130 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities.
- Level 4 (Reviewed) – The organization performs 156 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities; activities are reviewed and measured for effectiveness. Results are shared with management.
- Level 5 (Optimized) – The organization performs 171 cybersecurity practices, and each of their cybersecurity practices are documented as a formal policy. They maintain and resource a plan to cover all relevant activities; activities are reviewed and measured for effectiveness. The organization maintains a standardized, documented approach across all applicable business units.
The higher an organization’s maturity level, the more deeply engrained cybersecurity processes they have in place. The more deeply engrained their cybersecurity measures, the more likely they can produce consistent, repeatable, and high-quality responses to various threats – and the more likely that the DoD can entrust them with confidential information.
If a federal contract requires a specific level of certification, it will be specified in the corresponding Requests for Information (RFIs) and Requests for Proposals (RFPs). The DoD will have access to each organization’s certification level, but this information will not be made public.
CMMC Capability Domains
What Are the CMMC Capability Domains?
The CMMC organizes processes and best practices into 17 domains:
- Access Control (AC)
- Asset Management (AM)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
CMMC vs NIST
The Difference Between CMMC & NIST 800-171
Under NIST 800-171, contractors are responsible for self attesting their compliance. Now, contractors must be assessed and certified by CMMC assessors. Under CMMS, DoD contractors will be audited every 1-3 years depending on the level of compliance achieved. This ensures contractors are taking cybersecurity seriously and lowers the risk of data loss.
When Will DoD Contractors Have to be Certified?
CMMC rollout is a phased approach over a 5 year period that started with the release of 10 RFIs and RFPs in 2020. The number of new contracts requiring CMMC certification will grow until all contracts require CMMC compliance in 2026. Contractors will have to meet CMMC compliance in order to to be awarded these contracts. Contractors will be able to bid on opportunities prior to becoming CMMC compliant, however, they will not be awarded the contract unless they meet the compliance requirement.
New to the Cybersecurity Maturity Model?
Learn more about the CMMC framework, requirements, and the certification process:
Learn More About CMMC Certification
Whether you’re a current federal contractor or looking to bid on your first DoD contract, 360 Advanced can help you navigate the world of cybersecurity and compliance. Our team has experience with a variety of federal frameworks – from NIST and DFARS to FISMA and FedRAMP – and can help you meet your organization’s unique requirements. For more information about CMMC certification, contact us today.