Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a verification framework mandated by the U.S. Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain.
Compliance is a required condition for DoD contract awards.
The CMMC framework comprises three tiers with increasing security requirements, ranging from foundational (Level 1) to expert (Level 3).
- Level 1 (Foundational): Requires annual self-assessments based on 15 basic cyber hygiene practices.Level
- 2 (Advanced): Protects CUI by aligning with 110 requirements from NIST SP 800-171, requiring assessments by C3PAOs or self-assessment depending on the contract.Level
- 3 (Expert): Incorporates advanced NIST SP 800-172 requirements for critical programs, with assessments performed by the DoD's DIBCAC.Timeline and ComplianceCMMC requirements are being phased into DoD contracts over four stages, starting with Level 1/2 self-assessments and building toward mandatory third-party certifications for all applicable contracts. To prepare, contractors should determine their required level, assess current security, register results in the Supplier Performance Risk System (SPRS), and ensure flowdown to subcontractors.