
Guide to Cybersecurity Maturity Model Certification (CMMC)

What Is It?

What is CMMC?

The Cybersecurity Maturity Model Certification is a cybersecurity compliance certification intended to protect the supply chain of the Department of Defense (DoD) and its vendors.

The CMMC was created by the DoD in response to rising malicious cyber activity that cost the U.S. economy between $57 billion and $109 billion in 2016. The DoD has issued the CMMC to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

In the DoD’s guide, these are defined as:

Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release.

Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The CMMC model takes its basic safeguarding requirements for FCI from Federal Acquisition Regulation (FAR) Clause 52.204-21 and its security requirements for CUI from NIST SP 800-171 as invoked by DFARS.

The Five Levels of CMMC

CMMC Levels Explained

The CMMC measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats.

These levels of certification are achieved by Processes and Practices as defined in the CMMC.


Level 1: Safeguard Federal Contract Information (FCI)

  • Processes: Performed
    Level 1 of CMMC requires an organization to perform specified practices. The organization may perform them as necessary without formal documentation.
  • Practices: Basic Cyber Hygiene
    Level 1 is primarily concerned with the protection of FCI and corresponds to the basic safeguarding requirements found in FAR 52.204-21, referenced above.

Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI.

  • Processes: Documented
    Process documentation ensures that the necessary security and hygiene practices are performed in a “repeatable manner”.
  • Practices: Intermediate Cyber Hygiene
    Level 2 serves as a transition stage between Levels 1 and 3 of CMMC. The practices required are a subset of NIST SP 800-171 together with practices from other standards. This stage begins to address the hygiene and security of CUI.

Level 3: Protect Controlled Unclassified Information

  • Processes: Managed
    Level 3 requires organizations to have resources devoted to the management of practice implementation.
  • Practices: Good Cyber Hygiene
    Level 3 of CMMC focuses on the protection of CUI. It encompasses NIST SP 800-171 as well as other standards for threat mitigation. DFARS contains additional requirements beyond NIST SP 800-171, such as incident reporting.

Level 4: Protect CUI and reduce risk of Advanced Persistent Threats

  • Processes: Reviewed
    Level 4 requires an organization to review its practices for effectiveness and to inform higher-level management of status and issues on a periodic basis.
  • Practices: Proactive
    Level 4 practices focus on protecting CUI from Advanced Persistent Threats (APTs). They draw on NIST SP 800-171B and include enhanced detection and response capabilities.

Level 5: Protect CUI and reduce risk of Advanced Persistent Threats

  • Processes: Optimizing
    Level 5 requires an organization to take corrective action towards improving process implementation across the organization.
  • Practices: Advanced/Proactive
    Level 5 increases the depth and sophistication of cybersecurity capabilities.

CMMC Domains

CMMC consists of 17 domains, the majority of which originate from the Federal Information Processing Standards (FIPS) and NIST SP 800-171. CMMC adds three domains that are not included in those standards.

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

CMMC assigns 173 practices across these 17 domains and distributes them among the five levels accordingly.

Our Approach

Our 4-Step Approach to IT Compliance

1. Compliance Audit

Our team conducts a series of interviews and a network audit to determine data access and usage.

2. Gap Analysis

A gap analysis identifies the missing pieces necessary to achieve compliance.

3. Remediation Plan

A remediation plan is put forth and executed with action steps towards compliance based on priority level.

4. Management

ITonDemand then monitors system usage and provides the service and support to maintain compliance.

Compliance In Action

Florida Manufacturing Firm

A small north Florida firm manufactures close-tolerance CNC machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications remained secure while the organization's infrastructure was brought into, and maintained at, NIST compliance.

Contact Us For Support


Need More From Your IT Services Provider?

ITonDemand is a division of eResources: your expert partner in digital transformation and growth, providing IT services, software development, marketing and branding. Learn more about the benefits of a vertically-integrated IT services partner.