What is CMMC?

CMMC is a unified cybersecurity standard and certification program for all U.S. Department of Defense (DoD) contractors. On January 31, 2020, DoD's Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) released CMMC v1.0. DoD intends to continuously update the model to adjust to evolving threats.

Who is subject to CMMC?

All U.S. DoD contractors and subcontractors, including commercial item contractors, are subject to CMMC. Currently the model is limited to DoD-only, but may be adopted by other U.S. civilian agencies in the future.

Is compliance with current DoD cybersecurity standards enough?

No, CMMC is a new standard that builds upon and goes beyond the current DoD requirements such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. CMMC combines various standards, including NIST SP 800-171, NIST SP 800-171B, NIST SP 800-53, and others.

What are the model's key features?

CMMC measures cybersecurity maturity with 5 levels that align a set of 5 maturity processes and 171 cybersecurity best practices with the type of information to be protected and the associated range of threats. These 5 processes and 171 practices are organized into a set of 17 domains. The 171 practices are also aligned to a set of 43 capabilities within each domain.

The CMMC levels and the associated sets of processes and practices across domains are cumulative. In order to achieve a specific level, a contractor must also demonstrate achievement of any preceding lower level(s).


The 5 levels measure cybersecurity maturity



The 17 domains are sets of capabilities that are based on cybersecurity best practices. Each domain is assessed for practice and process maturity across the 5 defined levels. In addition to the security families from NIST publications, CMMC includes its own unique domains, including Asset Management (AM), Recovery (RE), and Situational Awareness (SA).


The 43 capabilities are achievements to ensure cybersecurity objectives are met within each domain, e.g., each domain is comprised of a set of capabilities. Capabilities are met through the employment of practices and processes.


The 5 processes measure a contractor's process maturity (i.e., institutionalization) spanning Maturity Levels 2-4:


Process institutionalization provides additional assurances that the practices associated with each level are implemented effectively.


The 171 cybersecurity best practices measure a contractor's technical capabilities. They are derived from multiple cybersecurity standards, frameworks, and other references.


To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.