Cybersecurity Maturity Model Certification Version 1.0 (CMMC V1.0)
What is CMMC?
CMMC is a unified cybersecurity standard and certification
program for all U.S. Department of Defense (DoD)
contractors. On January 31, 2020, DoD’s Office of the Under
Secretary of Defense for Acquisition & Sustainment
(OUSD(A&S)) released CMMC v1.0. DoD intends to continuously
update the model to adjust to evolving threats.
Who is subject to CMMC?
All U.S. DoD contractors and subcontractors, including
commercial item contractors, are subject to CMMC. Currently the
model is limited to DoD, but it may be adopted by other U.S.
civilian agencies in the future.
Is compliance with current DoD cybersecurity standards
No, CMMC is a new standard that builds upon and goes beyond the
current DoD requirements such as National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171, Protecting
Controlled Unclassified Information in Nonfederal Systems and
Organizations, and DFARS 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting. CMMC combines various
standards, including NIST SP 800-171, NIST SP 800-171B, NIST SP
800-53, and others.
What are the model’s key features?
CMMC measures cybersecurity maturity with 5
levels that align a set of 5 maturity
processes and 171 cybersecurity best practices
with the type of information to be protected and the associated
range of threats. These 5 processes and 171 practices are organized
into a set of 17 domains. The 171 practices are
also aligned to a set of 43 capabilities within
The CMMC levels and the associated sets of processes and
practices across domains are cumulative. In order to achieve a
specific level, a contractor must also demonstrate achievement of
any preceding lower level(s).
The 5 levels measure cybersecurity maturity
The 17 domains are sets of capabilities that are based on
cybersecurity best practices. Each domain is assessed for practice
and process maturity across the 5 defined levels. In addition to
the security families from NIST publications, CMMC includes its own
unique domains, including Asset Management (AM), Recovery (RE), and
Situational Awareness (SA).
The 43 capabilities are achievements that ensure cybersecurity
objectives are met within each domain, i.e., each domain
comprises a set of capabilities. Capabilities are met through
the employment of practices and processes.
The 5 processes measure a contractor’s process maturity
(i.e., institutionalization) spanning Maturity Levels 2-4:
Process institutionalization provides additional assurances that
the practices associated with each level are implemented
The 171 cybersecurity best practices measure a contractor’s
technical capabilities. They are derived from multiple
cybersecurity standards, frameworks, and other references.