CMMC (Cybersecurity Maturity Model Certification)

What is CMMC (Cybersecurity Maturity Model Certification)?

Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD) program for verifying that contractors in the Defense Industrial Base (DIB) actually implement the safeguards required for two categories of sensitive unclassified information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is a contract eligibility requirement, not an optional credential: a contractor must hold the CMMC status named in the solicitation before it can be awarded that contract. Achieving and then maintaining the required status is how a contractor demonstrates, in an auditable way, that government data in its systems is protected.

Definition

CMMC was developed by the DoD because years of contractual self-attestation against NIST SP 800-171 produced little evidence that the controls were actually in place. CMMC does not replace NIST SP 800-171; it adds an assessment and affirmation layer on top of requirements contractors already accept by contract. The current program (CMMC 2.0, codified at 32 CFR Part 170) defines three levels. Level 1 covers FCI and consists of the 15 basic safeguarding requirements in FAR 52.204-21, verified by an annual self-assessment. Level 2 covers CUI and consists of the 110 security requirements in NIST SP 800-171; depending on what the contract specifies, it is verified either by a self-assessment every three years or by a certification assessment every three years performed by an accredited CMMC Third-Party Assessment Organization (C3PAO). Level 3 adds 24 requirements drawn from NIST SP 800-172 for the most sensitive programs and is assessed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), after the contractor has first obtained a Level 2 C3PAO certification. At every level a senior company official must also submit an annual affirmation of continued compliance, and results are recorded in the Supplier Performance Risk System (SPRS). The required level is set by the type and sensitivity of the information a contractor will handle under a given DoD contract, and a contractor without the required status recorded in SPRS at time of award is ineligible for that contract.

Key Points

  • Built on Existing Requirements: CMMC introduces no new controls of its own. Each level maps to requirements contractors already face: FAR 52.204-21 (Level 1), NIST SP 800-171 (Level 2), and NIST SP 800-172 (Level 3).
  • Independent Verification: Level 2 contracts that call for certification are assessed by accredited C3PAOs, and Level 3 by DIBCAC. Level 1 and self-assessment Level 2 contracts remain self-assessed, but now with an annual affirmation by a senior official that carries False Claims Act exposure if it is untrue.
  • Three Tiered Levels: Levels 1, 2 and 3 scale the assessment burden to the sensitivity of the information handled, so a vendor that only touches FCI is not held to the CUI control set.
  • Contract Requirement: CMMC is being phased into DoD solicitations through DFARS clause 252.204-7021, and the required status must be in SPRS at time of award, so it directly affects eligibility and award decisions.

Practical Examples

  1. Responding to an RFP: When a DoD Request for Proposal (RFP) names a CMMC level, the offeror must have that status recorded in SPRS by the time of award; a promise to reach it later is not sufficient. The one accommodation is a Conditional status for Level 2 or 3, which allows a limited Plan of Action and Milestones (POA&M) for non-critical requirements, provided the open items are closed out within 180 days or the status lapses.
  2. Flow-Down Requirements: A prime contractor must flow the CMMC requirement down to every subcontractor that will receive FCI or CUI under the contract, at the level appropriate to the information that subcontractor actually handles. A subcontractor that only receives FCI needs Level 1 even if the prime is certified at Level 2, and the prime is responsible for confirming each subcontractor's status before sharing the information.
  3. Choosing a C3PAO: Verify the organization's accreditation through the Cyber AB (the CMMC Accreditation Body), confirm that its assessors are certified for the level you need, and check for conflicts of interest: an organization that helped you design or remediate your environment is not permitted to assess it. Ask how the C3PAO scopes an assessment and what evidence it expects for each requirement so you can prepare artifacts in advance rather than during the engagement.

Frequently Asked Questions

Who needs CMMC?

Any DoD contractor or subcontractor that stores, processes or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a contract containing the CMMC clause will need a CMMC status at some level. Handling only FCI means Level 1, which is a self-assessment rather than a third-party certification; handling CUI means Level 2, assessed either by self-assessment or by a C3PAO as the contract specifies; a small number of contracts involving the most sensitive CUI require Level 3. Contractors that sell only commercially available off-the-shelf (COTS) items and receive no FCI or CUI are outside the program.
