Cybersecurity Maturity Model Certification Explained

Michael Hickins | Senior Writer | March 3, 2025

The US Department of Defense has created a tiered cybersecurity readiness model to ensure that contractors and subcontractors meet designated security standards and can protect sensitive or nonpublic information with which they come into contact through their work with the agency. This framework replaces a previous set of practices that were poorly defined and often not enforced.

What Is Cybersecurity Maturity Model Certification (CMMC)?

Cybersecurity Maturity Model Certification is a program designed by the US Department of Defense (DoD) to help assess the cybersecurity readiness of contractors and subcontractors it does business with. The program is intended to ensure that controlled unclassified information the DoD shares with those companies (sometimes referred to as the defense industrial base, or DIB) remains secure. While cloud service providers are certainly part of this security assessment, it’s the contractors themselves, and not the CSPs, that need to apply for this certification.

Key Takeaways:

  • Contractors and subcontractors seeking to do business with the DoD need to certify that they meet cybersecurity criteria defined by the US National Institute of Standards and Technology (NIST).
  • The DoD will direct businesses to one of three levels of cybersecurity certification, depending on the sensitivity of the data to which they would have access when carrying out the contracts for which they’re bidding.
  • Cloud service providers can help their customers attain these cybersecurity levels, but the certifications are required for the contractors themselves, not for their cloud service providers.

Cybersecurity Maturity Model Certification Explained

CMMC allows companies doing business with the DoD to demonstrate that their cybersecurity practices meet standards published by the National Institute of Standards and Technology (NIST). The standards, published as NIST Special Publication 800-171 and NIST Special Publication 800-172, relate to the protection of controlled unclassified information (CUI), which can include the names of DoD personnel and the types of materials used in the manufacture of certain arms or explosives. While not classified, this type of information is nevertheless sensitive in nature, and efforts must be made to keep it confidential. That is the purpose of the CMMC framework.

Enforcement of these standards has been phased in gradually thus far. However, companies should expect new DoD contracts to stipulate adherence to these standards going forward.

CMMC distinguishes three distinct levels of preparedness for which companies can apply:

  • Level 1 - Companies can self-certify for this classification.
  • Level 2 - Companies achieve this by passing an assessment conducted by a CMMC third-party assessment organization (C3PAO). For some contracts, the DoD permits a Level 2 self-assessment instead; the solicitation specifies which is required.
  • Level 3 - Companies can attain this by passing a C3PAO audit followed by a government audit conducted by a designated defense industrial base cybersecurity assessment center (DIBCAC).

Companies achieving CMMC certification must affirm their continued compliance annually (at Level 1, this annual self-assessment and affirmation is the entire process) and, at Levels 2 and 3, must be reassessed every three years to ensure that they maintain appropriate security practices.

Contractors and subcontractors should apply for the highest level of certification they think they will need going forward—not just for a particular contract—with the understanding that achieving certain levels will entail ongoing auditing costs.

What Is the Cybersecurity Maturity Model Certification Framework?

While CMMC is the certification itself, meant to ensure that contractors maintain appropriate cybersecurity practices, the CMMC framework is the structure of required controls, levels, and assessment standards, drawn from the NIST publications. NIST Special Publication 800-171 supplies the requirements for Level 2 certification, and NIST Special Publication 800-172 supplies the additional requirements for Level 3 certification. Level 1, achieved through self-assessment, includes 15 CMMC security requirements, which map to 17 NIST SP 800-171 controls; Level 2 requires all 110 requirements of NIST SP 800-171; and Level 3 requires 134 (the 110 from Level 2 plus 24 from NIST SP 800-172).

Features of CMMC

The CMMC framework, explained in this blog post, was developed by the DoD to help ensure that the contractors and subcontractors it works with comply with designated cybersecurity best practices. The framework's security controls cover technology (systems and software), people, and organizational processes. They also share the following characteristics:

  • The controls fall under a tiered model. DoD contractors and subcontractors will be directed to attain a particular certification level based on the type of work they wish to bid on. For Level 1 certification, companies can self-certify. For Level 2, they must use an accredited auditor for certification. For Level 3, companies must get certified by both a C3PAO and a designated assessment center managed by the US federal government.
  • They’re based on NIST standards. Specifically, the framework’s controls are drawn from NIST Special Publication 800-171 and NIST Special Publication 800-172. What CMMC adds is verification: under the earlier DFARS regime, contractors merely self-attested to these requirements, and that attestation was rarely checked.
  • They require ongoing compliance. CMMC isn’t a one-and-done qualification. It requires ongoing certification (either through self-certification or through a C3PAO) to ensure compliance with framework security controls.

Levels of CMMC

The first version of CMMC included five tiers, while the current CMMC framework provides a more simplified cybersecurity assessment model of three tiers, described below.

  • Level 1: This level includes 15 security requirements (which map to 17 NIST controls) for self-assessment. It’s intended to protect information contained in federal contracts that “is not intended for public release” but “that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” (This is also known as federal contract information.) As an example of the type of control required for Level 1, businesses need to self-certify that they use basic controls to limit access to internal and external computer systems. Companies that achieve Level 1 certification are required to annually self-assess and recertify their adherence to the standard.
  • Level 2: This level specifies 110 security controls with which DoD contractors and subcontractors must comply, as certified by a C3PAO (or, where the contract allows it, by self-assessment). This level is intended to safeguard Controlled Unclassified Information (CUI), that is, information generated either by the government or by the contractor or subcontractor while performing the contracted work. For this level of certification, contractors or subcontractors have to demonstrate stronger access control than is required at Level 1. For instance, NIST SP 800-171 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, and it requires that duties be separated so that no single individual can carry out a sensitive operation end to end without oversight. To maintain Level 2 certification, contractors must affirm compliance annually and submit to reassessment every three years.
  • Level 3: This level includes 134 security controls (the same 110 controls required for Level 2, plus 24 additional requirements drawn from NIST SP 800-172). A contractor must first hold a Level 2 certification from a C3PAO; the additional requirements are then assessed by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with annual affirmation in between. This security level is intended to safeguard the same types of information as Level 2, but with a higher level of protection against advanced persistent threats. For example, Level 3 entails a higher degree of monitoring for specific cybersecurity threats and threat events, and NIST SP 800-172 requires dual authorization (approval by two separate individuals) before critical or significant system operations can be executed.

How to Implement CMMC in 10 Steps

Contractors and subcontractors doing business with the DoD need to obtain one of three certifications in order to bid on new contracts. If you’re about to embark upon this process, the following steps can help you get there:

  1. Decide which level of certification you’ll need. Base your decision on how frequently and to what degree of sensitivity you expect to keep doing business with the DoD, not just on a given contract. For example, if you’re bidding on a contract with low levels of sensitive information, Level 1 may be enough, but you might want to aim higher in case you ever want to bid on contracts that require access to more sensitive information.
  2. Once you’ve chosen the appropriate certification level, familiarize yourself with all of the required controls and processes for that level (see above).
  3. Assess your current level of cybersecurity preparedness, identifying what additional processes and controls you’ll need to attain certification.
  4. Develop and implement the additional processes and controls required for the certification level you want to achieve.
  5. Evaluate your new processes and controls against certification standards and requirements.
  6. Evaluate the controls and processes of contractors and technology vendors with which you do business, including cloud service providers. Determine whether these partners hold relevant authorizations such as FedRAMP (cloud services that store or process CUI are expected to meet at least the FedRAMP Moderate baseline, or its equivalent). Inheriting controls from an authorized provider can go a long way toward helping you achieve your desired certification level, but you remain responsible for the controls you own or share with the provider.
  7. If you think that your processes and controls are at the required level, either self-certify for Level 1 certification or start vetting accredited C3PAOs if you plan to apply for Level 2 certification.
  8. To achieve Level 2 certification, engage a qualified C3PAO to conduct an assessment of your organization. If you plan to apply for Level 3 certification, you must first pass this Level 2 assessment, then undergo the additional DIBCAC assessment conducted by the DoD.
  9. Stay up to date with changing requirements as they occur.
  10. Reaffirm your organization’s compliance with these standards annually. For Level 2 and Level 3, be prepared to undergo evaluations for recertification every three years.

History of CMMC

Before the establishment of CMMC, DoD contractors and subcontractors demonstrated compliance by self-attesting under the Defense Federal Acquisition Regulation Supplement (DFARS), a regime that wasn’t well understood by stakeholders or strictly enforced. Contractors found it difficult to meet DoD requirements because there wasn’t a unified DoD policy, different agencies applied different standards, and the applicability of various requirements could be unclear.

First announced in 2019, CMMC was established to make it easier to conduct business with the DoD. Originally including five certification tiers, it has since been simplified to the current three tiers. CMMC 2.0 was announced in November 2021, the CMMC 2.0 rulemaking process began in 2023, and the final program rule was published on October 15, 2024.

How to Stay Compliant

No matter which CMMC level you apply for, you’ll have to affirm compliance on a regular basis. For Level 1 certification, you’ll need to self-assess annually and affirm that your business remains compliant with the appropriate controls and procedures set forth by the NIST standard. If your business has been certified at Level 2, you’ll need to affirm compliance annually and be reassessed by a C3PAO every three years. For Level 3, you’ll need a current Level 2 C3PAO certification and a new DIBCAC assessment every three years, again with annual affirmations in between.

Take a Faster Path to CMMC with OCI Government Cloud

Oracle Cloud for Government is an Oracle Cloud Infrastructure (OCI) offering that helps businesses within the defense industrial base comply with CMMC. Oracle’s government cloud offering includes tools to help defense contractors and their partners manage the CMMC controls they own or share with OCI. This includes a Core Landing Zone that allows contractors to deploy preconfigured cloud native services that help meet many CMMC requirements in a matter of hours. This offering also includes informational guides for CMMC Level 1 and Level 2 compliance.

Cybersecurity Maturity Model Certification FAQs

How do I get a CMMC certificate?
You can self-assess and self-certify if all you need is Level 1 certification. If you need Level 2 certification, you must submit to a cybersecurity evaluation by an independent organization, known as a C3PAO. If you require Level 3 certification, you must first get certified by a C3PAO and then undergo further review by a DIBCAC.

What is Level 3 certified cybersecurity maturity model?
Level 3 is the highest of the three CMMC levels. The DoD requires it only for contracts involving the most sensitive controlled unclassified information, where protection against advanced persistent threats is needed.

How are CMMC requirements determined?
The CMMC framework is based on standards defined by the National Institute of Standards and Technology (NIST).
