The Cybersecurity Maturity Model Certification (CMMC) program was initiated by the United States Department of Defense (DoD). It aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The framework draws on processes, other frameworks, and inputs from cybersecurity standards such as NIST, FAR, and DFARS.
The certification's primary purpose is to safeguard the Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that federal contractors possess and use. DoD originally announced the CMMC program on January 31, 2020, and revised it in November 2021.
The latest version is CMMC 2.0.
Who is it for?
CMMC compliance is a mandatory requirement for any company that is a part of the Defense Industrial Base and related to the Defense Supply Chain. In simple terms, the two candidates for CMMC are:
Prime Contractors working with Government
Subcontractors working with Primes
CMMC 1.0
Level 1 - Basic Cyber Hygiene: The DoD contractor must comply with 17 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21.
Level 2 - Intermediate Cyber Hygiene: The DoD contractor must comply with 48 additional controls from NIST 800-171, as well as an additional 7 "Other" practices.
Level 3 - Good Cyber Hygiene: The DoD contractor must comply with all practices from NIST 800-171B as well as an additional 20 "Other" practices.
Level 4 - Proactive: The DoD contractor must comply with 11 controls from Draft NIST 800-171B as well as an additional 15 "Other" practices.
Level 5 - Advanced or Progressive: The DoD contractor must comply with the final 4 practices from Draft NIST 800-171B as well as an additional 11 "Other" practices.
CMMC 2.0
Level 1 - Basic Cyber Hygiene: The DoD contractor must comply with 17 practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21.
Level 2 - Good Cyber Hygiene: The DoD contractor must comply with all practices from NIST 800-171B as well as an additional 20 "Other" practices.
Level 3 - Advanced or Progressive: The DoD contractor must comply with the final 4 practices from Draft NIST 800-171B as well as an additional 11 "Other" practices.
CMMC Model 1.0
Level 5 - Advanced: CUI, critical programs
Level 4 - Proactive: transition level
Level 3 - Good: CUI
Level 2 - Intermediate: transition level
Level 1 - Basic: FCI only
CMMC Model 2.0 (model and assessment)
Level 3 - Expert: 110+ practices based on NIST SP 800-172; triannual government-led assessments.
Level 2 - Advanced: 110 practices aligned with NIST SP 800-171; triannual third-party assessments for critical national security information, annual self-assessment for select programs.
Level 1 - Foundational: 17 practices; annual self-assessment.
Frequently Asked Questions About CMMC 2.0
Know every important detail about CMMC 2.0. Our FAQ section contains the most vital information you need.
CMMC Glossary
Here is a list of commonly used terms related to CMMC, each followed by its definition.
Asset Owner
A person or group with primary responsibility for the viability, productivity, security, and resilience of an organizational asset.
Cybersecurity Maturity Model Certification (CMMC)
The set of requirements established by the Department of Defense against which an organization seeking certification (OSC) is assessed. A certification process is now required for businesses seeking contracts with the DoD.
CMMC Assessment
The formal process of assessing the implementation and reliable use of controls through interviews, document reviews, and other observation measures. For CMMC specifically, an assessment is performed by an organization AND on an organization to see if they meet the requirements for the CMMC Level they are achieving certification for.
CMMC Audit
Performed by a C3PAO or CA and sanctioned by CMMC-AB, this is the process where an official professional or organization will check your organization against a given level of CMMC that you are achieving certification for to see if you successfully meet the requirements for that level. If you pass the audit, you’re issued the certification for that CMMC level.
CMMC Certified Assessor (CA)
A cybersecurity professional who has completed the background, training, and examination requirements to be certified at one of three levels by CMMC-AB. They are the ones who usually perform an audit on an organization.
CMMC Certified Professional (CP)
An individual authorized to participate as an assessment team member under the supervision of a Certified Assessor and authorized to have CMMC training.
CMMC Certified 3rd Party Assessment Organization (C3PAO)
An organization that has been certified by CMMC-AB to be contracted to provide consulting or certified assessments for an organization seeking certification for CMMC at any given level.
CMMC Certified Organization
An organization that has passed a CMMC Audit successfully and been issued a CMMC Certificate for a given level by the CMMC-AB.
CMMC Control
The policies and procedures to protect the organization's assets, maintain efficiency and stay within established standards. For CMMC, there are a total of 110+ controls that need to be met for full Level 3 certification, though Level 1 starts out with only 17.
CMMC Domain
Part of the CMMC model framework, domains are the categories of the framework, which are further broken down into a set of processes and practices with different topics related to the security of an organization. There are 17 domains within CMMC.
CMMC Maturity Level
This term is used to describe the security practices of a Defense Contractor found eligible for a CMMC-assessed seal after going through an audit sanctioned by the CMMC-AB. There are 3 maturity levels: Level 1: Foundational, Level 2: Advanced, and Level 3: Expert.
CMMC Registered Provider Organization (RPO)
A company authorized to represent itself as familiar with the CMMC Standard (given a CMMC-AB standardized logo) and is able to deliver CMMC consulting to organizations seeking certification (non-certified consulting). InterSec is a CMMC Registered Provider Organization.
CMMC Registered Practitioner (RP)
An individual who has gone through training to provide consulting services or advice related to CMMC to an OSC that is non-certified. They do not participate in official audits.
Controlled Unclassified Information (CUI)
Sensitive information that requires safeguarding and is protected with the aid of law, regulations, and government-wide policies.
Department of Defense (DoD)
Executive department of the United States federal government. It is responsible for the nation's military affairs, including research, development, and procurement. It also directs operations by the armed forces. The DoD is the agency responsible for creating the CMMC model.
Defense Contractor
Organizations (generally privately owned) that provide products and services to the Department of Defense. They must have at least one contract with the DoD to do so.
Defense Industrial Base (DIB)
The worldwide network of companies, universities, and institutions that create, produce, or otherwise supply weapons, computers, and other products used by the US military. Most Defense Contractors are considered a part of the DIB.
Dispute Adjudicator
An employee from CMMC-AB who is responsible for handling disputes between an Assessor and OSC for an Assessment/Audit.
Federal Contract Information (FCI)
Proprietary information (not intended for public release) that is generated under contract to develop or deliver a product or service to the Government.
Gap Analysis
A gap analysis is a tool that companies can use to compare their current performance with how they strive to perform. For CMMC, it is usually a report that identifies where an organization lacks security regulations, implementations, and requirements (similar to a POA&M).
NIST SP 800-171
A standard published by the National Institute of Standards and Technology (NIST). The 113-page document outlines the security requirements organizations must satisfy to protect CUI data in non-federal systems. The document lists 110 requirements (or controls) that make up CMMC levels 1-2.
Organization Seeking Certification (OSC)
An organization that intends to go through the CMMC assessment process and become certified under CMMC for a particular level.
Plan of Action and Milestones (POA&M)
A document that identifies missing security requirements and objectives and provides a timeline for their resolution. Cybersecurity professionals produce this document.
System Security Plan (SSP)
An SSP is a document describing an organization's information security policies, practices, and procedures. This is required at CMMC Level 2 and beyond and is an important document used in the audit process.
As one of the unique cybersecurity providers, InterSec employs continuous cyber innovation, sophisticated tradecraft, and top talent to deliver results. Our diverse clients span Commercial, State, and Federal agencies. Our deep cyber and industry expertise is earned through hands-on experience, from Cybersecurity Program setup to Operational Security. Our cybersecurity services meet mission-critical objectives in a secure and compliant manner.