What is Cybersecurity Maturity Model Certification (CMMC)?
Wiz Experts Team
Cybersecurity Maturity Model Certification (CMMC) is an assessment program for Defense Industrial Base (DIB) contractors. It verifies that contractors actually implement the cybersecurity requirements that apply to the federal contract information (FCI) and controlled unclassified information (CUI) they handle on behalf of the Department of Defense (DoD).
The DoD has required contractors to protect CUI since DFARS 252.204-7012 made NIST SP 800-171 a contract obligation, but compliance was self-declared and never verified. CMMC, announced in 2020, adds the verification step. Once the requirement is phased into a contract, a contractor must hold the CMMC level named in the solicitation to be eligible for award.
Verification depends on the level. Level 1 is a self-assessment. Level 2 is, for most contracts, assessed by a Certified Third-Party Assessor Organization (C3PAO), a firm authorized by the Cyber AB (formerly the CMMC Accreditation Body); the individual assessors employed by C3PAOs are trained and certified by the CMMC Assessors and Instructors Certification Organization (CAICO), which does not itself perform assessments. Level 3 is assessed by the DoD.
The need for CMMC in the defense supply chain
Traditionally, defense contractors met the NIST SP 800-171 requirements by self-attestation. DoD assessments found that many contractors had attested to controls they had not actually implemented, and the government's exposure to supply-chain compromises (the SolarWinds intrusion is the best-known example of the class) made it clear that the supplier base needed independent verification.
CMMC, aimed at better assessing, monitoring, and securing the defense supply chain, covers roughly 300,000 to 350,000 firms in the DIB. The original program (CMMC 1.0) had five certification levels; CMMC 2.0 condensed these into three by removing the two transitional levels (1.0's Levels 2 and 4) and dropping the separate process-maturity requirements. As before, the level a contractor needs is determined by the sensitivity of the information handled under the contract. Let's take a more in-depth look.
The different maturity levels of CMMC
Level 1: Foundational
The most basic level requires basic cyber hygiene such as correcting known flaws (patching), authenticating users, and limiting system access. It covers the 15 basic safeguarding requirements of FAR 52.204-21 (48 CFR 52.204-21), which the CMMC model enumerates as 17 practices.
Level 1 applies to contractors that handle federal contract information (FCI) but no CUI. FCI is information provided by or generated for the government under a contract that is not intended for public release; it is less sensitive than CUI, which is why Level 1 carries no process-documentation requirement and is verified by an annual self-assessment rather than a third-party assessment. Results and an affirmation of compliance are submitted to the DoD's Supplier Performance Risk System (SPRS).
Level 2: Advanced
CMMC 2.0 Level 2 is required for companies that process, store, or transmit controlled unclassified information (CUI). It consists of the 110 security requirements of NIST SP 800-171, organized into 14 domains. In addition to the practices in Level 1, Level 2 requires organizations to document how each requirement is implemented, normally in a system security plan (SSP).
For most contracts involving CUI, Level 2 is verified by a C3PAO assessment every three years, with an annual affirmation of continued compliance in between. The DoD has said that a subset of Level 2 programs handling less critical CUI will instead accept a triennial self-assessment; the solicitation states which path applies.
Level 3: Expert
As the highest level of CMMC, Level 3 adds a selected subset of the enhanced requirements in NIST SP 800-172 on top of the full NIST SP 800-171 baseline. The added requirements cover areas such as threat hunting and detection, penetration testing, cyber-resilient architecture, and additional protection of CUI, and they are intended for organizations that must withstand advanced persistent threats (APTs). Level 3 is assessed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and requires a Level 2 C3PAO certification first.
CMMC was introduced to cover three key objectives:
Safeguarding sensitive information that could challenge national security
Setting a cybersecurity standard for companies securing defense contracts
Making defense contractors accountable for securing government data
The CMMC model is organized around two building blocks, Domains and Practices. CMMC 1.0 also grouped practices into Capabilities, a layer that CMMC 2.0 dropped. Let's go over each briefly.
Domains
CMMC 2.0 is organized into 14 cyber domains, or sets of security practices grouped by their attributes. The domains defined under the new version of CMMC are:
1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Assessment (RA)
12. Security Assessment (CA)
13. System and Communications Protection (SC)
14. System and Information Integrity (SI)
Practices
These are the specific security requirements you must implement to safeguard information. At Level 2 there are 110 practices spread across the 14 domains, matching the 110 requirements of NIST SP 800-171; Level 1's 17 practices are a subset of them, and Level 3 adds requirements drawn from NIST SP 800-172.
Capabilities
In CMMC 1.0, capabilities were an intermediate grouping: each of the 17 domains was broken into capabilities (43 in total), and each capability into practices. CMMC 2.0 removed the capability layer, along with the process-maturity requirements and the three domains (Asset Management, Recovery, and Situational Awareness) that had no counterpart in NIST SP 800-171, so that Level 2 maps one-to-one onto that standard.
Who needs to comply with CMMC?
The DoD is phasing CMMC requirements into new contracts over several years (the original target for full rollout was 2026). Vendors of commercial-off-the-shelf (COTS) products are exempt; every other contractor and subcontractor must hold the level listed in its contract, and prime contractors must flow the requirement down to subcontractors that receive FCI or CUI. The three groups of contractors that need to comply are as follows:
Organizations that work only with FCI and have the FAR 52.204-21 clause in their contract need CMMC Level 1. They do not require a third-party assessment; they self-assess annually and affirm the result in SPRS. As part of scoping, they must identify everything that processes, stores, or transmits FCI: the people, technology, facilities, and external service providers involved.
Defense contractors that handle CUI and have the DFARS 252.204-7021 clause in their contract need Level 2. Unless the solicitation allows a Level 2 self-assessment, they must be assessed by an accredited C3PAO every three years and affirm continued compliance annually.
Organizations with the DFARS 252.204-7021 clause whose contracts involve the most sensitive CUI need Level 3. They must implement all of NIST SP 800-171 plus the selected NIST SP 800-172 requirements, hold a Level 2 C3PAO certification, and then be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Penalties for non-compliance
Any organization that wants to win a contract carrying a CMMC requirement must hold the required level, so certification is effectively non-negotiable for that part of the defense market. Beyond losing eligibility, misrepresenting your compliance carries legal risk.
A contractor that falsely claims compliance, whether in an SPRS score, an annual affirmation, or an invoice submitted under a contract whose terms require compliance, can be liable under the False Claims Act (FCA). The Department of Justice's Civil Cyber-Fraud Initiative, launched in 2021, uses the FCA specifically to pursue cybersecurity misrepresentations by government contractors. FCA liability is treble the government's damages plus a civil penalty for each false claim (the statutory range is adjusted for inflation each year), and because every invoice can count as a separate claim, exposure on even a modest contract can reach millions of dollars.
We’ve seen why complying with CMMC is critically important for defense contractors. However, the road to achieving CMMC compliance is paved with challenges. To mitigate those challenges, follow this seven-step checklist of best practices to earn maturity certification:
1. Understand what level of CMMC certification you need
Level 1 certification is a minimum requirement for securing a defense contract from the DoD. You must earn Level 2 compliance if your organization deals with CUI, and Level 3 certification is the highest level of attainment. Review your defense contract carefully to learn which maturity level you need.
2. Establish a core team to take care of CMMC compliance
Delegating the responsibility of compliance requirements to a core team will streamline your security practices. IT teams usually take up this role; regardless of who is in charge, CMMC compliance must be managed by someone who can involve all the organization's stakeholders and keep the project on track at every step.
3. Determine your CMMC compliance readiness
Assess yourself against the requirements for your target level to establish where you stand. For Level 2 this means scoring each of the 110 NIST SP 800-171 requirements using the DoD Assessment Methodology (the same score you report in SPRS), which involves reviewing your policies, procedures, technical controls, and the evidence that shows each one is actually in place.
4. Limit access to CUI for easy security management
Giving access to CUI to a large group will make it hard to keep tabs on who is accessing the information. Restrict its access to select personnel and ensure they are trained on CUI management practices.
5. Learn your compliance score through an RPO
Before you schedule a formal assessment, get an independent view of your posture. A CMMC Registered Provider Organization (RPO) is a consultancy registered with the Cyber AB to help contractors prepare; it can run a gap analysis against your target level and validate your self-assessment score. Note that an RPO advises but does not certify, and a C3PAO may not assess an organization it has consulted for, so keep the two roles separate.
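The self-assessment in step 3 and the gap analysis in step 5 both come down to the same arithmetic, so here is a small readiness scorer modelled on the DoD Assessment Methodology for NIST SP 800-171. It is an example written for this article, not Wiz code and not an official DoD tool. What it shows beyond the prose: the score starts at 110 and loses each unmet requirement's weight of 5, 3, or 1; two requirements get partial credit (3.5.3 when MFA covers privileged and remote users but not everyone, 3.13.11 when encryption is in use but not FIPS-validated); and a score above the bar is not enough on its own, because high-weight gaps cannot be parked on a POA&M. The requirement weights listed are an illustrative subset (an assumption for this example; the authoritative weight of every requirement is in the methodology's annex), and the conditional-status rule (score of at least 88, only 1-point gaps deferrable, plus 3.13.11 at partial credit) is stated here as this example's reading of the CMMC rule.

```python
"""Readiness scorer modelled on the DoD Assessment Methodology for NIST SP 800-171.

Constructed for this article; not Wiz code and not an official DoD tool.
Rules implemented: start from 110 and subtract the weight (5, 3 or 1) of every
requirement that is not met. Two requirements can be scored as partially met:
3.5.3 (MFA in place for privileged and remote users but not all users) and
3.13.11 (encryption used but not FIPS-validated), each costing 3 points
instead of the full 5.
"""

from typing import Dict, List, Tuple

MAX_SCORE = 110
VALID_STATUS = {"met", "not_met", "partial"}

# Illustrative subset of the 110 requirements and their weights. These values
# are an assumption for this example; the authoritative weight of each
# requirement is in the annex of the DoD Assessment Methodology.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Requirements that may be scored as partially met, and the reduced deduction.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Assumed conditional-status rule for Level 2: score at least 88 (80% of 110)
# and every open gap eligible for a POA&M (1-point items, or 3.13.11 at partial).
CONDITIONAL_MIN_SCORE = 88


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    if status not in VALID_STATUS:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status == "met":
        return 0
    if status == "partial":
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req}: partial credit only exists for {sorted(PARTIAL_DEDUCTION)}")
        return PARTIAL_DEDUCTION[req]
    return WEIGHTS[req]


def score(assessment: Dict[str, str]) -> int:
    """SPRS-style score. Every tracked requirement must have a status;
    an unassessed requirement is a scoping error, not a free pass."""
    missing = sorted(set(WEIGHTS) - set(assessment))
    if missing:
        raise ValueError(f"every requirement needs a status; missing {missing}")
    return MAX_SCORE - sum(deduction(req, assessment[req]) for req in WEIGHTS)


def poam_eligible(req: str, status: str) -> bool:
    """Whether an open gap may sit on a POA&M rather than block certification."""
    if status == "partial" and req == "3.13.11":
        return True
    return WEIGHTS[req] == 1


def readiness(assessment: Dict[str, str]) -> Tuple[int, List[str], bool]:
    """Return (score, open gaps, eligible for conditional Level 2 status)."""
    total = score(assessment)
    gaps = [req for req in WEIGHTS if assessment[req] != "met"]
    blocking = [req for req in gaps if not poam_eligible(req, assessment[req])]
    return total, gaps, total >= CONDITIONAL_MIN_SCORE and not blocking


# Constructed sample assessments (not real contractor data).
NEAR_READY = {"3.1.1": "met", "3.1.3": "not_met", "3.3.1": "met",
              "3.5.3": "met", "3.13.11": "partial", "3.14.1": "met"}
GAPPED = {"3.1.1": "not_met", "3.1.3": "not_met", "3.3.1": "not_met",
          "3.5.3": "partial", "3.13.11": "not_met", "3.14.1": "met"}

if __name__ == "__main__":
    for name, a in (("near-ready", NEAR_READY), ("gapped", GAPPED)):
        total, gaps, ok = readiness(a)
        print(f"{name}: score {total}, gaps {gaps}, conditional status {'yes' if ok else 'no'}")
```

The second sample is the case worth noticing: it scores 91, above the 88 bar, yet it is not eligible for conditional status because four of its gaps are 5-point requirements that a POA&M cannot cover. Driving the number up is not the goal; closing the heavily weighted requirements first is.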
6. Build a system security plan (SSP) for CMMC compliance
The SSP is the document an assessor starts from, so a complete one makes certification far easier. It should define the assessment boundary (every system, network segment, and cloud service that stores, processes, or transmits CUI), describe how CUI flows through the environment and who is authorized to access it, and state, for each of the 110 requirements, how it is implemented and where the evidence lives. In essence, an SSP is your security profile in writing.
7. Create a plan of action and milestones (POA&M) for compliance
Achieving CMMC compliance is a journey, and the POA&M is the record of the gaps still open and the owner, remediation steps, and target date for each. Keep it realistic: under CMMC 2.0 a POA&M can only carry lower-weighted requirements, not the high-impact ones, and open items must be closed (and verified) within 180 days of the assessment or the conditional certification lapses.
Achieving cloud compliance with Wiz
As we've seen, CMMC mandates ways of safeguarding the defense supply chain to protect sensitive government data. The Federal Information Security Modernization Act (FISMA), which applies to federal agencies and to contractors that operate systems on their behalf, is another regulation many of the same organizations must comply with, and it rests on the same NIST control catalogs.
Meeting these directives doesn't have to be difficult if you have the right tooling. Wiz continuously assesses your cloud environment against built-in frameworks including NIST SP 800-171, NIST SP 800-53, and FedRAMP, maps findings to the specific controls they affect, and presents the results as interactive heatmaps so you can see your security and compliance posture at a glance and prioritize the gaps that matter.
Schedule a demo today to learn how Wiz can simplify all your compliance management needs.