What is CMMC? Cybersecurity Maturity Model Certification Overview

If you’ve heard the term CMMC being used more frequently, you’re not alone. This upcoming change in certification requirements for Department of Defense contractors and subcontractors will have major implications and require significant changes for organizations in order to continue landing government contracts.

Here are all the basics of CMMC, how it will work, when it goes into effect, who will have to comply, and how to get started.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is being implemented by the United States Department of Defense (DoD) as a means of standardizing cybersecurity preparedness across the government’s defense industrial base (DIB). The certification requirement applies to organizations that contract or do business with the DoD, and is designed to verify the cybersecurity capabilities of its contractors across measures of readiness, sophistication, and defense.

While the CMMC is relatively new, it incorporates frameworks and input from existing government standards, such as the Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS), and National Institute of Standards and Technology (NIST).

The DoD has already begun issuing a small number of requests for information relating to the newly standardized CMMC specifications. However, all new requests for proposals will be required to adhere to CMMC beginning in 2026. While that may seem like a long way off, it’s important that organizations start preparing now for when the CMMC will officially take effect to avoid any missteps.

Who Must Comply with the CMMC?

There are two primary types of contractors who work with the Department of Defense: ‘prime’ contractors, which hold the direct DoD contract, and subcontractors, which work for those prime contractors.

That means the CMMC doesn’t just apply to organizations with direct DoD contracts; any organization that subcontracts for an organization with a direct relationship with the DoD will also be required to comply.

However, the CMMC certification level required for each contract and contractor depends on the contract itself. Some requests will only require low-level certification, while others will require a higher level of certification. We’ll talk more about those levels later.

The CMMC Framework

The CMMC framework is built around five levels of cybersecurity preparedness, with level 1 being the most basic, and level 5 being the most advanced.

The expressed goal of the CMMC is to ensure that two distinct types of information are protected from being disclosed or used for unauthorized purposes — controlled unclassified information (CUI) and federal contract information (FCI).

Controlled Unclassified Information

Controlled unclassified information is any information that requires security protocols and restrictions on how and where that information is shared. There are other specific qualifiers as well.

Federal Contract Information

Federal contract information is any information that is not intended for public release and is provided by the government to one of its contractors in order to help them complete their contract work.

At each CMMC certification level, there is a set of unique Processes and Practices and a qualifier, also known as a ‘goal,’ that contract requests at that level must meet.

The CMMC framework requires prime contractors and subcontractors to be assessed in each of the following four components: Domains, Capabilities, Processes, and Practices. Contractors are assigned a certification level between 1 and 5 depending on their score for each component. If they fail to meet any requirements, they do not receive a score.

Level 1

In order to reach Level 1 status, contractors must cover practices relating to:

  • Access Control
  • Identification and Authentication
  • Media Protection
  • Physical Protection
  • System and Communications Protection
  • System and Information Integrity

Level 2

In order to reach Level 2 status, contractors must cover practices relating to:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Management
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Level 3

In order to reach Level 3 status, contractors must cover practices relating to:

  • Access Control
  • Asset Management
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Recovery
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

Level 4

In order to reach Level 4 status, contractors must cover practices relating to:

  • Access Control
  • Asset Management
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Incident Response
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

Level 5

In order to reach Level 5 status, contractors must cover practices relating to:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Incident Response
  • Risk Management
  • System and Communications Protection
  • System and Information Integrity

In total, there are 17 domains, with 43 unique capabilities that contribute to a total of 171 practices. Processes are assessed for maturity based on the corresponding certification levels.

When is CMMC Compliance Required?

With the implementation of new CMMC regulations, the Department of Defense also announced the creation of the CMMC Accreditation Body. This non-profit organization is independent of the DoD and will accredit both individual assessors and Third Party Assessment Organizations. Details about how exactly organizations will achieve certification have not yet been released, but contractors will soon be able to hire Third Party Assessment Organizations from an approved DoD-sanctioned marketplace.

How to Prepare for the CMMC Rollout

With 17 domains, 43 capabilities, and 171 unique practices to account for, getting started with CMMC certification may seem overwhelming. The good news is that there is time before the projected 2026 rollout; however, you should start today — and don’t rely on just one or a few individuals at your organization for the task. Preparing for CMMC implementation must be a coordinated effort that brings to bear all of your organization’s cybersecurity tools.

One essential factor that will determine whether your organization is able to achieve any level of CMMC certification will be data access control. Not only is access control explicitly mentioned as one of the 17 domains on the DoD’s list for every certification level, but effective data access control is also an essential element of many of the other included domains.

Data access control also offers a huge range of other ancillary benefits, from scalability and speed in data communication to improved connectivity and remote access.

Don’t risk losing government contracts due to a failure to prepare for the CMMC rollout. Find out how Immuta can give you a head start on getting CMMC certified for your contracts and future plans.

Ready to get started? Request a demo of Immuta.
