The CMMC is a capability-based maturity framework that is used to define a progression of cybersecurity maturity for an organization. This model leverages multiple sources of information, to include current laws, regulations, threat profiles, and best practices.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

CMMC Process

The CMMC space is still evolving. All definitive guidance is solely from Office of the Under Secretary of Defense for Acquisition and Sustainment. The CMMC Accreditation Body has not fully established the C3PAO or certification processes. Further, several CMMC controls (practices) are in draft format and have not been fully incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS).

Why the DoD Created CMMC

Department of Defense (DoD) contractors are now well aware of the cybersecurity mandates that have been sweeping across the defense industry over the past several years. In 2015, The U.S. Department of Defense published the Defense Acquisition Federal Regulation Supplement, known as DFARS, which mandates that private DoD Contractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework. This is all part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats, and reduce the overall security risk of the sector.

What Does Non-Compliance Mean to You?

  • Revenue Loss
  • Proposal Exclusion
  • Stop Work Order
  • Breach of Contract Lawsuits



  • Supply Chain Disruption
  • False Claims Act Actions
  • Reputational Damages
  • Adverse Performance Reviews

Explanation of CMMC Levels

Level 1

  • Basic cybersecurity
  • Subset of universally accepted common practices
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions

Level 2

  • Inclusive of universally accepted cybersecurity best practices
  • Resilient against unskilled threat actors
  • Minor resistance against data exfiltration
  • Minor resilience against malicious actions

Level 3

  • Coverage of all NIST SP 800-171 controls
  • Additional practices beyond the scope of CUI protection
  • Resilient against moderately skilled threat actors
  • Moderate resistance against data exfiltration
  • Moderate resilience against malicious actions
  • Comprehensive knowledge of cyber assets

Level 4

  • Advanced and sophisticated cybersecurity practices
  • Resilient against advanced threat actors
  • Defensive responses approach machine speed
  • Increased resistance against and detection of data exfiltration
  • Complete and continuous knowledge of cyber assets

Level 5

  • Highly advanced cybersecurity practices
  • Reserved for the most critical systems
  • Resilient against the most-advanced threat actors
  • Defensive responses performed at machine speed
  • Machine performed analytics and defensive actions
  • Resistant against, and detection of, data exfiltration
  • Autonomous knowledge of cyber assets