What is the Cybersecurity Maturity Model Certification 1.0 (CMMC 1.0)?

CMMC stands for “Cybersecurity Maturity Model Certification”.  The CMMC is a formal certification intended to ensure that appropriate levels of cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) residing on DoD contractor networks.  If your business offers products and/or services to the DoD or a DoD contractor, the CMMC will apply to you.

The goal of the Cybersecurity Maturity Model Certification is to protect national security and to protect American businesses.  The CMMC combines various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.  The CMMC will also measure the maturity of a company’s cybersecurity practices and processes.

Unlike the NIST 800-171 framework, there is no self-certification for the Cybersecurity Maturity Model Certification 1.0.  Instead, a third-party CMMC auditor (Certified Third-Party Assessor Organization - C3PAO) will be required.  Registered Provider Organizations (RPOs), such as Appalachia, have been accredited by CMMC to help prepare organizations for C3PAO auditing.

The CMMC 1.0 encompasses 5 security levels, with level 5 being the most secure.  The majority of contractors and especially manufacturers will be level 3.  Levels 4 and 5 are reserved for contractors who require very high levels of cybersecurity – think munitions and weapons manufacturers.  Levels 1 and 2 will apply to merchants and services.

Figure 1 CMMC Maturity Process Progression - https://www.acq.osd.mil/cmmc/