The Cybersecurity Maturity Model Certification (CMMC) Program began with the November 2010 Executive Order (E.O.) 13556, Controlled Unclassified Information. This Order was intended to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls.” In 2016, the DFARS 252.204-7012 clause went into effect, requiring all DoD contract holders to self-assess that they meet the security requirements of NIST SP 800-171. In 2019, DoD announced the development of CMMC to move away from a “self-attestation” model of security after years of security and audit failures.
The purpose of the CMMC is to verify that the information systems that contractors of the United States Department of Defense use to process, transmit, or store sensitive data comply with the mandatory information security requirements. The goal is to protect controlled unclassified information (CUI) and federal contract information (FCI) stored and processed by a partner or vendor.
CMMC defines three levels, chosen according to the sensitivity of the data handled under the contract.
Level | Description | Practices | Objectives | Assessment | Scope
---|---|---|---|---|---
1 | Foundational | 14 based on FAR 52.204-21, cross-referenced to 17 practices in NIST SP 800-171 rev 2 | 59 | Annual self-assessment | Safeguard Federal Contract Information (FCI)
2 | Advanced | 110 practices aligned with NIST SP 800-171 | 320 | Triennial third-party assessment for critical national security information; annual self-assessment for select programs | Safeguard FCI and/or protect Controlled Unclassified Information (CUI)
3 | Expert | 134 practices based on NIST SP 800-171 plus a subset of the security requirements in NIST SP 800-172 | 409 | Triennial government-led assessment by DCMA DIBCAC | Enhanced protection of CUI
Level 1 covers FCI only and requires self-assessment by an Affirming Official (AO).
Level 2 covers FCI and/or CUI and can allow either self-assessment (FCI only) by an Affirming Official (AO) or third-party assessment (FCI and CUI) by a CMMC Third-Party Assessor Organization (C3PAO).
Level 3 covers FCI and CUI and requires a successful Level 2 third-party assessment before the DCMA DIBCAC validates the additional practices.
Note: A government contract may override these guidelines at the contracting officer's discretion. Regardless of these guidelines, subcontractors must meet the standard a prime contractor requires.