Everything about the Cybersecurity Maturity Model Certification (CMMC)

Table of Contents

  1. Introduction
  2. What is the CMMC?
  3. When am I required to comply?
  4. What’s the difference between NIST 800-171 and the CMMC?
  5. Who needs to comply?
  6. What happens if I don’t comply?
  7. What’s involved in compliance?
  8. What steps can I take to prepare for compliance?
  9. What does a CMMC audit involve?


Over the past few years, the Defense Industrial Base (DIB) and the Department of Defense (DoD) supply chain have been the target of cyberattacks from nation-states and other malicious actors. In response to this growing threat and a need to better assess and enhance the DIB's cybersecurity maturity, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). Specifically, its purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC is not straightforward, requiring a lot of time and preparation. However, with some basic understanding of the requirements, you can effectively prepare your organization for certification. In this guide, we cover everything you need to know about the CMMC.

What is the CMMC?

The CMMC stands for “Cybersecurity Maturity Model Certification.” It is a relatively new cybersecurity compliance standard that the Department of Defense (DoD) requires for contract awards. It provides the DoD a verification mechanism to ensure that its contractors and subcontractors implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

The CMMC covers five maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” and includes a third-party certification requirement for levels 1, 3, 4, and 5. There is no certification for CMMC Level 2.

When am I required to comply?

When the CMMC is fully rolled out, your organization will need to be certified before it receives its contract award. If during the bid submission process your organization isn’t certified, it’ll need to indicate it’ll be certified by the contract award date. If you can’t prove your certification, the DoD will not award you the contract.

However, as of the publication of this blog post, the DoD has not fully implemented the CMMC. Instead, on September 29, 2020, it published the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, which went into effect on November 30, 2020. The Interim Rule kickstarted the five-year, phased rollout (November 30, 2020–September 30, 2025) of the CMMC. Among its provisions, the Interim Rule requires contractors to self-assess against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, use the DoD Assessment Methodology to create a score, and submit that score in the Supplier Performance Risk System (SPRS).

What’s the difference between NIST 800-171 and the CMMC?

In terms of compliance, the CMMC requires specific documentation to be certified at level 3 and above. Previously, contractors had to certify themselves, stating they had either implemented or were in the process of implementing all 110 NIST 800-171 controls. As one would imagine, this process introduced too many errors and discrepancies, making it an unreliable process for the DoD. Through the new requirements, some of which the DFARS Interim Rule introduced recently, the DoD now requires all contractors to self-assess against NIST 800-171 using the DoD Assessment Methodology and eventually be certified at CMMC Level 1, at a minimum, through a Third-Party Assessor Organization (C3PAO).

In terms of cybersecurity frameworks, NIST 800-171 and CMMC are not starkly different. CMMC Levels 1–3 primarily mirror the entirety of NIST 800-171. In addition to the 14 domains covered in NIST 800-171, CMMC adds three domains, “Asset Management,” “Recovery,” and “Situational Awareness,” bringing the total number of domains to 17. Additionally, CMMC Levels 4 & 5 introduce 30 new practices from FAR clause 52.204-21, NIST 800-171B (soon to be named NIST 800-172), as well as other practices from the Center for Internet Security (CIS), CERT Resilience Management Model (CERT-RMM), and NIST Cybersecurity Framework (CSF).

CMMC Level   Practices Introduced   Source
                                    48 CFR 52.204-41   NIST SP 800-171   NIST SP 800-172   Other
1            17                     15                 17                -                 -
2            55                     -                  48                -                 7
3            58                     -                  45                -                 13
4            26                     -                  -                 11                15
5            15                     -                  -                 4                 11

Who needs to comply?

Eventually, any contractor that works for the United States Federal Government will be required to get certified. In the short term, the CMMC will apply only to DoD contracts, appearing first as a requirement in select contracts and then, over the FY2021–FY2025 phased rollout introduced with the DFARS Interim Rule, in 100% of contracts. The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and the DoD will work together to identify those initial contracts. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

What happens if I don’t comply?

Non-compliance means you could either lose your current DoD contract or lose the ability to win contract awards altogether. Additionally, if your organization falsified information, it could lead to serious legal repercussions under the “False Claims Act.”

What’s involved in compliance?

It depends on what CMMC level your organization is targeting. Each level consists of a series of practices or security controls that add up cumulatively with each higher level.

Level 1

  • Safeguard FCI
    • CMMC Level 1 requires that an organization align with 17 specified practices. Documentation at this stage may be helpful but is not required.
    • Organizations should demonstrate that they practice Basic Cyber Hygiene like antivirus, FAR requirements, and ad-hoc incident response.

Level 2

  • Transition step towards protecting CUI
    • CMMC Level 2 requires that an organization align with 72 practices and establish policies and procedures. Documentation is required to demonstrate how the organization implements the policies and procedures. There is no certification for this level.
    • Organizations should demonstrate that they practice Intermediate Cyber Hygiene, like awareness & training, risk management, security continuity, and back-ups.

Level 3

  • Protect CUI
    • CMMC Level 3 requires an organization to align with 130 practices and establish, maintain, and resource a plan demonstrating the management of practice implementation activities. This level encompasses all of the practices specified in NIST 800-171 and additional practices from other standards.
    • Organizations should demonstrate that they practice Good Cyber Hygiene, like threat information sharing with key stakeholders and multi-factor authentication (MFA).

Level 4 & 5

  • Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
    • CMMC Levels 4 and 5 require an organization to align with 156 and 171 practices, respectively, and review and measure the effectiveness of those practices. Documented evidence must be available demonstrating that the organization is continuously optimizing the process implementation.
    • Organizations should demonstrate that they practice Proactive or Advanced/Progressive cybersecurity standards, like network segmentation, use of DLP technologies, 24/7 SOC operation, and real-time asset tracking.

What steps can I take to prepare for compliance?

Going from zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. If you’d like to learn more about what practical steps you can take to prepare, we wrote “The Step-by-Step Guide to Prepare for the CMMC.”


What does a CMMC audit involve?

Although the CMMC-AB has yet to define how a CMMC audit will be conducted, the CMMC Assessment Guide for Level 1 and Level 3 gives us some idea.

  • During the actual audit, a CMMC-AB Certified Assessor (CA) will lead the audit process.
  • The audit process will take anywhere from 2 days up to one week depending on the size of your environment and number of locations.
  • On the first day of the audit, the CA will give a presentation to the management team about the objective of the audit and a plan for conducting the audit.
  • During the audit, the CA and the team will review the policies, practices, and plan documentation.
  • The CA will verify everything stated in those documents and ensure everything is implemented and followed.
  • They will collect syslogs, screenshots, data points, paper trails, emails, and any evidence relevant to the audit.
  • There will be interviews conducted with the system administrators, help desk personnel, regular users, management, etc., to verify the process.
  • All of the collected evidence will be submitted to CMMC-AB as part of the CMMC Certification recommendation step by the CA.
  • The CMMC-AB reviews all evidence and the CA’s recommendation before making a final decision.
  • Your certification will be active for three years. After those three years, you’ll need to recertify.


The CMMC is here. Organizations that are interested in bidding for federal contracts should start preparing for the CMMC now. It takes some time to prepare, implement, and document all of those controls for any organization, whether big or small. The CMMC also requires that organizations have a mature process in place, meaning the processes are implemented and maintained over time. Although your organization can opt for manual and potentially insecure processes involving spreadsheets, cloud drives, and email communication, it can instead opt for automated software solutions like Isora GRC, making it easier to manage compliance.