Everything about the Cybersecurity Maturity Model Certification (CMMC)

Table of Contents

What is the CMMC?
When am I required to comply?
What’s the difference between NIST 800-171 and the CMMC?
Who needs to comply?
What happens if I don’t comply?
What’s involved in compliance?
What documentation is required?
What steps can I take to prepare for compliance?
What does a CMMC audit involve?


Over the past few years, the Defense Industrial Base (DIB) and the Department of Defense (DoD) supply chain has been the target of cyberattacks from nation-states and other malicious actors. In response to this growing threat and a need to better assess and enhance the DIB cybersecurity maturity, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). Specifically, its purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC is not straightforward, requiring a lot of time and preparation. However, with some basic understanding of the requirements, you can effectively prepare your organization for certification. In this guide, we cover everything you need to know about the CMMC.

What is the CMMC?

The CMMC stands for “Cybersecurity Maturity Model Certification.” It is a relatively new cybersecurity compliance standard that the Department of Defense (DoD) requires for contract awards. It provides the DoD a verification mechanism to ensure that its contractors and subcontractors implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

The CMMC covers five maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” and includes a third-party certification requirement for levels 1, 3, 4, and 5. There is no certification for CMMC Level 2.

When am I required to comply?

When the CMMC is fully rolled out, your organization will need to be certified before it receives its contract award. If during the bid submission process your organization isn’t certified, it’ll need to indicate it’ll be certified by the contract award date. If you can’t prove your certification, the DoD will not award you the contract.

However, as of publishing the blog post, the DoD has not fully implemented the CMMC. Instead, on September 29, 2020, it published the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule and later went into effect on November 30, 2020. The Interim Rule kickstarted the five-year, phased rollout (November 30, 2020–September 30, 2025) of the CMMC. Among the text, the Interim Rule requires contractors to self-assess against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, use the DoD Assessment Methodology to create a score, and submit that score in the Supplier Performance Risk System (SPRS).

What’s the difference between NIST 800-171 and the CMMC?

In terms of compliance, the CMMC requires specific documentation to be certified at level 3 and above. Previously, contractors had to certify themselves, stating they had either implemented or were in the process of implementing all 110 NIST 800-171 controls. As one would imagine, this process introduced too many errors and discrepancies, making it an unreliable process for the DoD. Through the new requirements, some of which the DFARS Interim Rule introduced recently, the DoD now requires all contractors to self-assess against NIST 800-171 using the DoD Assessment Methodology and eventually be certified at CMMC Level 1, at a minimum, through a Third-Party Assessor Organization (C3PAO).

In terms of cybersecurity frameworks, NIST 800-171 and CMMC are not starkly different. CMMC Levels 1–3 primarily mirror the entirety of NIST 800-171. In addition to the 14 other domains covered in NIST 800-171, CMMC adds three additional domains which include, ” Asset Management,” “Recovery,” and “Situational Awareness,” bringing the total number of domains to 17. Additionally, CMMC Levels 4 & 5 introduce 30 new practices from FAR clause 52.204-21, NIST 800-171B (soon to be named NIST 800-172), as well as other practices from the Center for Internet Security (CIS), CERT Resilience Management Model (CERT-RMM), and NIST Cybersecurity Framework (CSF).

CMMC Level Practices Introduced Source
48 CFR 52.204-41 NIST SP 800-171 NIST SP 800-172 Other
1 17 15 17
2 55 48 7
3 58 45 13
4 26 11 15
5 15 4 11

Who needs to comply?

Eventually, any contractor that works for the United States Federal Government will be required to get certified. In the short-term, the CMMC will only apply to DoD contracts, appearing as a requirement only in select contracts, then, over the FY2021–FY2025 phased rollout introduced with the DFARS Interim Rule, to 100% of contracts. The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and the DoD will work together to identify those initial contracts. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

What happens if I don’t comply?

Non-compliance means you could either lose your current DoD contract or lose the ability to win contract awards altogether. Additionally, if your organization falsified information, it could lead to serious legal repercussions under the “False Claims Act.”

What’s involved in compliance?

It depends on what CMMC level your organization is targeting. Each level consists of a series of practices or security controls that add up cumulatively with each higher level.

Level 1

  • Safeguard FCI
    • CMMC Level 1 requires that an organization align with 17 specified practices. Documentation at this stage may be helpful but not required.
    • Organizations should demonstrate that they practice Basic Cyber Hygiene like antivirus, FAR requirements, and ad-hoc incident response.

Level 2

  • Transition step towards protecting CUI
    • CMMC Level 2 requires that an organization align with 72 practices and establish policies and procedures. Documentation is required to demonstrate how the organization implements the policies and procedures. There is no certification for this level.
    • Organizations should demonstrate that they practice Intermediate Cyber Hygiene, like awareness & training, risk management, security continuity, and back-ups.

Level 3

  • Protect CUI
    • CMMC Level 3 requires an organization to align with 130 practices and establish, maintain, and resource a plan demonstrating the management of practice implementation activities. This level encompasses all of the practices specified in NIST 800-171 and additional practices from other standards.
    • Organizations should demonstrate that they practice Good Cyber Hygiene, like threat information sharing with key stakeholders and multi-factor authentication (MFA).

Level 4 & 5

  • Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
    • CMMC Levels 4 and 5 require an organization to align with 156 and 171 practices, respectively, and review and measure the effectiveness of those practices. Documented evidence must be available demonstrating that the organization is continuously optimizing the process implementation.
    • Organizations should demonstrate that they practice Proactive or Advanced/Progressive cybersecurity standards, like network segmentation, use of DLP technologies, 24/7 SOC operation, and real-time asset tracking.

What documentation is required?

The CMMC states that starting with Level 2, the organization should have supporting documentation for their implementation of the CMMC processes. These involve creating documents for the organization’s Policies, Practices, and Plans.

Policy Documentation

Establish the organizational expectations for planning and performing the distinct CMMC practices and communicate these expectations via policy. The policy should reflect higher-level managers’ objectives for the process. At a minimum, the policy should:

  • Clearly state the purpose of the policy
  • Clearly define the scope of the policy
  • Describe the roles and responsibilities of the activities covered by this policy
  • Establish or direct establishment of procedures to carry out and meet the intent of the policy, including any regulatory guidelines this policy addresses

All policies must have documented CMMC practices that implement the policy.

Practices Documentation

Practices discuss specific activities involved in satisfying the intent of the related policy. The practices define the activity and prescribe the specific activities involved to meet the policy. The practice must include all activities in the CMMC domain, up to the level of CMMC assessment.

Plan Documentation

Establish and maintain the plan for performing the process. The should include strategic-level objectives that can be used to inform senior leadership of the status of the organization as it relates to each CMMC domain.

Additional clarifications are available in CMMC Model Appendices for each control.

What steps can I take to prepare for compliance?

For starters, don’t get overwhelmed with all of the practices and procedures. It helps to come up with a simple game plan and start attacking them one by one. Here is a simple checklist that will help you prepare for CMMC:

Scope your FCI and CUI Enclaves

Not every part of your organization needs to comply. You can carve out the segment in your network/VLAN that processes FCI and CUI and only focus on helping that segment align with the distinct practices.

Create a System Security Plan (SSP)

Your SSP is a key, evolving, technical document that describes your FCI and CUI to an auditor. It should specify your network, assets, and data flow, and implementation level of each practice.

Choose a Reliable Compliance Workflow

Most organizations choose to use manual, insecure, and siloed tools like spreadsheets, cloud drives, and email communication to manage compliance and conduct assessments. Although these methods get the job done, they require significant FTE investments, produce inaccurate results, and don’t scale well over time. Instead, organizations can opt for an automated software solution like Isora GRC, which helps them conduct assessments, securely collect evidence, export SSPs, and more in a single, end-to-end assessment platform.

Start a Self-Assessment

  • Begin with Level 1
    • Assess your organization against the first 17 practices, which are relatively easier to tackle.
  • Progress to Level 2 & 3
    • Move on to the additional 52 practices in CMMC Level 2 then the additional 58 practices in CMMC Level 3. At CMMC Level 3, design and deploy a process to collect and document evidence for all 130 practices.
  • Self-Assess Against NIST 800-171 (DFARS Interim Rule)
    • Whenever you feel relatively confident, conduct an your NIST 800-171 Basic Assessment. You will also use the DoD Assessment Methodology to create your Supplier Performance Risk System (SPRS) score.
    • Ultimately, you might not be prepared but will still need to conduct the self-assessment and create an SPRS score. Over time, as you implement more practices, you can update your score. The self-assessment will instead give you a good idea of where you are and What work you need to do to prepare for certification.

Input your Supplier Performance Risk System (SPRS) Score

Log into the SPRS and input the score for your contract and relevant CAGE code.

Choose a CMMC Level

Choosing a CMMC level will all depend on your contract and the kind of data that you handle. If it’s only FCI (the majority of contracts), you’ll most certainly be required to certify at CMMC Level 1. If you handle CUI, you will most certainly be required to certify at CMMC Level 3. In general, it is sound to strive for CMMC Level 3 as much as possible as this will ensure that your organization is doing everything it can to protect against cyber threats.

Conduct a CMMC Pre-Assessment

The CMMC Pre-aAssessment is an “internal tool” you should use to measure your readiness to be certified. It’s only purpose is to help you identify gaps and create a Plan of Actions & Milestones (POA&M).

Build off of your NIST 800-171 Basic Assessment and assess against the additional 20 practices included in CMMC Level 3. You’ll want to identify whether the practices are fully implemented, partially implemented, or not implemented at all.

Collect Evidence

The CMMC Pre-Assessment is also a great tool to use to start collecting evidence. As you assess the implementation of each practice, collect any artifacts related to each of them. The more artifacts, the better. Artifacts can include policy documents, screenshots, logs, emails, etc. Ultimately, the evidence is required to help an auditor undoubtedly certify you at one of the CMMC levels.

Choose a CMMC Third-Party Assessment Organization (C3PAO)

The only way to get certified is through a C3PAO. The CMMC Accreditation Body (CMMC-AB), a non-profit, independent organization, accredits a C3PAO. The CMMC-AB has a marketplace that includes a list of approved C3PAOs and other information on their website. You can also work with a C3PAO to help you prepare for the CMMC, but that same C3PAO cannot certify you as well.

Fast-Track your CMMC Compliance

Learn how Isora GRC helps fast-track DFARS Interim Rule compliance and CMMC preparation across your systems.

What does a CMMC audit involve?

Although the CMMC-AB has yet to define how a CMMC audit will be conducted, the CMMC Assessment Guide for Level 1 and Level 3 gives us some idea.

  • During the actual audit, a CMMC-AB Certified Assessor (CA) will lead the audit process.
  • The audit process will take anywhere from 2 days up to one week depending on the size of your environment and number of locations.
  • On the first day of the audit, the CA will give a presentation to the management team about the objective of the audit and a plan for conducting the audit.
  • During the audit, the CA and the team will review the policies, practices, and plan documentation.
  • The CA will verify everything stated in those documents and ensure everything is implemented and followed.
  • They will collect syslogs, screenshots, data points, paper trails, emails, and any evidence relevant to the audit.
  • There will be interviews conducted with the system administrators, help desk personnel, regular users, management, etc., to verify the process.
  • All of the collected evidence will be submitted to CMMC-AB as part of the CMMC Certification recommendation step by the CA.
  • The CMMC-AB reviews all evidence and CAs recommendation before making a final decision.
  • Your certification will be active for three years. After those three years, you’ll need to recertify.


The CMMC is here. Organizations that are interested in bidding for federal contracts should start preparing for the CMMC now. It takes some time to prepare, implement, and document all of those controls for any organization, whether big or small. The CMMC also requires that organizations have a mature process in place, meaning the processes are implemented and maintained over time. Although your organization can opt for manual and potentially insecure processes involving spreadsheets, cloud drives, and email communication, it can instead opt for automated software solutions like Isora GRC, making it easier to manage compliance.