Cyber Maturity Model Certification (CMMC)

What Is Cyber Maturity Model Certification (CMMC)?

The Cyber Maturity Model Certification (CMMC) is a certification program developed by the U.S. Department of Defense to ensure that contractors and subcontractors who handle sensitive information have adequate cybersecurity practices in place. It applies to any organization in the Defense Industrial Base (DIB) that processes, stores, or transmits Controlled Unclassified Information (CUI).

Description

CMMC 2.0 is structured across three maturity levels, each requiring an increasing set of cybersecurity practices aligned to NIST SP 800-171. Level 1 requires annual self-assessment against 17 basic practices. Level 2 requires a third-party assessment against 110 practices. Level 3 is reserved for the most sensitive programs and requires government-led assessments. Achieving CMMC certification is increasingly a prerequisite for winning DoD contracts.

Usage and Examples

A defense contractor handling technical drawings for military hardware must achieve CMMC Level 2 certification before bidding on new DoD contracts. This involves assessing its current controls against NIST SP 800-171, remediating any gaps, and undergoing an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

Evolve Security's Advisory service supports defense contractors navigating the CMMC certification process and preparing their security programs for assessment.
