CMMC - Cybersecurity Maturity Model Certification
CMMC is a five-level cybersecurity assessment and certification model that contractors doing business with the DoD, at every tier of the supply chain, must implement and maintain for the duration of the contract. Under CMMC, DoD contractors are responsible not only for their own companies but also for the sub-contractors they bring on board, who must hold the CMMC level appropriate to the work they perform. CMMC is not a self-assessment: independent CMMC Third Party Assessment Organizations (C3PAOs) certify a company's CMMC level, under a process that the CMMC Accreditation Body (CMMC-AB) is currently developing with the DoD.
CMMC Levels
Key Information about CMMC
- CMMC applies to DoD prime contractors and their sub-contractors.
- Levels are cumulative: a contractor certifying at level 5 must also satisfy every practice and process required by levels 1 through 4.
- CMMC applies to some new contracts starting in September 2020 and is planned to apply to all DoD contracts by 2026.
CMMC Domains
There are 17 interdependent cybersecurity domains, most of which are taken from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The domains are listed below.
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
CMMC Links
Here is the link to the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification FAQ page: CMMC FAQ
Here is the link to the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification requirements page: CMMC Body
The CMMC Accreditation Body is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community, or other communities that may adopt the CMMC, and does not endorse, support, or promote any organization outside of the Accreditation Body that might use the acronym “CMMC" in their organization name, or in any description of the services they may provide.
Page: CMMCAB.org
CMMC Level 1 Assessment Guide
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC).
CMMC Level 3 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3 and Level 2.