Is your company CMMC compliant ?

Cybersecurity Maturity Model Certification (CMMC) is a DoD certification process that measures a Federal Prime or Sub-Contractor company’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC combines various cybersecurity standards and maps the best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced security requirements.

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.

  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC level
  • The intent is for certified independent 3rd party organizations (C3PAO) to conduct audits and inform risk.

The CMMC model framework (Figure 1) categorizes cybersecurity best practices at the highest level by domains.

Figure 1: CMMC Domain, Capabilities, Practices and Processes

Each domain is further segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain. Companies will further demonstrate compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC.

Under this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, and processes will measure the maturity of a company’s processes.

Within each domain, DIB companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and demonstrate mature processes as required for the given CMMC level.

The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid.

The CMMC model has five defined levels, each with a set of supporting practices and processes. Practices range from Level 1 (basic cyber hygiene) and to proactive and advanced Levels 4 and 5. In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.

Level Number of Practices Requirements
One – Basic Cyber Hygiene 17 · Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204- 21
Two – Intermediate Cyber Hygiene 72 · Comply with the FAR.

· Includes a subset of 48 practices made from the NIST SP.

· Includes an additional 7 practices to support intermediate cyber hygiene.

Three – Good Cyber Hygiene 130 · Comply with the FAR.

· Encompasses all practices from NIST SP 800-171 r1.

· Includes an additional 20 practices to support good
cyber hygiene.

Four – Proactive 156 · Comply with the FAR.

· Encompasses all practices from NIST SP 800-171 r1.

· Includes a select subset of 11 practices from Draft NIST SP 800-171B.

· Includes an additional 15 practices to demonstrate a proactive cybersecurity program.

Five – Advanced/Progressive 171 · Comply with the FAR.

· Encompasses all practices from NIST SP 800-171 r1.

· Includes a subset of 4 practices from Draft NIST SP 800-171B.

· Includes an additional 11 practices to demonstrate an advanced cybersecurity program.


What we offer

• Ground up CMMC compliance
• Maturing from one CMMC level to the next
• Gap analysis
• Control Selection and Tailoring
• Control Implementation guidance
• Develop System Security Plan (SSP)
• Develop Plan of Action and Milestones (POA&Ms)
• Audit ready artifacts
• Managed Security Service Provider for ongoing CMMC compliance

Time is running out on CMMC compliance. We can help you jumpstart your CMMC journey. Please get in touch with us today at inquiries

Mohammad K.
Security Blogger at InterSec,Inc.