What You Need to Know about Cybersecurity Maturity Model Certification (CMMC)

It’s coming. That’s the first thing you need to know about the Cybersecurity Maturity Model Certification (CMMC). If your company works on U.S. Department of Defense (DOD) contracts in any way—from tier I prime contractors down to the smallest widget maker—you need to understand this accreditation process. The bottom line is that CMMC will be required for contract awards.

In this article, we’re covering the basics: what CMMC is, how it affects you, and the next steps to prepare for certification.

What is CMMC?

CMMC is not just a checklist accreditation or a one-and-done process. Instead, it’s a framework that evaluates a company’s cybersecurity maturity, ensuring a progression toward stronger security practices. In Microsoft’s Technical Reference Guide for CMMC, the certification is described as “a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which includes over 300,000 commercial companies in the supply chain.” CMMC was developed in response to the increasing number of cybersecurity threats targeting both the country and individual businesses.

Who Certifies for CMMC?

The CMMC Accreditation Body (CMMC-AB) oversees the vetting, training, and accreditation of third-party assessment organizations (3PAOs). These 3PAOs are responsible for evaluating companies’ cybersecurity practices and assigning their CMMC levels. Organizations must be reassessed every three years to maintain certification, ensuring they continue to improve their cybersecurity posture.

Five Levels of Maturity

The CMMC framework consists of five levels, ranging from basic security measures to highly advanced protections.

  • Level 1 includes basic security practices, equivalent to the requirements in the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. Companies currently fulfilling DOD contracts already meet this baseline.
  • Level 2 builds upon Level 1 by adding 48 additional controls from the National Institute of Standards and Technology (NIST) SP 800-171 r1. It serves as a transitional step for companies aiming for Level 3 certification.
  • Level 3 is where more rigorous security controls come into play. This level requires companies to implement all practices from NIST SP 800-171, in addition to 20 more cybersecurity practices. It is considered the “good” cybersecurity hygiene level and is currently the most relevant for contracts being released in 2021 and 2022.
  • Level 4 adds 15 more security controls, including requirements from the draft NIST SP 800-171B. Organizations at this level take a proactive approach to cybersecurity.
  • Level 5 is the most advanced tier, requiring 171 cybersecurity practices. It includes automation and advanced threat detection to maintain an elite level of security.

Who is Affected by CMMC and When?

Any company within the DOD supply chain that accesses, creates, stores, or disseminates Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is affected. As of now, CMMC certification is required before bidding on government contracts. The general timeline follows these steps:

  1. CMMC level designation
  2. Bid submission
  3. Contract award
  4. Defense Federal Acquisition Regulation Supplement (DFARS) self-attestation (if applicable)

By October 2025, all DOD contracts will require a specific CMMC level. However, some contracts are already being released with CMMC requirements.

What’s Next?

The first step to prepare for CMMC is understanding the requirements and assessing your company’s current cybersecurity posture. If your organization hasn’t migrated to Microsoft GCC or GCC High, doing so is highly recommended. Microsoft’s government cloud includes built-in security controls that align with CMMC, reducing the burden of compliance. While Microsoft doesn’t guarantee certification, leveraging their infrastructure can help simplify the process.

As a Microsoft partner specializing in cloud migration, we can help you navigate CMMC certification. Contact us to discuss how your organization can prepare.
