Cybersecurity Maturity Model Certification for DoD Contractors


DoD contractors must be familiar with the Cybersecurity Maturity Model Certification (CMMC). Here are the important things you should understand.

Experts believe within ten years, there will be a ransomware attack every 2 seconds. As ransomware attacks become more of an everyday nuisance, they are far from slowing down.


Thus, cybersecurity is an increasingly important topic to discuss. It's evermore valid for safeguarding the most vulnerable information. In 2020, the Department of Defense (DoD) announced that all DoD contractors must follow CMMC standards. 

What does this mean for government contractors? This article is going to tell you everything you need to know. 

What is CMMC?

The cybersecurity maturity model certification (CMMC) is a standardized model for implementing cybersecurity. It pertains to those in the Defense Industrial Base (DIB). The DIB includes more than 100,000 companies and their subcontractors. They provide several services for the DoD.

In the past, DoD contractors were responsible for implementing, monitoring, and certifying their security. Contractors need protection for information technology systems. These systems store and transmit sensitive DoD information.

Yet, the DoD recognized that self-control of cybersecurity certifications for subcontractors wasn't enough. The rise of digital technology brought new threats with it. There are more attacks on the supply chain than ever before.

So, new clauses require contractors to adhere to compliance requirements. 

The CMMC will measure a company's classification of cybersecurity practices and processes. By October 1, 2025, all DoD contractors and subcontractors will need to follow CMMC guidelines. 

However, contractors must start implementing the new compliance system into their practices now. This is because the DoD has begun the certification process. Thus, they already require some of the minimal requirements to become a DoD contractor.

The CMMC Framework for DoD Contractors

The framework has 17 domains of technical capability. Each tier lays more practices and processes with five levels of certification (L1-L5). DoD contractors must have a CMMC Level 3 certification before receiving controlled unclassified information (CUI).

The 17 domains are:

  • Access control 
  • Asset management
  • Audit and accountability
  • Awareness and training
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Recovery
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • System and communication protection
  • System and information integrity

The CMMC Accreditation Board appoints Certified Third-Party Assessor Organizations (C3PAOs) to assess and audit a contractor's tier score. The CMMC certification is good for three years.

Leveled Practices and Process Maturity

To meet a CMMC level, contractors must show technical practices and maturity processes for that level and all preceding lower levels.   Level 1 is for basic cybersecurity practices. It focuses on protecting federal contract information (FCI). FCI is information not intended for public release.

Process maturity is not assessed at Level 1 and only begins at Level 2.  Level 2 is an intermediate step in maturity progression. So is it where a company establishes and documents practices within a domain. A guiding policy that states the objectives of the CMMC domain must be in place.

Level 3 focuses on protecting CUI. For maturity level 3, an organization must establish, maintain, and resource a plan for managing domain practices.

Level 4 creates a shift for DoD contractors to focus on proactive activities. This level centers on protecting, detecting, and responding to threats. Organizations need to be able to adapt to changing tactics, techniques, and procedures (TTPs).

Advanced persistent threats (APTs) use TTPs in attacks. 

Maturity level 4 focuses on effectiveness and corrective actions. 

Level 5 centers on protecting CUI from APTs. The practices at Level 5 are the most sophisticated of all cybersecurity capabilities. Maturity level 5 requires standardization and optimization throughout the company. 

Tiers of System Assessments

There are three types of assessments organizations can go through to receive compliance. The first is a basic assessment, which is a self-assessment. The organization starts will 110 points. Then, it subtracts the value assigned to any not-yet-implemented categories laid out by the National Institute of Standards and Technology (NIST). 

The score goes into the Supplier Performance Risk System (SPRS) database.

The second is a medium-government assessment. Contractors with sensitive information or special defense programs must have a government assessment. The DoD will assess the organization's System Security Plan (SSP).

The last option is a high-government assessment. It includes everything from the medium review. But it also has a demonstration of security systems for assessors.

CMMC vs. DFARS

Before CMMC, there was the Defense Federal Acquisition Regulation Supplement (DFARS). The program started in 2016. It was the government's first attempt to protect itself from cybersecurity attacks.

DoD contractors needed to have the security controls in DFARS to protect CUI. They also needed to have simple reporting processes in place. The main goal of DFAR was to protect against cybersecurity threats. But also to respond to breaches as fast and efficiently as possible. Contractors that didn't meet these standards couldn't work with the DoD.

DFARS and CMMC are very similar in many ways. Experts used the DFARS framework to build CMMC. Both target contractors and subcontractors on how to protect CUI with security controls. Yet, CMMC is a more complex system with its maturity levels and compliance structure. In addition, while DFARS allows for self-assessment, CMMC requires an assessment by a third party. 

Even with CMMC in place, the DoD is still using DFARS. Together, they create a more secure environment for government agencies and contractors. As a result, organizations using both can withstand advanced cybersecurity threats.

DoD contractors will need to follow both guidelines to stay compliant and work with the DoD from now on. It is the only way organizations can remain secure enough to protect data flowing in and out of their systems. Furthermore, CMMC is still evolving. This means the DoD may put more security measures into place over time.

Work with a CMMC Registered Provider Organization (RPO)

As cyber threats continue to worsen, the most sensitive data needs to remain secure. Following the CMMC, DoD contractors will have a better framework and understanding for how to do so. Notably, the CMMC doesn't only apply to the DoD. Businesses of all sizes should be aware of cybersecurity threats against them.


Bridgehead IT is a CMMC Registered Provider Organization (RPO).

We have expertise in CMMC Compliance and a full range of Cyber Security and Compliance Solutions.

Contact us today about a security risk assessment for your business. 

[email protected]

(210) 477-7900

DID YOU KNOW?

Bridgehead IT is a CMMC Registered Provider Organization (RPO).

We have expertise in CMMC Compliance and a full range of Cyber Security and Compliance Solutions.