CMMC
Definition
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard required for organizations in the Defense Industrial Base (DIB) seeking Department of Defense contracts. CMMC 2.0 establishes three levels of cybersecurity maturity, with Level 2 aligning to the 110 security requirements of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI).
CMMC 2.0 Levels
Level 1: Foundational
17 practices based on FAR 52.204-21 for protecting Federal Contract Information (FCI). Self-assessment is allowed. Applies to contractors that handle FCI but not CUI.
Level 2: Advanced
110 practices aligned with NIST SP 800-171 for protecting CUI. Requires a third-party assessment by a C3PAO for contracts involving information critical to national security; self-assessment is allowed for select contracts.
Level 3: Expert
110+ practices based on NIST SP 800-172 for protecting CUI against advanced persistent threats. Requires government-led assessment by DIBCAC.
Key CMMC Concepts
CUI Environment -- the boundary of systems that process, store, or transmit Controlled Unclassified Information
System Security Plan (SSP) -- the foundational document describing how each requirement is implemented
Plan of Action and Milestones (POA&M) -- documented plan for closing gaps, limited to 180 days under CMMC
SPRS Score -- Supplier Performance Risk System score reflecting self-assessment results against NIST SP 800-171
C3PAO -- Certified Third-Party Assessment Organization authorized to conduct CMMC Level 2 assessments
Scope reduction -- using network segmentation and enclaves to minimize the CUI environment and assessment scope