
A Look Into CMMC Maturity Framework and its 5 Levels


In January, the U.S. Department of Defense released Version 1.0 of its Cybersecurity Maturity Model Certification framework (CMMC). By 2026, DoD plans to require CMMC certification for all defense contracts. Contractors in the defense industry supply chain will be required to develop, assess, and augment cybersecurity practices, earning different maturity levels. 

The CMMC framework consists of five cumulative levels of cybersecurity maturity. Within each level are two types of benchmarks a company must meet to demonstrate achievement at that level: practices and processes.

Under practices, a company must implement the cybersecurity measures required for each level; under processes, the company must demonstrate that the required practices are integrated into its operations at each level, which the DoD has labeled institutionalization.

Practices and processes measure proficiency across a set of domains, such as access control, incident response, and risk management. DoD has scaled the practices and processes to each maturity level based on factors such as the type and sensitivity of information needing protection and the range of threats posed.

As the information sensitivity and adversarial threats involved in a contract increase, the DoD will require a higher maturity level from bidding contractors. Level 1 is the most basic level of maturity, where a company may perform certain security practices only on an ad hoc basis. Level 2 is a transitional level of maturity and requires a company to have documented practices.

Level 3 focuses on the protection of controlled unclassified information (CUI) and incorporates all NIST SP 800-171 requirements, among other practices. Levels 4 and 5 require greater cybersecurity sophistication, including the ability to proactively measure and assess cybersecurity practices and take corrective action when necessary.

Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, will serve as a keynote speaker at the CMMC Forum 2020. She will address the CMMC's timeline and how the certification process could change, and will discuss a memorandum of understanding with a newly established CMMC accreditation body.

A full expert panel will include Ty Schieber, senior director of executive education at the University of Virginia and CMMC-AB chairman, and Richard Naylor of the Defense Counterintelligence and Security Agency, among other members of the federal sector and industry.

Register here to join Potomac Officers Club for its CMMC Forum 2020 on April 2 to learn about the impact DoD’s CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.