What Is the DoD’s New Cybersecurity Maturity Model Certification, and What Does It Mean for Defense Contractors?


James Masella

VP, Compliance Advisory, Coalfire

October 4, 2019

Citing the threat of compromise of Controlled Unclassified Information (CUI) within the defense industrial base (DIB), along with the high cost of cyber breaches in general, the Office of the Assistant Secretary of Defense for Acquisition has initiated a program for rating the cybersecurity maturity of defense contractors. At the program’s core is a new Cybersecurity Maturity Model Certification (CMMC) based on a multi-level and multi-domain matrix of cybersecurity controls. 

A New Standard and a New Requirement

The CMMC encompasses existing standards and guidelines; the intent is to provide the Department of Defense (DoD) with a cybersecurity yardstick to inform its acquisition decisions via a consistent certification program. The CMMC program will go into effect in late 2020, and contractors should start seeing maturity level requirements in requests for proposal (RFPs) as early as next summer.

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment website, all contractors seeking to perform work for the Department of Defense will be required to demonstrate compliance with CMMC v1.0 and receive an independent third-party assessment organization (3PAO) certification by the fall of 2020. While CMMC validation and certification will need to be conducted by 3PAOs, the door is open to allow some organic DoD assessors to be used to conduct higher-level assessments. Contractors will be responsible for engaging a 3PAO to obtain a certification at their desired maturity level. Self-attestations of controls implementation will not be allowed.

A preliminary feedback period on the draft version 0.4 of the CMMC model closed on September 25th. An updated draft, CMMC v0.6, will be open for public review in November 2019. CMMC v1.0 is due to be finalized and released in January 2020, and, by the end of 2020, CMMC certification will be in effect. It has not yet been decided how often, if at all, a contractor must re-certify their maturity level. The CMMC level requirement will be written into contract language; proposal teams can expect this to be spelled out in sections L and M of DoD RFPs beginning next summer.

This maturity model provides an assessment framework to evaluate companies based on their cybersecurity posture (or maturity), from basic cyber hygiene (Level 1) to “highly advanced cybersecurity practices” (Level 5). To reach Level 5, an organization is assessed against capabilities that cover both its processes and its practices. Level 3 is currently considered the minimum level on the model that meets the security requirements of NIST SP 800-171 Rev. 1, which forms the compliance standard for the National Archives and Records Administration’s (NARA) CUI program and is a baseline requirement in Defense Federal Acquisition Regulation Supplement (DFARS) 7012.


Most of the 18 domains are named the same as the security control families within the NIST SP 800-53 standard. Additional domains such as Cybersecurity Governance, Situational Awareness, and Recovery, however, reflect the multi-framework and multi-perspective nature of the model. Additional standards and models that the CMMC pulls from include:

  • CERT Resilience Management Model (CERT-RMM)
  • Defense Industrial Base Sector Coordinating Council (DIB SCC)
  • ISO 27001:2013 Standard
  • Center for Internet Security’s Critical Security Controls 7.1
  • Aerospace Industries Association’s NAS9933 National Aerospace Standard
  • NIST Cybersecurity Framework
  • NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations
  • NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

3PAO Support

Because CMMC will eliminate contractors’ ability to self-attest as they were able to do in their implementation of NIST 800-171 security controls to protect CUI, they will need to reach out to 3PAOs for assistance. Much as 3PAOs provide assessment, advisory, and engineering support to cloud service providers in FedRAMP, they likely will play a similar role in the implementation of CMMC.


When compared to the adoption of some other compliance frameworks, CMMC is coming quickly! This rigorous maturity model will cover 18 domains from Situational Awareness to Maintenance, System, and Communications Protection. Experienced and highly reputable cybersecurity firms and 3PAOs, like Coalfire, are uniquely positioned to provide assessment and advisory services to help contractors meet their DoD cybersecurity maturity level needs. Please contact Coalfire if you have additional questions about CMMC.

Ruchi Gupta, Senior Consultant, FedRAMP & Assurance Services, also contributed to this blog.