What is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) (which is still being drafted) is a brand-new cybersecurity compliance stipulation for existing Department of Defense (DoD) contractors. CMMC will replace the current self-assessment model and signals a move towards third-party certification.

CMMC will be built upon existing requirements like:

  • NIST SP 800-171
  • NIST SP 800-53
  • AIA NAS9933
  • DFARS 252.204-7012

It’s the next phase of the DoD’s efforts to completely secure all aspects of the Defense Industrial Base (DIB). There will be five (5) CMMC levels designed to assess and measure the cybersecurity practices of contractors, and all vendors should thus prepare by undergoing a thorough CMMC audit:

  • Level 1: Basic Hygiene
  • Level 2: Intermediate Hygiene
  • Level 3: Good Hygiene
  • Level 4: Proactive Hygiene
  • Level 5: Advanced/Progressive Hygiene

Contractors will be judged based on the implementation of technical controls as well as the effectiveness of their documentation and policies. Everyone in the DoD supply chain must be certified. RSI Security is deeply familiar with all the security controls required by the CMMC and can help you prepare to get certified.


What are C3PAO (Certified Third-Party Assessment Organizations)?

C3PAO (Certified Third-Party Assessment Organizations) will be the sanctioned assessors that will be licensed and certified to help you achieve compliance with all CMMC (Cybersecurity Maturity Model Certification) regulations.

RSI Security will be undergoing the process to become a C3PAO (Certified Third-Party Assessment Organization) once made available.


CMMC Certification Requirements

Any company, business, or organization that does business with the DoD will be required to meet CMMC requirements (once finalized and out of the drafting phase). CMMC levels are put forth by the DoD, and a C3PAO (Certified Third-Party Assessment Organization) will help you determine what level is necessary depending on the type of Controlled Unclassified Information (CUI) you process or handle.

CMMC DoD requirements will also take into account the maturity of your company’s institutional cybersecurity processes and practices. Working with a C3PAO as soon as possible will help you adjust your cybersecurity infrastructure to this new, third-party compliance standard and ensure your continued success as a DoD contractor.

Cybersecurity Maturity Model Certification (CMMC) Levels

CMMC Level 1: Basic Hygiene

Anyone doing business with the DoD must achieve at least Level 1 compliance. This level requires basic cybersecurity hygiene practices appropriate for smaller companies. There are 17 specific "practices" defined in CMMC v0.7 currently. The final requirements will be released in the official 1.0 release at the end of January.

CMMC Level 2: Intermediate Hygiene

Level 2 involves universally accepted cybersecurity best practices that are well documented, with access to CUI requiring multi-factor authentication. Level 2 includes 55 security practices beyond Level 1 per CMMC v0.7.

CMMC Level 3: Good Hygiene

Level 3 requires 59 practices beyond Level 2. Processes at this level are well-followed and maintained, with a comprehensive knowledge of all cyber assets.

CMMC Level 4: Proactive Hygiene

Level 4 requires the implementation of 26 additional advanced and sophisticated cybersecurity practices based largely on the CMMC v0.7 adaptation of NIST SP 800-171B. Level 4 processes are regularly reviewed, properly resourced, and improved company-wide. Breach responses must operate at machine speed.

CMMC Level 5: Advanced/Progressive Hygiene

Level 5 requires 44 additional security practices, most of which are CMMC adaptations of NIST SP 800-171B. Highly advanced cybersecurity practices must be in place, and processes implemented at this level must be continually reviewed and improved across your enterprise with machine-speed breach response.

How can RSI Security help your organization prepare for certification?

Cybersecurity Maturity Model Certification (CMMC) doesn’t have to be a headache. As a top compliance certification company, RSI Security can help you prepare to meet the drafted CMMC certification requirements as soon as possible.

As a seasoned QSA (Qualified Security Assessor), ASV (Approved Scanning Vendor), authorized HITRUST CSF Assessor, and veteran in helping companies achieve compliance in various frameworks and industries, including NIST 800-171 and DFARS, we are prepared to help you get all of your internal processes and practices up to par in preparation for CMMC.

Ready to get started? Contact a compliance expert at RSI Security now to start preparing for your own upcoming CMMC assessment.


Act Now

Get started on your CMMC compliance journey. Speak with one of our compliance experts today!
