What is CMMC? A guide to the Cybersecurity Maturity Model Certification 

Sarah A. Lynn • February 26, 2025

Services: IT Security & Compliance


The Department of Defense (DoD) has implemented a groundbreaking cybersecurity program that affects thousands of contractors and subcontractors across the defense industrial base (DIB). The Cybersecurity Maturity Model Certification (CMMC) creates a standardized framework to protect sensitive defense information from increasingly sophisticated cyber threats.  

This article will explore the fundamentals of CMMC, its implementation requirements, certification levels and the steps organizations must take to achieve compliance. 

Understanding CMMC basics 

The CMMC framework safeguards two critical types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The DoD developed this program to address the growing concern of cyber-attacks targeting defense contractors and their supply chains.  

The framework replaces or enhances the previous self-attestation model with a rigorous third-party assessment system. This shift represents a significant change in how the defense industry approaches cybersecurity, moving from a trust-based model to a verify-based approach. 

“If you are not sure of your CUI or level, a third party is a good idea. All others, Level 1 or greater, must have a third-party auditor, and an advisor/assessor beforehand is helpful.” – Sarah A. Lynn, BPM Advisory Partner, IT Security & Compliance Subject Matter Expert

Who needs CMMC certification? 

All DoD prime contractors and subcontractors must obtain CMMC certification before being awarded contracts containing the CMMC DFARS clause. The certification level required depends on the type of information handled and the contract specifications.  

Even small businesses within the DIB must meet these requirements, though the framework includes cost-effective controls for lower certification levels. Organizations must carefully assess their contractual obligations and information handling requirements to determine the appropriate certification level. 

The three levels of CMMC 

The CMMC framework consists of three progressive levels, each building upon the previous one: 

Level 1 – Foundational 

This level focuses on basic cyber hygiene practices to protect FCI. Organizations must implement 17 fundamental security practices, including regular password changes and basic access controls. This level serves as the entry point for many small contractors and subcontractors working with the DoD. 

Level 2 – Advanced 

Organizations at this level must demonstrate good cyber hygiene practices through 110 security requirements aligned with NIST 800-171 r2. This level specifically protects CUI and requires a documented management plan. The increased requirements reflect the sensitive nature of CUI and the need for more sophisticated protection measures. 

Level 3 – Expert

The highest level demands optimized processes and enhanced security practices to counter advanced persistent threats (APTs). Organizations must implement additional controls beyond Level 2 requirements and demonstrate sophisticated threat detection capabilities. This level is designed for organizations handling the most sensitive unclassified information and those facing sophisticated cyber threats. 

“The significance is the customer’s understanding of their level. If they don’t understand what CUI they have, if they haven’t assessed and maintained that, they need to find out long before an audit.” – Sarah A. Lynn 

Implementation requirements 

Organizations seeking CMMC certification must address multiple domains of cybersecurity practice. The framework evaluates security measures across 14 domains, including access control, incident response and system monitoring.  

Each level requires organizations to demonstrate both the implementation of security practices and the maturation of security processes. Success requires a comprehensive approach that integrates technical controls, procedural measures and organizational policies. 

The certification process 

Certified Third-Party Assessment Organizations (C3PAOs) conduct CMMC assessments. These authorized bodies evaluate an organization’s cybersecurity practices and processes against the required level’s standards.  

Certifications remain valid for three years, requiring organizations to maintain continuous compliance. The assessment process includes documentation review, system testing and personnel interviews to verify the effectiveness of implemented controls. 

Cost considerations and preparation

The DoD recognizes the financial impact of CMMC implementation, particularly on smaller contractors. The framework allows organizations to build their cybersecurity capabilities gradually, making the process more manageable for businesses with limited resources. Organizations should consider several factors when preparing for certification:

  • Current cybersecurity posture assessment 
  • Gap analysis against target certification level 
  • Resource allocation for implementation 
  • Training and documentation requirements 
  • Ongoing maintenance costs 

“Yes, start with the Self-Assessment and if you are not 100% sure or would worry the auditor would not agree, seek an advisor.” – Sarah A. Lynn 

The future of CMMC 

As cyber threats continue to evolve, the CMMC framework will adapt to address new challenges. Organizations must stay current with updates and emerging threats to maintain their certification status and protect sensitive defense information.  

The DIB’s cybersecurity landscape continues to grow more complex, making professional guidance increasingly valuable for organizations seeking and maintaining certification. Regular updates to the framework ensure it remains effective against emerging threats while balancing the need for practical implementation. 

Continuous monitoring and improvement 

Successful CMMC implementation requires ongoing attention to cybersecurity practices. Organizations must establish monitoring programs, conduct regular assessments and maintain documentation of their security practices. This continuous improvement approach helps organizations adapt to new threats and maintain their certification status while strengthening their overall security posture. 

“Most companies are doing something but the spectrum of what and how they monitor is just not covering the CUI. Let us help you look!” – Sarah A. Lynn 

Working with BPM 

BPM offers comprehensive support for organizations navigating the CMMC certification process. Our team provides readiness assessments, gap analysis, remediation planning and implementation guidance tailored to each organization’s unique needs.  

Our proven methodology and dedicated support can help you achieve and maintain compliance while protecting your organization’s role in the defense industrial base. To begin your CMMC certification journey, contact us.

Sarah A. Lynn

Partner, Advisory
BPM Board of Directors

Sarah has over 30 years of Advisory experience and targeted knowledge within the IT Security and compliance field. She has …