The Cybersecurity Maturity Model (CMM) is derived from the Cybersecurity Maturity Model Certification (CMMC), a
framework developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to
measure an organization's cybersecurity maturity. The final C is dropped because Certification is an important, but
separate, business decision from data protection. Following the
Program from ASBDC, our focus is on the model itself and on helping organizations protect their own important information.
The CMM spans five levels and aligns processes and practices to the type and sensitivity of the information to be
protected from cyber threats. The model incorporates industry best practices from a variety of cybersecurity standards
and frameworks, along with direct input from the Defense Industrial Base (DIB) community on what is needed to protect
Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMM consists of 17 domains. The majority of these domains originate from the security-related areas in Federal
Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171.
Each level of the CMM builds on the one before it, and an organization implements additional controls as it moves up to
higher levels. A total of 171 practices is divided among the five levels. The model is cumulative: for example, an
organization that wants to satisfy all practices up to Level 3 must implement the practices from Level 1, Level 2, and
Level 3. Below is a description of the intended purpose behind each level and the type of information that will be
- CMM Level 1 is the baseline that any organization with a government contract must meet. It is composed of 17
practices that outline the requirements for Basic Cyber Hygiene under the CMM. Level 1 is equivalent to the
safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21, and its main focus is the protection
of Federal Contract Information (FCI).
- CMM Level 2 is an intermediate step for organizations working toward Level 3 of the CMM. It requires a total
of 72 practices (including the Level 1 practices) and serves as a transition toward the protection of Controlled
Unclassified Information (CUI).
- CMM Level 3 focuses on the protection of CUI. It encompasses all of the security requirements specified in
NIST SP 800-171, as required by DFARS 252.204, plus 20 additional practices, for a total of 130 practices.
- CMM Levels 4 and 5 focus on enhanced security requirements that include practices from NIST SP 800-172. It is
expected that only a small portion of the Defense Industrial Base (DIB) will be required to achieve these levels of
CMM Levels 1-3 will be covered in this training content.
The CMM was developed as a standard for identifying the security posture of an organization. For businesses performing
government contracts, there are requirements for the level at which an organization must be certified in order to receive and keep their
For businesses that do not hold government contracts, the CMM can be used as a vetted cybersecurity standard for
protecting any type of information (e.g. intellectual property, customer data, employee data, etc.).
The level that must be satisfied will depend on what each program office sets for its own RFPs. The required level
will be known prior to proposal submission.
The CMM Accreditation Board (CMM-AB) is organizing a marketplace where organizations seeking certification can
find a CMMC Third-Party Assessor Organization (C3PAO). C3PAOs are accredited organizations that have been trained
to properly conduct CMMC assessments. The AB will then review the assessment findings and is responsible for
granting the accreditation.