MSU SBDC CyberSecurity

CMM Overview

security shield graphic The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs) and the Defense Industrial Base (DIB) to measure an organization's cybersecurity maturity.

The North Star CMM repurposes the CMMC for broader use by all businesses while maintaining the integrity of the model. The last C is dropped as Certification is a separate business decision from cyber and data protection. The remainder of this page focuses on the structure and practices that must be followed to satisfy each level of the model and is referred to as the CMM.

The CMM spans five levels and aligns processes and practices to the type, and sensitivity, of information that is to be protected from cyber threats. The model includes industry best practices from a variety of cybersecurity standards, frameworks, and direct input from the DIB community. The model was originally designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by government contractors. The CMM has wide application for any business that needs to protect confidential information.

The CMM consists of 17 domains. The majority of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171.

MSU SBDC Cybersecurity is not a certifying body and has no affiliation with the CMMC Accreditation Board (CMMC-AB). As the CMM is discussed, we provide broad guidance on how to protect a business’s confidential information.

CMM Levels

Each level of the CMM builds on the level prior to it and the organization will implement additional controls as it moves up to higher levels. There are a total of 171 practices that are divided among the five levels. The model is cumulative in nature. For example, if an organization would like to satisfy all practices up to Level 3, they would have to implement practices from Level 1, Level 2, and Level 3. Below is a description of the intended purpose behind each level and the type of information that will be protected.

level 1 header image
CMM Level 1 is the baseline that any organization with a government contract must have. It is composed of 17 practices that outline the requirements for Basic Cyber Hygiene according to the CMM. Level 1 is equivalent to all the safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21. Its main focus is the protection of Federal Contract Information (FCI).
level 1 header image
CMM Level 2 is an intermediate step for organizations attempting to achieve Level 3 of CMM. It requires a total of 72 practices (it includes practices from Level 1). This level is used to progress to the protection of Control Unclassified Information (CUI).
level 1 header image
CMM Level 3 focuses on the protection of CUI. This level encompasses all of the security requirements specified in NIST SP 800-171 as described by DFARS 252.204 plus 20 additional practices. It requires a total of 130 practices.
level 1 header image
CMM Level 4 & 5 focus on using enhanced security requirements that include practices from NIST 800-172. It is expected that only a small portion of the Defense Industrial Base (DIB) will be required to need these levels of certification.

Data Protection

The CMM can be used as a standard to identify the security posture of an organization. For businesses performing government contracts, there are requirements for which level an organization must be certified to receive and keep their government contract.

For businesses that do not have government contracts, the CMM can be used as a vetted cybersecurity standard for protecting any type of information. (e.g. intellectual property, customer data, employee data. etc.).

CMMC Requirements

For businesses that do hold contracts with the U.S. government, there are requirements for which level of the CMMC that needs to be satisfied. This will depend upon what each program office sets for their own RFPs. The required level will be known prior to proposal submission.

The CMMC Accreditation Board (CMMC-AB) offers a marketplace where businesses seeking certification will be able to visit to find a CMMC Third-Party Assessor Organization (C3PAO). C3PAO's are accredited organizations that have been trained on how to properly conduct CMMC assessments.