MSU SBDC CyberSecurity

CMM Overview

security shield graphic The Cybersecurity Maturity Model (CMM) is a document developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to measure an organization's cybersecurity maturity. The CMM is based on the Cybersecurity Maturity Model Certification or CMMC. The final C is dropped as Certification is an important, but separate business decision from data protection. Following the North Star CMM Program from ASBDC, our focus is on the model and helping organizations to protect their own important information.

The CMM spans five levels and aligns processes and practices to the type, and sensitivity, of information that is to be protected from cyber threats. The model includes industry best practices from a variety of cybersecurity standards, frameworks, and direct input from the Defense Industrial Base (DIB) community on what is needed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMM consists of 17 domains. The majority of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) Publication 200 and the related security requirement families from NIST SP 800-171.

CMM Levels

Each level of the CMM builds on the level prior to it and the organization will implement additional controls as it moves up to higher levels. There are a total of 171 practices that are divided among the five levels. The model is cumulative in nature. For example, if an organization would like to satisfy all practices up to Level 3, they would have to implement practices from Level 1, Level 2, and Level 3. Below is a description of the intended purpose behind each level and the type of information that will be protected.

level 1 header image
CMM Level 1 is the baseline that any organization with a government contract must have. It is composed of 17 practices that outline the requirements for Basic Cyber Hygiene according to the CMM. Level 1 is equivalent to all the safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21. Its main focus is the protection of Federal Contract Information (FCI).
level 1 header image
CMM Level 2 is an intermediate step for organizations attempting to achieve Level 3 of CMM. It requires a total of 72 practices (it includes practices from Level 1). This level is used to progress to the protection of Control Unclassified Information (CUI).
level 1 header image
CMM Level 3 focuses on the protection of CUI. This level encompasses all of the security requirements specified in NIST SP 800-171 as described by DFARS 252.204 plus 20 additional practices. It requires a total of 130 practices.
level 1 header image
CMM Level 4 & 5 focus on using enhanced security requirements that include practices from NIST 800-172. It is expected that only a small portion of the Defense Industrial Base (DIB) will be required to need these levels of certification.
CMM Levels 1-3 will be covered in this training content.

Data Protection

The CMM was developed as a standard to identify the security posture of an organization. For businesses performing government contracts, there are requirements for which level an organization must be certified to receive and keep their government contract.

For businesses that do not have government contracts, the CMM can be used as a vetted cybersecurity standard for protecting any type of information. (e.g. intellectual property, customer data, employee data. etc.).


The requirements for which level needs to be satisfied will depend upon what each program office sets for their own RFPs. The required level will be known prior to proposal submission.

The CMM Accreditation Board (CMM-AB) is organizing a marketplace where organizations seeking certification will be able to visit to find a CMMC Third-Party Assessor Organization (C3PAO). C3PAO's are accredited organizations that have been trained on how to properly conduct CMMC assessments. The AB will then review the findings and be responsible for providing the accreditation.