As the US DoD rolls out the CMMC, a new cybersecurity certification program, we look at the different maturity levels and what you will need to consider for its implementation.

After questions were raised over the cybersecurity measures being employed by some defense contractors in the US defense industrial base (DIB), the US Department of Defense (DoD) has introduced Cybersecurity Maturity Model Certification (CMMC).

Contractors in the DIB have been mandated to adopt cybersecurity standards according to the National Institute of Standards and Technology (NIST) cybersecurity framework NIST SP 800-171. However, compliance was self-attested to, which led to many contractors failing to implement the necessary cybersecurity protocols.

CMMC was developed by the DoD to address this problem in a cost-effective manner. It updates existing regulations and ensures contractors have the relevant controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

FCI is information that is either provided by or generated for the Government under contract and is not intended for public release. CUI differs from FCI in that it requires a higher level of protection due to its national security status. It is information that is either created or possessed by the Government, or created or possessed by a contractor on behalf of the Government, and it is covered by a law, regulation or Government policy that requires or permits an agency to handle it using safeguarding or dissemination controls.

CMMC Levels

CMMC considers the level of security in terms of maturity. There are five levels of maturity, which reflect the level at which cybersecurity processes are accomplished:

  1. Basic Cyber Hygiene – processes performed
  2. Intermediate Cyber Hygiene – processes documented
  3. Good Cyber Hygiene – processes managed
  4. Proactive – processes reviewed
  5. Advanced/Progressive – processes optimized


Level 1 Basic Cyber Hygiene – equivalent to all 17 practices in the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21. This focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21. The contractor may only be performing the specified practices on an ad-hoc basis, and therefore process maturity is not assessed.

Level 2 Intermediate Cyber Hygiene – covers 72 practices (FAR, 48 practices from NIST SP 800-171 r1, plus seven practices to support intermediate cyber hygiene). Level 2 serves as a progression from Level 1 towards Level 3. The organization must establish and document practices and policies to guide its CMMC efforts. This allows practices to be replicated and develops maturity.

Level 3 Good Cyber Hygiene – covers 130 practices (FAR, all practices in NIST SP 800-171 r1, plus 20 practices to support intermediate cyber hygiene). Level 3 focuses on the protection of CUI. The organization must plan and maintain each practice within its cybersecurity plan.

Level 4 Proactive – covers 156 practices (FAR, NIST SP 800-171 r1, 11 practices from Draft NIST SP 800-172, plus 15 practices to demonstrate a proactive cybersecurity program). Level 4 focuses on the protection of CUI from Advanced Persistent Threats (APTs). It requires the organization to measure and review the efficacy of its practices and to undertake corrective actions where gaps are found.

Level 5 Advanced/Progressive – covers 171 practices (FAR, NIST SP 800-171 r1, 4 practices from Draft NIST SP 800-172, plus 11 practices to demonstrate an advanced cybersecurity program). The highest CMMC level focuses on the protection of CUI from APTs. The result is cybersecurity capabilities with increased depth and sophistication.

Implementation of CMMC

CMMC is assessed by certified independent third-party organizations. The DIB contractor coordinates directly with the independent certification organization to request and schedule the assessment. Contractors can also specify which level of certification they wish to be assessed for, based on their business requirements. Contractors with higher maturity levels will be able to tender for contracts that require higher cybersecurity levels.

In keeping with the sensitive nature of the material being protected, it is expected that CMMC audits will be rigorous. As with all newly mandated certification requirements, it is also predicted that demand for certification services will be high during the initial CMMC cycle. It is therefore important to begin the process towards certification at the earliest possible stage.

Things to consider:

  • What are the boundaries of the program? Physical locations, systems, data storage, stakeholders, etc. – part of the System Security Plan, a Level 2 practice, CA.2.157
  • What level should you be certified to? This will depend on the requirements and plans of your business
  • Gap analysis to assess your organization’s level of readiness. Identified gaps should then be addressed prior to the audit (this may include physical changes, the implementation of new systems, training, etc.)
  • Are your existing systems NIST SP 800-171 compliant?


Finally, it is important to remember that CMMC does not supplant any contractual requirements by which an organization is currently bound. CMMC is an additional requirement, designed by the DoD to ensure that contractors in the DIB are performing the cybersecurity protocols necessary to protect national security.

SGS Solutions

SGS offers pre-assessment services to help contractors receive Cybersecurity Maturity Model Certification (CMMC).

Learn more about SGS CMMC Services

Training for CMMC is coming soon as well.