The Cybersecurity Maturity Model Certification (CMMC) was slated to be added to major DoD contracts in 2020 as a uniform "go / no-go" standard at the time of award. It requires organizations in the Department of Defense (DoD) supply chain to undergo a CMMC assessment by an accredited CMMC assessor. Basic cyber hygiene (Level 1) is a set of basic safeguards used to keep sensitive data protected from cyber attacks and theft. The certification builds directly on the existing DFARS cybersecurity requirements. CMMC Level 2 covers intermediate cyber hygiene and serves as a transition step for organizations progressing from Level 1 to Level 3.
However, the definition of each level and the path to the desired CMMC level may not be obvious. At Level 1, an organization may perform the required practices only on an ad hoc basis, so process maturity is not assessed at this level. Documentation is not required at ML 1 unless a specific practice calls for it. Beyond giving the DoD a way to rigorously measure the cybersecurity capabilities of the DIB supply chain, the CMMC framework lets the DoD make informed risk decisions about the information it shares with DIB contractors. All of this helps set clear, legitimate expectations for DIB partners.
Most small and medium-sized companies in the defense industrial base will seek CMMC Level 3 certification. This is the minimum level required for any organization that handles CUI. It includes all of the security requirements specified in NIST SP 800-171, plus additional practices drawn from other standards and references. The requirements at this level are rigorous (security information and event management, business continuity / disaster recovery plans and procedures), but they are not out of reach for small and medium businesses. The challenge is that the standard must be met 100% to obtain certification; there is no partial credit. Organizations that do not fully meet it will not be awarded contracts that involve handling CUI.

Levels 4 and 5 aim to further strengthen CUI protection and reduce the risk from advanced persistent threats mounted by sophisticated adversaries. In addition to the practices, each capability domain carries process maturity requirements spanning maturity level 1 through maturity level 5. To achieve a given CMMC level, an organization must demonstrate both the technical practices and the maturity processes defined for that level, as well as those of all lower levels.
Contractors must obtain certification before they can be awarded future DoD contracts. CMMC 1.0 differs from DFARS 252.204-7012 in that it enforces the requirement before award rather than allowing the contractor time to comply afterward. Contractors are evaluated on the actual implementation of technical controls, not just on their documentation and policies. These assessments result in a certification at Level 1 through Level 5, with Level 5 being the most stringent.
CMMC practices are what most information security standards call "controls." Examples include multi-factor authentication, end-to-end encryption of CUI, alert logging (most often implemented through a security information and event management (SIEM) solution), spam protection, sandboxing, and so on.