Back

CMMC Version 1.0 Announced

The Department of Defense has just released Version 1.0 of CMMC , the Cybersecurity Maturity Model Certification program. It will provide the basis for ensuring compliance under ...

6 min read
Published on Jan 31, 2020
CMMC Version 1.0 Announced

The Department of Defense has just released Version 1.0 of CMMC, the Cybersecurity Maturity Model Certification program. It will provide the basis for ensuring compliance under DFARS (Defense Federal Acquisition Regulation Supplement). It replaces the Version 0.7 draft, which was released in December 2019.

The basics of CMMC

Exactly what is CMMC? It’s a certification process for companies in the Defense Industrial Base (DIB). It’s a standardized way to measure a DIB company’s ability to protect federal contract information and controlled unclassified information (CUI). Five levels of certification are defined, based on the processes and practices which an organization carries out. Contractors doing work for the DoD must get the certification, and their subcontractors have to as well. The defining document is available online.

Accredited third parties will carry out the certification. For many years, the DoD has required its contractors to have an appropriate level of security, but verification has been informal up to now. In 2020, certification will become a requirement for all defense contracts. The higher the certification level a company has, the more contracts it will qualify for.

Cyberattacks are a constant issue, and international espionage is a fact of life. Systematic certification will better protect information which is important to national security. While the details of the certification process haven’t been disclosed yet, the CMMC document states the requirements. Companies can start getting ready for certification now.

CMMC domain structure

CMMC uses a domain-based model, building on the Federal Information Processing Standards (FIPS) and the NIST SP 800-71 controls. There are 17 domains in all. Each domain includes one or more capabilities, and each capability includes at least one practice. Every practice is associated with a certification level. Most of the practices reference one or more standards for clarification.

Domains cover not only cybersecurity but physical and personnel issues as well. Required practices include physical protection, accountability, and training are important, especially when qualifying for the higher levels.

A domain may not necessarily include practices at all five levels. To take a simple example, the Situational Awareness (SA) domain includes one capability, “Implement threat monitoring.” It contains one Level 3 practice and two Level 4 practices.

Most of the domains are more complex, with multiple capabilities containing required practices at all levels. The lower levels consist mostly of common-sense practices within the reach of most businesses. The highest levels require specialized personnel and around-the-clock readiness.

Relationship to security standards

CMMC didn’t develop its practices from scratch but rather brought together elements of well-established standards. They include:

  • 48 CFR 52.204-21: Basic safeguarding of covered contractor information systems
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
  • NIST SP 800-171: Protecting controlled unclassified information in nonfederal systems and organizations
  • United Kingdom Cyber Essentials
  • Australia Essential Eight

Certification levels

Each of the five levels defines a set of supporting practices and processes. The higher levels include all practices and processes for the levels below them. All contractors need at least a Level 1 certification. Compliance at a given level may apply only to the parts of a business that do sensitive work for the DoD. The levels have the following requirements in brief:

  • Level 1: All certified contractors need to carry out basic cybersecurity practices, as specified in 48 CFR 52.204-21. They have to meet physical protection requirements, including limited access, escorting of visitors, and audit logs. There are no process maturity requirements at this level; while security practices are necessary, the institutionalization of them isn’t mandatory.
  • Level 2: Intermediate level cybersecurity is required at this level. It includes a greater emphasis on accountability, incident response, and limitations on access. The organization needs to establish and document policy, practices, and a plan at the institutional level for each applicable domain.
  • Level 3: Organizations that have access to CUI or generate it need Level 3 certification. This level requires “good cyber hygiene,” meeting the requirements of NIST SP 800-171 Rev. 1. Processes need to have adequate resources supporting them, and activities need to be reviewed for adherence to policies.
  • Level 4: The cybersecurity program needs to be “substantial and proactive.” This level emphasizes the prevention and mitigation of advanced persistent threats (APTs), adapting to changing attack tactics. Activities need to be reviewed for effectiveness, and management has to be kept aware of issues that arise.
  • Level 5: The highest level requires an advanced cybersecurity program with the ability to optimize its capabilities. Process maturity needs to include standardization of activities and sharing of improvements across all units. Specialized personnel are necessary, including a security operation center and a cyber incident response team with 24/7 capabilities.

Implications for current contractors

The CMMC requirements apply not just to new contractors but to businesses working on existing contracts. Contractors will have six months after the publication of the requirements to obtain certification. Subcontractors also have to be certified.

A business should start with a self-assessment to determine where it falls short of its target level and fix whatever issues turn up. The more compliant a business is when it starts a certification audit, the smoother the process will be. Failure to get certified could result in the loss or suspension of existing contracts. New RFPs will be restricted to organizations that meet a specified certification level.

The process of obtaining certification is considered an allowable cost. Contractors will be able to recover the costs they put into improving their security and carrying out the certification process. For some companies, the best strategy will be to get a certification at a lower level quickly and then work on reaching a higher level.

Getting certified

Accredited third-party organizations will perform certifications. The process is likely to be complicated, especially for Levels 4 and 5, so a business needs to allow enough lead time and plan for a certain amount of disruption.

Agile IT has extensive experience in securing compliance with US government standards. As a Microsoft Partner, we assist in setting up Azure Government and Office 365 GCC High to be fully compliant with ITAR and with DFARS. Agile IT is one of only 8 AOS-G partners authorized to sell, migrate, and manage Microsoft’s GCC High environment to meet CMMC level 5. For more information, request a quote.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Azure Migration Planning A Complete Assessment Checklist for a Successful Transition

Azure Migration Planning A Complete Assessment Checklist for a Successful Transition

A successful Azure migration starts with proper planning. Use this step-by-step assessment checklist to evaluate infrastructure, dependencies, and tools before migrating.

Jun 23, 2025
7 min read
Migrate On-Premises VMs to Azure: Tips, Advice & Best Practices

Migrate On-Premises VMs to Azure: Tips, Advice & Best Practices

Learn how to migrate on-premises VMs to Azure with expert tips and best practices. Optimize your cloud migration strategy for security, performance, and cost efficiency.

Jun 20, 2025
9 min read
Azure Migration vs AWS Migration Key Differences

Comparing Azure Migration and AWS Migration Key Differences in Cloud Strategy

Comparing Azure and AWS for cloud migration? Learn the key differences in pricing, security, tools, and performance to choose the right platform for your business.

Jun 18, 2025
8 min read
Benefits and Challenges of Azure Cloud Migration

Key Benefits and Challenges of Migrating to Microsoft Azure

Migrating to Microsoft Azure offers scalability and security, but it comes with challenges. Explore the key benefits and hurdles of Azure cloud migration.

Jun 17, 2025
10 min read
Who Needs to Comply with CMMC Regulations? - Agile IT

Who Needs to Follow DoD Cybersecurity Requirements for CMMC Compliance

CMMC regulations apply to defense contractors, subcontractors, and suppliers handling DoD information. Find out who must comply and what certification level is required.

Jun 17, 2025
6 min read
What’s the Real Cost of CMMC Compliance?

The Real Cost of CMMC: Catching Up on What You Were Already Supposed to Be Doing

CMMC isn’t introducing new rules, it’s enforcing what should already be in place. Learn what’s really driving the cost of CMMC compliance.

Jun 16, 2025
4 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation