CMMC Version 1.0 Announced

6 min read
Published on Jan 31, 2020
The Department of Defense has just released Version 1.0 of CMMC, the Cybersecurity Maturity Model Certification program. It will provide the basis for ensuring compliance under DFARS (Defense Federal Acquisition Regulation Supplement). It replaces the Version 0.7 draft, which was released in December 2019.

The basics of CMMC

Exactly what is CMMC? It’s a certification process for companies in the Defense Industrial Base (DIB). It’s a standardized way to measure a DIB company’s ability to protect federal contract information and controlled unclassified information (CUI). Five levels of certification are defined, based on the processes and practices which an organization carries out. Contractors doing work for the DoD must get the certification, and their subcontractors have to as well. The defining document is available online.

Accredited third parties will carry out the certification. For many years, the DoD has required its contractors to have an appropriate level of security, but verification has been informal up to now. In 2020, certification will become a requirement for all defense contracts. The higher the certification level a company has, the more contracts it will qualify for.

Cyberattacks are a constant issue, and international espionage is a fact of life. Systematic certification will better protect information which is important to national security. While the details of the certification process haven’t been disclosed yet, the CMMC document states the requirements. Companies can start getting ready for certification now.

CMMC domain structure

CMMC uses a domain-based model, building on the Federal Information Processing Standards (FIPS) and the NIST SP 800-171 controls. There are 17 domains in all. Each domain includes one or more capabilities, and each capability includes at least one practice. Every practice is associated with a certification level. Most of the practices reference one or more standards for clarification.

Domains cover not only cybersecurity but physical and personnel issues as well. Required practices such as physical protection, accountability, and training are important, especially when qualifying for the higher levels.

A domain may not necessarily include practices at all five levels. To take a simple example, the Situational Awareness (SA) domain includes one capability, “Implement threat monitoring.” It contains one Level 3 practice and two Level 4 practices.

Most of the domains are more complex, with multiple capabilities containing required practices at all levels. The lower levels consist mostly of common-sense practices within the reach of most businesses. The highest levels require specialized personnel and around-the-clock readiness.

Relationship to security standards

CMMC didn’t develop its practices from scratch but rather brought together elements of well-established standards. They include:

  • 48 CFR 52.204-21: Basic safeguarding of covered contractor information systems
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
  • NIST SP 800-171: Protecting controlled unclassified information in nonfederal systems and organizations
  • United Kingdom Cyber Essentials
  • Australia Essential Eight

Certification levels

Each of the five levels defines a set of supporting practices and processes. The higher levels include all practices and processes for the levels below them. All contractors need at least a Level 1 certification. Compliance at a given level may apply only to the parts of a business that do sensitive work for the DoD. The levels have the following requirements in brief:

  • Level 1: All certified contractors need to carry out basic cybersecurity practices, as specified in 48 CFR 52.204-21. They have to meet physical protection requirements, including limited access, escorting of visitors, and audit logs. There are no process maturity requirements at this level; while security practices are necessary, the institutionalization of them isn’t mandatory.
  • Level 2: Intermediate level cybersecurity is required at this level. It includes a greater emphasis on accountability, incident response, and limitations on access. The organization needs to establish and document policy, practices, and a plan at the institutional level for each applicable domain.
  • Level 3: Organizations that have access to CUI or generate it need Level 3 certification. This level requires “good cyber hygiene,” meeting the requirements of NIST SP 800-171 Rev. 1. Processes need to have adequate resources supporting them, and activities need to be reviewed for adherence to policies.
  • Level 4: The cybersecurity program needs to be “substantial and proactive.” This level emphasizes the prevention and mitigation of advanced persistent threats (APTs), adapting to changing attack tactics. Activities need to be reviewed for effectiveness, and management has to be kept aware of issues that arise.
  • Level 5: The highest level requires an advanced cybersecurity program with the ability to optimize its capabilities. Process maturity needs to include standardization of activities and sharing of improvements across all units. Specialized personnel are necessary, including a security operation center and a cyber incident response team with 24/7 capabilities.

Implications for current contractors

The CMMC requirements apply not just to new contractors but to businesses working on existing contracts. Contractors will have six months after the publication of the requirements to obtain certification. Subcontractors also have to be certified.

A business should start with a self-assessment to determine where it falls short of its target level and fix whatever issues turn up. The more compliant a business is when it starts a certification audit, the smoother the process will be. Failure to get certified could result in the loss or suspension of existing contracts. New RFPs will be restricted to organizations that meet a specified certification level.

The process of obtaining certification is considered an allowable cost. Contractors will be able to recover the costs they put into improving their security and carrying out the certification process. For some companies, the best strategy will be to get a certification at a lower level quickly and then work on reaching a higher level.

Getting certified

Accredited third-party organizations will perform certifications. The process is likely to be complicated, especially for Levels 4 and 5, so a business needs to allow enough lead time and plan for a certain amount of disruption.

Agile IT has extensive experience in securing compliance with US government standards. As a Microsoft Partner, we assist in setting up Azure Government and Office 365 GCC High to be fully compliant with ITAR and with DFARS. Agile IT is one of only 8 AOS-G partners authorized to sell, migrate, and manage Microsoft’s GCC High environment to meet CMMC level 5. For more information, request a quote.
