Cybersecurity Maturity Model Certification


The Department of Defense (DoD) has released the Cybersecurity Maturity Model Certification (CMMC) Version 1.0, a new framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. CMMC builds on DFARS 252.204-7012, which requires contractors to implement NIST SP 800-171, and replaces that clause's self-attestation with assessment and certification by an accredited third party.

Although CMMC Version 1.0 has just been released (January 2020), all organizations that provide services to the DoD will eventually need to be CMMC certified in order to bid on future DoD solicitations. The first solicitations with a required CMMC maturity level are expected to be released as early as June 2020.

Maturity Level Overview

The CMMC defines five maturity levels that range from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5). Each level specifies a set of practices (the security activities an organization performs) and processes (the degree to which those practices are institutionalized); together they reduce the risk of an adversary breaching a company's cybersecurity defenses. Levels are cumulative: certification at a given level requires meeting the practices and processes of every lower level as well. Based on CMMC Version 1.0 released in January 2020, the maturity levels are described as follows:

Maturity Level 1
  Practices:
  • Basic cybersecurity
  • Achievable for small companies
  • Subset of universally accepted common practices
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions
  Processes (Performed):
  • Practices are performed, at least in an ad hoc manner

Maturity Level 2
  Practices:
  • Inclusive of universally accepted cybersecurity best practices
  • Resilient against unskilled threat actors
  • Minor resistance against data exfiltration
  • Minor resilience against malicious actions
  Processes (Documented):
  • Practices are documented

Maturity Level 3
  Practices:
  • Coverage of all NIST SP 800-171 Rev 1 controls
  • Additional practices beyond the scope of Controlled Unclassified Information (CUI) protection
  • Resilient against moderately skilled threat actors
  • Moderate resistance against data exfiltration
  • Moderate resilience against malicious actions
  • Comprehensive knowledge of cyber assets
  Processes (Managed):
  • Practices are maintained and followed

Maturity Level 4
  Practices:
  • Advanced and sophisticated cybersecurity practices
  • Resilient against advanced threat actors
  • Defensive responses approach machine speed
  • Increased resistance against, and detection of, data exfiltration
  • Complete and continuous knowledge of cyber assets
  Processes (Reviewed):
  • Processes are periodically reviewed, properly resourced, and improved across the enterprise

Maturity Level 5
  Practices:
  • Highly advanced cybersecurity practices
  • Reserved for the most critical systems
  • Resilient against the most advanced threat actors
  • Defensive responses performed at machine speed
  • Machine-performed analytics and defensive actions
  • Resistance against, and detection of, data exfiltration
  • Autonomous knowledge of cyber assets
  Processes (Optimizing):
  • Continuous improvement across the enterprise


Maturity Level Certification Considerations

Every organization that plans to renew a current contract or bid on a new contract in the future will need to be certified at one of the five maturity levels outlined above. The DoD will specify the maturity level required for each solicitation, so organizations should decide which level to pursue based on the nature of the contracts and work they intend to bid on. The level is also expected to flow down through the supply chain: a prime contractor's subcontractors will need certification at the level appropriate to the information they handle.

The maturity level of each organization will need to be validated by a CMMC Third-Party Assessment Organization (C3PAO) that has been accredited and trained by the CMMC Accreditation Body (CMMC-AB). Organizations will be able to bid only on contracts whose required maturity level is equal to or lower than their certified level.

Coalfire’s full spectrum of CMMC services includes:

Advisory: Are you unsure whether CMMC applies to your organization? Have you received a compliance request from the DoD or your prime contractor? Are you wondering how your current NIST SP 800-171 or DFARS 252.204-7012 capabilities map to the CMMC practices and processes? Coalfire’s team of experts, acting as an objective third party, can help you navigate these questions and interpret the impact of CMMC on your environment. We can also perform a gap analysis of your environment and organization against your target level and devise a roadmap to your desired CMMC maturity level.

Remediation: Coalfire offers a suite of remediation services dedicated to helping you meet or exceed your desired CMMC maturity level. These services include developing the required security documentation (policies, plans, and procedures), resolving threat and vulnerability assessment findings, cloud engineering, and technology implementation.

Attestation: CMMC assessment services are expected to become available in the second quarter of 2020. Once certified as a C3PAO, Coalfire will support organizations that are ready for final assessment and certification.

Why choose Coalfire?

For nearly 20 years, Coalfire has been providing commercial and public sector organizations, including the DoD, with industry-leading cybersecurity and compliance advisory services. As one of the industry’s largest and most experienced risk management and compliance assessment organizations, Coalfire can provide the expertise and support to guide you successfully through the CMMC certification process.