Cybersecurity Maturity Model Certification

The Department of Defense (DoD) is developing the Cybersecurity Maturity Model Certification (CMMC), a new framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. Although CMMC is in the development phase, all organizations that provide services to the DoD will need to be certified as early as June 2020 in order to bid on DoD solicitations.


The CMMC outlines five compliance maturity levels that range from Level 1 Basic Cybersecurity Hygiene to Level 5 Advanced Cybersecurity Practices. Each of the five levels outlines controls and processes that, when properly implemented, will reduce the risk of hostile agents breaching a company’s cybersecurity defenses. Based on guidance as of early December 2019, the levels are described as follows:

Level 1
  Description of Practices:
  • Basic cybersecurity
  • Achievable for small companies
  • Subset of universally accepted common practices
  • Limited resistance against data exfiltration
  • Limited resilience against malicious actions
  Description of Processes: Practices are performed, at least in an ad hoc manner

Level 2
  Description of Practices:
  • Inclusive of universally accepted cybersecurity best practices
  • Resilient against unskilled threat actors
  • Minor resistance against data exfiltration
  • Minor resistance against malicious actions
  Description of Processes: Practices are documented

Level 3
  Description of Practices:
  • Coverage of all NIST SP 800-171 Rev 1 controls
  • Additional practices beyond the scope of Controlled Unclassified Information (CUI) protection
  • Resilient against moderately skilled threat actors
  • Moderate resistance against data exfiltration
  • Moderate resilience against malicious actions
  • Comprehensive knowledge of cyber assets
  Description of Processes: Practices are maintained and followed

Level 4
  Description of Practices:
  • Advanced and sophisticated cybersecurity practices
  • Resilient against advanced threat actors
  • Defensive responses approach machine speed
  • Increased resistance against and detection of data exfiltration
  • Complete and continuous knowledge of cyber assets
  Description of Processes: Processes are periodically reviewed, properly resourced, and improved across the enterprise

Level 5
  Description of Practices:
  • Highly advanced cybersecurity practices
  • Reserved for the most critical systems
  • Resilient against the most advanced threat actors
  • Defensive responses performed at machine speed
  • Machine-performed analytics and defensive actions
  • Resistance against, and detection of, data exfiltration
  • Autonomous knowledge of cyber assets
  Description of Processes: Continuous improvement across the enterprise

The certification level for each organization will need to be validated by a CMMC Third-Party Assessment Organization (C3PAO) that will be authorized and trained to do the work by an Accreditation Body.

Coalfire’s full spectrum of CMMC services will include:

Analysis: Are you wondering if CMMC applies to your organization? Have you received a compliance request from the DoD or your prime contract holder? Coalfire can help you navigate the requirements and/or interpret this request and its associated impacts.

Advisory: Coalfire’s team of experts, acting as an objective third party, can perform a gap analysis on your environment/organization to help devise a roadmap to a desired CMMC maturity level.

Remediation: Coalfire provides support in such areas as engineering, operations, and document/policy development to meet or exceed a desired CMMC maturity level.

Attestation: Coalfire will support organizations that are ready for final assessment and certification (Q1 2020).

Why choose Coalfire?

For nearly 20 years, Coalfire has been providing commercial and public sector organizations, including the DoD, with industry-leading cybersecurity and compliance advisory services. As one of the industry’s largest and most experienced risk management and compliance assessment organizations, Coalfire can provide the expertise and support to guide you successfully through the CMMC certification process.