What Is the DoD’s New Cybersecurity Maturity Model Certification, and What Does It Mean for Defense Contractors?

Jim Masella, Director, FedRAMP & Assurance Services, Coalfire

Citing the threat of compromise of Controlled Unclassified Information (CUI) within the defense industrial base (DIB), along with the high cost of cyber breaches in general, the Office of the Assistant Secretary of Defense for Acquisition has initiated a program for rating the cybersecurity maturity of defense contractors. At the program’s core is a new Cybersecurity Maturity Model Certification (CMMC) based on a multi-level and multi-domain matrix of cybersecurity controls. 

A New Standard and a New Requirement

Encompassing existing standards and guidelines, the intent is to provide the Department of Defense (DoD) with a cybersecurity yardstick to inform their acquisition decisions via a consistent certification program—the CMMC. The CMMC program will go into effect in late 2020, and contractors should start seeing maturity level requirements in requests for proposal (RFPs) as early as next summer. 

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment website, all contractors seeking to perform work for the Department of Defense will be required to demonstrate compliance with CMMC v1.0 and receive an independent third-party assessment organization (3PAO) certification by the fall of 2020. While CMMC validation and certification will need to be conducted by 3PAOs, the door is open to allow some organic DoD assessors to be used to conduct higher-level assessments. Contractors will be responsible for engaging a 3PAO to obtain a certification at their desired maturity level. Self-attestations of controls implementation will not be allowed.

A preliminary feedback period on the draft version 0.4 of the CMMC model closed on September 25th. An updated draft, CMMC v0.6, will be open for public review in November 2019. CMMC v1.0 is due to be finalized and released in January 2020, and, by the end of 2020, CMMC certification will be in effect. It has not yet been decided how often, if at all, a contractor must re-certify their maturity level. The CMMC level requirement will be written into contract language; proposal teams can expect this to be spelled out in sections L and M of DoD RFPs beginning next summer.

This maturity model provides an assessment framework to evaluate companies based on their cybersecurity posture (or maturity) from basic cyber hygiene (Level 1) to “highly advanced cybersecurity practices” (Level 5). In order to arrive at Level 5, the model provides an assessment framework of capabilities that cover both processes and practices of the subject organization. Level 3 is currently considered the minimum level on the model that meets the security requirements of NIST SP 800-171 Rev. 1, which forms the compliance standard for National Archive and Records Administration’s (NARA) CUI program and is a baseline requirement in Defense Federal Acquisition Regulation Supplement (DFARS) 7012.

click to enlarge image

Most of the 18 domains are named the same as the security control families within the NIST SP 800-53 standard. Additional domains such as Cybersecurity Governance, Situational Awareness, and Recovery, however, reflect the multi-framework and multi-perspective nature of the model. Additional standards and models that the CMMC pulls from include:

  • CERT Resilience Management Model (CERT-RMM)
  • Defense Industrial Base Sector Coordinating Council (DIB SCC)
  • ISO 27001: 2013 Standard
  • Center for Internet Security’s Critical Security Controls 7.1
  • Aerospace Industries Association’s NAS9933 National Aerospace Standard
  • NIST Cybersecurity Framework
  • NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations
  • NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

3PAO Support

Because CMMC will eliminate contractors’ ability to self-attest as they were able to do in their implementation of NIST 800-171 security controls to protect CUI, they will need to reach out to 3PAOs for assistance. Much as 3PAOs provide assessment, advisory, and engineering support to cloud service providers in FedRAMP, they likely will play a similar role in the implementation of CMMC.


When compared to the adoption of some other compliance frameworks, CMMC is coming quickly! This rigorous maturity model will cover 18 domains from Situational Awareness to Maintenance, System, and Communications Protection. Experienced and highly reputable cybersecurity firms and 3PAOs, like Coalfire, are uniquely positioned to provide assessment and advisory services to help contractors meet their DoD cybersecurity maturity level needs. Please contact Coalfire at 3PAO@coalfire.com if you have additional questions about CMMC.

Ruchi Gupta, Senior Consultant, FedRAMP & Assurance Services, also contributed to this blog.

1 https://www.acq.osd.mil/cmmc/faq.html

Jim Masella


Jim Masella — Director, FedRAMP & Assurance Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS