
Governance · Credibility 40/100 · 4 min read

DoD releases Cybersecurity Maturity Model Certification (CMMC) Version 1.0

The U.S. Department of Defense published CMMC Version 1.0, setting five security maturity levels and third-party certification requirements for defense contractors.

Executive briefing: On , the Department of Defense released CMMC Version 1.0, formalizing a five-level cybersecurity maturity model that defense industrial base suppliers must satisfy through accredited third-party assessments. The framework maps practices and processes to NIST SP 800-171, Federal Contract Information protections, and advanced threat countermeasures.

Operator action: Compliance and security leaders supporting DoD contracts should inventory in-scope programs, map existing controls to CMMC level targets, and initiate readiness assessments against the Version 1.0 practices. Budget for independent C3PAO assessments, update supplier flow-down clauses, and align system security plans and POA&Ms to CMMC evidence requirements.

Sources: DoD's release package includes the full CMMC model and appendices defining practices, processes, and assessment expectations.

  • CMMC
  • defense industrial base
  • third-party risk