DoD releases Cybersecurity Maturity Model Certification (CMMC) Version 1.0
The U.S. Department of Defense published CMMC Version 1.0, setting five security maturity levels and third-party certification requirements for defense contractors.
Fact-checked and reviewed — Kodi C.
On 31 January 2020, the U.S. Department of Defense released Cybersecurity Maturity Model Certification (CMMC) Version 1.0, establishing a full five-level cybersecurity maturity framework that defense industrial base suppliers must satisfy through accredited third-party assessments. The framework represents DoD's response to persistent advanced threats against contractor networks and the inadequacy of self-attestation approaches under existing DFARS 252.204-7012 requirements. CMMC maps security practices and processes to NIST SP 800-171, Federal Contract Information protections, and advanced threat countermeasures, creating a unified and enforceable standard for defense supply chain cybersecurity.
Strategic Context and Framework Purpose
CMMC emerged from DoD's recognition that contractor self-attestation to NIST SP 800-171 requirements had failed to achieve adequate cybersecurity across the defense industrial base. Widespread exploitation of contractor networks by nation-state adversaries, including the compromise of controlled technical information related to major weapons programs, showed that voluntary compliance approaches were insufficient. CMMC shifts from trust-based self-reporting to verification-based third-party assessment.
The framework addresses the full spectrum of threats facing defense contractors, from opportunistic cybercriminals targeting basic vulnerabilities to sophisticated nation-state actors conducting advanced persistent threat campaigns. By establishing progressive maturity levels, CMMC enables proportionate security requirements based on the sensitivity of information handled and the criticality of contractor functions to national defense.
DoD's approach creates market incentives for cybersecurity investment by making certification a prerequisite for contract award. Contractors must achieve required certification levels before receiving awards involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This linkage transforms cybersecurity from a compliance checkbox to a competitive differentiator affecting contract eligibility.
Five Maturity Levels Explained
CMMC Version 1.0 establishes five maturity levels representing progressive cybersecurity capability and process institutionalization. Each level builds upon lower levels, requiring organizations to maintain all practices from previous levels while implementing additional controls appropriate to the higher maturity tier.
Level 1 (Basic Cyber Hygiene): Addresses fundamental safeguarding of Federal Contract Information with 17 practices aligned to FAR 52.204-21 requirements. Level 1 represents the minimum acceptable baseline for any contractor handling FCI and focuses on basic access control, identification, media protection, and system integrity practices. Process maturity expectations are minimal at this level.
Level 2 (Intermediate Cyber Hygiene): Introduces 55 additional practices transitioning toward CUI protection. Level 2 serves as a stepping stone toward full NIST SP 800-171 compliance, with practices documented and performed consistently. Organizations at this level show emerging security program maturity.
Level 3 (Good Cyber Hygiene): Aligns with complete NIST SP 800-171 Rev. 1 requirements plus 20 additional DoD-defined practices, totaling 130 practices. Level 3 is expected for most contractors handling CUI and requires established, documented policies and procedures that are actively managed. This level represents the primary target for the majority of defense contractors.
Level 4 (Preventive): Adds 26 practices focused on protecting CUI from advanced persistent threats through improved detection and response capabilities. Level 4 organizations show preventive review and measurement of security practices, threat hunting capabilities, and the ability to adapt to evolving tactics, techniques, and procedures.
Level 5 (Advanced/Progressive): Incorporates 15 additional advanced practices optimizing cybersecurity programs for sophisticated threat environments. Level 5 organizations show standardized and improved processes across the enterprise with continuous improvement mechanisms responding to advanced threat intelligence.
Third-Party Assessment Requirements
Unlike prior self-attestation approaches, CMMC mandates independent assessment by Certified Third-Party Assessment Organizations (C3PAOs) accredited by the CMMC Accreditation Body (now Cyber AB). Assessment organizations must meet rigorous quality and independence requirements, with assessors completing specified training and certification before conducting evaluations.
Assessments evaluate objective evidence of practice implementation and process maturity against level-specific requirements. Assessors review documentation, observe processes, interview personnel, and examine technical configurations to verify that claimed practices are actually implemented and operating effectively. Standardized assessment methodologies ensure consistent evaluation across the C3PAO ecosystem.
Assessment results feed into central databases enabling contracting officers to verify contractor certification status during source selection. The Supplier Performance Risk System (SPRS) serves as the authoritative record of contractor cybersecurity assessments, with results influencing contract award decisions. Organizations must maintain valid certifications throughout contract performance.
If you are affected, budget for assessment costs, which vary significantly based on scope complexity and maturity level. Level 3 assessments for organizations with multiple CUI-handling systems may require significant assessor time. Assessment timelines must align with contract award schedules to avoid bid disqualification due to pending certification.
Implementation Planning Approach
Compliance and security leaders supporting DoD contracts should begin with a full inventory of in-scope programs and systems. Identify all contracts and potential opportunities involving FCI or CUI, and determine the required CMMC level for each. Map existing controls to CMMC practice requirements, documenting the gaps between the current state and the target certification level.
System Security Plans must be updated to reflect CMMC evidence requirements and assessment methodology expectations. Documentation should show not only that controls are implemented but that processes are institutionalized through policies, procedures, training, and performance measurement. Evidence collection should begin immediately to support eventual assessment.
Remediation planning should prioritize gaps by contract timeline and risk severity. Critical gaps affecting Level 3 certification should receive immediate attention given the prevalence of CUI-handling requirements across the defense industrial base. If you are affected, establish realistic remediation timelines that account for technology deployment, process development, and personnel training requirements.
If you are affected, engage early with the CMMC ecosystem, including the Cyber AB and prospective C3PAOs. Understanding assessment processes, evidence expectations, and scheduling constraints enables better preparation and avoids last-minute complications. Consider conducting readiness assessments or mock evaluations to identify issues before formal certification attempts.
Supply Chain Implications
Prime contractors must flow down CMMC requirements to subcontractors handling FCI or CUI, creating supply chain-wide certification obligations. The certification requirement applies at each tier where protected information is transmitted, processed, or stored. Prime contractors bear responsibility for ensuring subcontractor compliance with applicable CMMC levels.
Supply chain risk management strategies must incorporate CMMC readiness assessment for critical suppliers. If you are affected, update supplier qualification procedures to include CMMC certification status verification and establish monitoring processes for ongoing compliance. Early identification of suppliers unlikely to achieve required certifications enables alternative sourcing before program disruption.
Small and medium suppliers throughout the defense industrial base face particular challenges achieving certification. Limited resources, competing priorities, and unfamiliarity with federal cybersecurity requirements create barriers to compliance. Prime contractors may need to provide mentorship, share resources, or adjust supply chain strategies to address these challenges.
Managed service providers supporting defense contractors must clarify shared responsibility models and show that their services enable rather than impede client certification. Cloud service providers require FedRAMP authorization or equivalent security posture, with contractual provisions addressing CMMC-specific requirements.