Cybersecurity Maturity Model Certification

Learn everything you need to know about the new Department of Defense Cybersecurity Maturity Model Certification (CMMC) framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies in the Defense Industrial Base supply chain.

Cyber-AB Licensed Training Provider and Licensed Partner Publisher

Infosec is both a Licensed Training Provider (LTP) and a Licensed Partner Publisher (LPP) for the Cybersecurity Maturity Model Certification Accreditation Body (Cyber-AB), an independent accreditation entity created in January 2020 that’s responsible for establishing, managing, controlling and administering the CMMC assessment, certification, training and accreditation processes for the defense supply chain.

Frequently asked questions

For CMMC Professionals and Assessors

What is the Cybersecurity Maturity Model Certification (CMMC) framework?

Developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) and other federal stakeholders, the Cybersecurity Maturity Model Certification (CMMC) assesses and enhances the cybersecurity posture of the Defense Industrial Base (DIB).

The CMMC 2.0 Model covers three compliance levels: Level 1 “Foundational”, Level 2 “Advanced” and Level 3 “Expert”. The Certified CMMC Professional (CCP) certification is the gateway to becoming a Certified CMMC Assessor (CCA), but it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC 2.0 support and guidance.

When does CMMC go into effect?

The initial version of the CMMC framework was released in January 2020, and the first 72 candidates for the Provisional Assessor program were selected by the CMMC Accreditation Body (CMMC-AB) in August 2020. Official Certified CMMC Professional (CCP) and Certified CMMC Assessor Level 1 (CCA-1) training from CMMC-AB Licensed Training Providers (LTPs) is expected to be available in July 2021.

Additionally, 10 DoD contracts are expected to be chosen as “pathfinder programs” to help assess the success of initial CMMC rollout. A phased rollout will continue until all DoD contracts require CMMC certification by 2025.

What are Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA)?

To become a Certified CMMC Assessor (CCA), you must first become a Certified CMMC Professional (CCP). The CCP serves as a gateway for assessors, but it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC support and guidance. The CMMC-AB career path contains four levels:

  • Certified CMMC 2.0 Professional (CCP)
  • Certified CMMC 2.0 Assessor Level 1 (CCA-1)
  • Certified CMMC 2.0 Assessor Level 2 (CCA-2)
  • Certified CMMC 2.0 Assessor Level 3 (CCA-3)

Certified CMMC 2.0 Assessors can only conduct organizational assessments up to their maturity level.

What are organizations seeking certification (OSC)?

CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored.

CMMC-AB estimates that the certification process will take organizations at least six months.

What are the CMMC requirements?

Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 of them are specified in NIST SP 800-171 rev1. Additional practices and processes are drawn from other standards, references and sources, such as:

  • NIST SP 800-53
  • Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
  • Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2

CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.

What are the CMMC 2.0 maturity levels?

The CMMC model has three progressive levels for measuring cybersecurity maturity. CMMC 2.0 eliminates all maturity processes and all CMMC-unique security practices. In this boot camp, you’ll learn what goes into each of the following levels:

  • CMMC 2.0 Level 1 (Foundational)
    • 17 practices
    • Annual self-assessment
    • Same as previous Level 1
  • CMMC 2.0 Level 2 (Advanced)
    • 110 practices
    • Based on NIST SP 800-171
    • Triennial third-party assessments for critical national security information
    • Previous Level 3
  • CMMC 2.0 Level 3 (Expert)
    • 110+ practices
    • Based on a subset of NIST SP 800-172
    • Previous Level 5