Cybersecurity Maturity Model Certification
Learn everything you need to know about the new Department of Defense Cybersecurity Maturity Model Certification (CMMC) framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies in the Defense Industrial Base supply chain.
CMMC-AB Licensed Training Provider and Licensed Partner Publisher
Infosec is both a Licensed Training Provider (LTP) and a Licensed Partner Publisher (LPP) for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), an independent accreditation entity created in January 2020 that’s responsible for establishing, managing, controlling and administering the CMMC assessment, certification, training and accreditation processes for the defense supply chain.
Stay tuned for more updates as we develop courseware and training for the new CMMC certifications.
Get all your CMMC questions answered
Want to learn more about the Cybersecurity Maturity Model Certification? Download our guide to learn:
- How to become a Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA)
- How to get your organization certified
- The five CMMC maturity levels
- Timelines for CMMC training and adoption
CMMC training resources
Certified CMMC Professional Boot Camp (pending CMMC-AB approval)
The Certified CMMC Professional (CCP) is the first step to becoming an assessor. It certifies you as a valuable resource for consulting agencies and organizations seeking CMMC guidance.
Certified CMMC Assessor Boot Camps (pending CMMC-AB approval)
Take your career to the next level by becoming one of the first Certified CMMC Assessors (CCA). The CMMC career path contains three levels of assessors based on the different maturity levels.
CMMC resource hub
Check out our resource hub to learn more about the different CMMC levels, processes, practices and more.
Frequently asked questions
What is the Cybersecurity Maturity Model Certification (CMMC) framework?
The Department of Defense (DoD) supply chain and the Defense Industrial Base (DIB) it supports are continuously under threat by malicious actors. The theft of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) doesn’t just stifle innovation and undercut U.S. technical advantages, it significantly increases the risk to national security.
To reduce this risk, the DoD released the CMMC framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies that contribute towards the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
When does CMMC go into effect?
The initial version of the CMMC framework was released in January 2020, and the first 72 candidates for the Provisional Assessor program were selected by the CMMC Accreditation Body (CMMC-AB) in August 2020. Official Certified CMMC Professional (CCP) and Certified CMMC Assessor Level 1 (CCA-1) training from CMMC-AB Licensed Training Providers (LTPs) is expected to be available in July 2021.
Additionally, 10 DoD contracts are expected to be chosen as “pathfinder programs” to help assess the success of initial CMMC rollout. A phased rollout will continue until all DoD contracts require CMMC certification by 2025.
What are Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA)?
To become a Certified CMMC Assessor (CCA), you must first become a Certified CMMC Professional (CCP). The CCP serves as a gateway for assessors, but it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC support and guidance. The CMMC-AB career path contains four levels:
- Certified CMMC Professional (CCP)
- Certified CMMC Assessor Level 1 (CCA-1)
- Certified CMMC Assessor Level 3 (CCA-3)
- Certified CMMC Assessor Level 5 (CCA-5)
Certified CMMC Assessors can only conduct organizational assessments up to their maturity level.
What are organizations seeking certification (OSC)?
CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored.
CMMC-AB estimates that it will take organizations at least six months to get certified.
What are the CMMC requirements?
Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 are specified in NIST SP 800-171 rev1. Additional practices and processes are drawn from other standards, references and sources, such as:
- NIST SP 800-53
- Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
- Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.
What are the 5 CMMC maturity levels?
The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around:
- Level 1: Safeguarding Federal Contract Information (FCI)
- Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI)
- Level 3: Protecting CUI
- Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)
Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, it will be classified overall as Level 2. CMMC levels are cumulative: to achieve Level 5, an organization must demonstrate all 5 processes and all 171 practices included in the framework.
What are the process and practice requirements for CMMC Level 1?
Processes: Performed (0)
Level 1 requires that an organization perform the specified practices. Because the organization may only be able to perform these practices in an ad hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic cyber hygiene (17)
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).
Download our CMMC ebook for the full list of requirements: https://www.infosecinstitute.com/form/cmmc-ebook/
What are the process and practice requirements for CMMC Level 2?
Processes: Documented (2)
Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documenting practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate cyber hygiene (55)
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of practices reference the protection of CUI.
What are the process and practice requirements for CMMC Level 3?
Processes: Managed (1)
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training and involvement of relevant stakeholders.
Practices: Good cyber hygiene (58)
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.
What are the process and practice requirements for CMMC Level 4?
Processes: Reviewed (1)
Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
Practices: Proactive (26)
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.
What are the process and practice requirements for CMMC Level 5?
Processes: Optimizing (1)
Level 5 requires an organization to standardize and optimize process implementation across the organization.
Practices: Advanced/progressive (15)
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.