Cybersecurity Maturity Model Certification and Small Contractors

The United States Department of Defense’s (DoD) supply chain, which includes over 300,000 companies, is critical to both national security as well as the protection of all individuals throughout the USA. It is because of this that the DoD is now doing everything in their power to protect this supply chain from all outside adversaries. This has led to the creation of the Cybersecurity Maturity Model Certification (CMMC) framework. 

What is CMMC?

The CMMC framework was built upon existing regulations stated in DFARS 252.204-7012. Where compliance previously rested on trust, there is now a certification requirement to verify that companies actually meet the standards. The CMMC framework comprises 5 different levels. Depending on the role of a company in relation to the government, it will be required to be certified to level 1, 3 or 5.

Level 1 consists of 17 different controls that address basic cyber hygiene practices. It encompasses practices such as regular password changes in order to ensure that Federal Contract Information (FCI) is protected.

Level 3 is the most common required certification for most companies. The level 3 certification is made up of 130 controls that fall under 15 different cyber security categories. These controls are set up to protect controlled unclassified information (CUI) in both its digital and physical forms. The 15 CMMC categories for level 3 are:

  1. Access Control (AC)
  2. Asset Management (AM)
  3. Audit & Accountability (AU)
  4. Configuration Management (CM)
  5. Identification & Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Personnel Security (PS)
  9. Physical Security (PE)
  10. Recovery (RE)
  11. Risk Management (RM)
  12. Security Assessment (CA)
  13. Situational Awareness (SA)
  14. System & Communications Protection (SC)
  15. System and Information Integrity (SI)

Levels 4 and 5 are for companies that work closely with the government, such as Boeing, Lockheed Martin, and other large defense contractors. These levels ensure that companies have processes for reviewing and measuring the practices that have been previously established, as well as additional practices to detect and respond to advanced persistent threats (APTs).

The reason for this framework being put in place is the potential for data leaks from companies at the bottom of the DoD’s supply chain. Adversaries such as Russia and China have always had a difficult time stealing information from the large government prime contractors, which has led them to target the smaller companies that may be two or three steps below the prime contractor. These companies do not have full details of the projects they are working on, but they hold enough information to make attacking them worthwhile.

CMMC will soon be a minimum requirement in order to be eligible to bid on DoD contract awards. CMMC is more than just a certificate to post on your wall; it is a culture that is built in an organization until it becomes second nature. CMMC is about creating a culture that will be able to protect all information within your organization in order to protect the DoD and all individuals living within the United States.