What is a maturity model in cybersecurity?
Cybersecurity Maturity Model Certification (CMMC) is a specific cybersecurity maturity model from the United States Department of Defense (DoD) that ensures defense industrial base (DIB) contractors meet mandatory cybersecurity requirements when handling controlled unclassified information (CUI).
Although the DoD has long provided cybersecurity guidelines to contractors, it only established the CMMC in 2020. Now, every contractor must earn this certification to be eligible to develop and supply products and services to the DoD. The CMMC requires all DoD contractors to undergo a third-party cybersecurity assessment.
The CMMC Assessors and Instructors Certification Organization and Certified Third-Party Assessor Organizations (C3PAOs)—firms that the CMMC Accreditation Body has trained and certified—assess every contractor.
The need for CMMC in the defense supply chain
Traditionally, defense contractors relied on self-attestation to meet NIST SP 800-171 standards. However, this approach revealed significant gaps in compliance, which prompted the DoD to introduce CMMC as a more rigorous and accountable framework.
CMMC—which helps teams better assess, monitor, and secure the defense supply chain—covers roughly 350,000 firms in the DIB. Initially, the CMMC program offered five certification levels, which the DoD condensed into three levels under CMMC 2.0 (when it renewed the CMMC program, it eliminated Levels 2 and 4 to streamline compliance). Despite this, CMMC has not lost its rigorous standards.
In CMMC 2.0, a contract’s level of data sensitivity determines the required certification level. This differs from general frameworks like NIST CSF, which use tiers to assess an organization’s overall risk management practices.
CMMC’s different maturity levels
Below are CMMC 2.0’s current maturity levels and their requirements:
Level 1: Foundational
The most basic maturity level requires you to practice minimum cybersecurity measures, such as patch updates and password management. It covers 17 controls from 48 CFR 52.204-21 standards.
Level 1 certification aims to reduce risk for companies that manage data. Organizations don’t need documentation to implement these foundational security requirements. Instead, they can self-assess their readiness for Level 1 compliance. DIB contractors who handle federal contract information (FCI), which isn’t critical, must attain Level 1 certification.
Level 2: Advanced
CMMC 2.0 Level 2 certification is necessary for companies that handle CUI. Level 2 focuses on implementing intermediate cyber hygiene practices by adhering to the 14 domains and 110 security controls in NIST SP 800-171.
While these controls aim to protect sensitive unclassified information from unauthorized access, their primary purpose is to ensure compliance with NIST SP 800-171 requirements rather than directly addressing national security concerns.
In addition to the outlined practices in Level 1, Level 2 stipulates that organizations must document their security processes and guidelines. As a result, contractors must undergo an assessment process by C3PAOs every three years. Since they manage information critical for national security, these organizations must also conduct annual self-assessments.
Level 3: Expert
As the highest level of CMMC, Level 3 involves stringent security policies based on NIST SP 800-171 and a subset of 24 additional controls from NIST SP 800-172. This level requires implementing all 110 NIST SP 800-171 controls alongside enhanced security measures to address sophisticated threats, including advanced persistent threats (APTs).
At this maturity level, organizations focus on proactive cybersecurity measures like advanced monitoring, testing, automation, and threat hunting to detect and neutralize APTs. These measures also ensure continuous improvement and robust defense against evolving cyber threats.
Core aspects of CMMC compliance
The DoD introduced CMMC to cover three key objectives:
Safeguarding sensitive information that could challenge national security
Setting a cybersecurity standard for companies that secure defense contracts
Holding defense contractors accountable for securing government data
The CMMC framework comprises three key aspects to achieve these objectives: domains, practices, and capabilities. Let’s briefly discuss each:
Domains: The DoD groups CMMC’s 14 cyber domains, or sets of security practices, by their attributes. Below are the types of domains under CMMC 2.0:
| Number | Cyber domain |
|---|---|
| 1 | Access Control |
| 2 | Asset Management |
| 3 | Audit and Accountability |
| 4 | Awareness and Training |
| 5 | Configuration Management |
| 6 | Identification and Authentication |
| 7 | Incident Response |
| 8 | Maintenance |
| 9 | Media Protection |
| 10 | Personnel Security |
| 11 | Physical Protection |
| 12 | Recovery |
| 13 | Risk Management |
| 14 | Security Assessment |
| 15 | Situational Awareness |
| 16 | System and Communications Protection |
| 17 | System and Information Integrity |
Practices: Contractors must implement 110 practices across 14 security domains to safeguard information.
Capabilities: Organizations must employ these best practices, processes, and tactics for robust security. (The DoD removed some capabilities from CMMC 2.0 that CMMC 1.0 explicitly mentioned.)
Who needs to comply with CMMC?
The DoD has mandated that every defense contractor must achieve CMMC certification by 2026. While commercial-off-the-shelf vendors are generally exempt from certification requirements, exceptions may apply if their products involve handling CUI or are subject to specific contract requirements. Other organizations must secure the appropriate maturity level, according to their contracts, to remain eligible for DoD work.
The three different types of contractors who need to comply with CMMC are as follows:
Organizations working only with FCI that have a FAR 52.204-21 clause in their contract will need CMMC Level 1. These organizations must self-certify their security practices rather than undergo a third-party assessment. Contractors must also share the details of their FCI management plan, including information about people, processes, technologies, facilities, and other external providers.
Defense contractors with a DFARS 7021 clause in their contract will need Level 2 certification. Per the mandate, they must undergo a third-party assessment through an accredited C3PAO every three years and complete a self-assessment annually.
Organizations that handle highly sensitive data and have DFARS 7021 clauses in their contract will need the highest level of maturity. To achieve Level 3 certification, they must comply with essential security practices in NIST SP 800-171 and some of 800-172. These organizations must undergo an audit by a Defense Industrial Base Cybersecurity Assessment Center.
CMMC cloud compliance best practices
Below are seven best practices you can implement to achieve CMMC:
1. Understand what level of CMMC certification you need
Review your defense contract carefully to determine the maturity level you need. You can determine your level based on your organization’s expectations, such as how and whether you handle FCI or CUI.
Remember: Level 1 certification is a minimum requirement for securing a defense contract from the DoD. If your organization deals with CUI, you must instead earn Level 2 compliance. Level 3 certification is currently the highest level of attainment.
2. Establish a core team to take care of CMMC compliance
Delegating compliance responsibility to a core team will streamline your security practices. IT teams usually take up this role—but regardless of who’s in charge, someone who can involve all the organization’s stakeholders and keep the project on track at every step must manage CMMC compliance.
You can build your team by incorporating the following roles for compliance:
Executive leadership: Identify a qualified leader to sponsor compliance initiatives across the relevant governing bodies and evolving standards, including allocating budget, resources, and objectives.
Compliance manager: Choose a leader who can execute and monitor CMMC compliance. This person must communicate with all relevant departments, stakeholders, and their teams to assess and document compliance standards.
Security team members: Train security engineers and system architects in CMMC best practices so they can implement the controls that the NIST security practices require and monitor logs and actions through consistent security processes.
Training coordinators: Continuously educate your team to improve current compliance standards and position them for future changes and threats. You can implement a DevSecOps approach to ensure that everyone, at every level, understands core compliance expectations.
Auditors: Leverage key team members and solutions like Wiz to find gaps and provide assessments through internal audits. This will allow you to track and remediate potential issues.
3. Determine your CMMC readiness
Implement a self-assessment procedure to determine the state of your cybersecurity and your readiness for CMMC compliance. This typically involves evaluating, and where needed strengthening, your technical, administrative, and physical controls in the following ways:
Add technical controls like multi-factor authentication for cloud applications and endpoint protection.
Establish administrative processes like patch management policies and incident response plans.
Build physical safeguards like server room access logs and physical security measures.
You can better assess your readiness through auditing, analyzing, and reviewing your reporting and communication. For each CMMC practice, you should:
Create documentation: Develop system security plans, procedures, and policies that support requirements.
Conduct interviews: Confirm staff knowledge of security protocols and the documentation process.
Test controls: Create real-world scenarios, like phishing attacks or disaster recovery, to verify technical controls and training.
Remember: self-assessments are only applicable for Level 1 compliance under CMMC 2.0, which focuses on foundational cyber best practices. Levels 2 and 3 require third-party assessments by C3PAOs or government entities to ensure adherence to more advanced cybersecurity requirements.
Thankfully, you don’t have to perform all these steps manually as you prepare and implement CMMC. With solutions like Wiz, for example, you can automate compliance against your current infrastructure and use benchmarks to reach your goals.
4. Limit access to CUI for easy security management
Giving a large group access to CUI will make it difficult to monitor who is accessing the information. For greater control over CUI access, you can restrict access to select personnel and ensure that they receive training on CUI management practices. These steps involve:
Finding systems and data stores that have CUI
Changing your protocols to include role-based access control (and confirming that only the right people and systems can access CUI)
Consistently reviewing access logs for accuracy
Encrypting and securing storage with encrypted drives or cloud environments with strict access logs to safeguard CUI at rest and in transit
Enforcing policy with a CSPM tool like Wiz by automating compliance with frameworks like NIST 800-171 or CMMC to meet federal contractor requirements
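To make the role-based access and log-review bullets above concrete, here is an added Python example (not code from the original article or from any Wiz product) that checks a constructed access log against a role-based allow list for CUI data stores and lists the stores that are not encrypted at rest; the store names, roles, principals and log format are all assumptions.

```python
"""Review access to CUI stores against a role-based allow list (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class CuiStore:
    name: str
    encrypted_at_rest: bool
    allowed_roles: set[str] = field(default_factory=set)


# Constructed inventory of systems and data stores that hold CUI.
CUI_STORES = {
    "s3://cui-engineering-drawings": CuiStore(
        "s3://cui-engineering-drawings", True, {"cui-engineer", "cui-admin"}),
    "db://contracts": CuiStore("db://contracts", False, {"cui-admin"}),
}

# Constructed role assignments (the role-based access control policy).
PRINCIPAL_ROLES = {
    "alice": {"cui-engineer"},
    "bob": {"cui-admin"},
    "carol": {"marketing"},
    "svc-backup": {"backup"},
}

# Constructed access log: timestamp, principal, action, resource.
ACCESS_LOG = """\
2024-05-01T09:00:00Z alice GetObject s3://cui-engineering-drawings
2024-05-01T09:05:00Z carol GetObject s3://cui-engineering-drawings
2024-05-01T09:10:00Z bob SELECT db://contracts
2024-05-01T09:12:00Z svc-backup SELECT db://contracts
2024-05-01T09:15:00Z carol GetObject s3://public-website-assets
"""


def review_access_log(log: str) -> list[str]:
    """Return one finding per access to a CUI store by a principal with no allowed role."""
    findings = []
    for line in log.splitlines():
        ts, principal, action, resource = line.split()
        store = CUI_STORES.get(resource)
        if store is None:
            continue  # not a CUI store, so outside the scope of this review
        if not (PRINCIPAL_ROLES.get(principal, set()) & store.allowed_roles):
            findings.append(f"{ts} {principal} {action} {resource}: no authorized role")
    return findings


def unencrypted_cui_stores() -> list[str]:
    """Return the CUI stores whose inventory entry says they are not encrypted at rest."""
    return sorted(name for name, s in CUI_STORES.items() if not s.encrypted_at_rest)
```

Each finding is a candidate for either a policy fix (the principal should not have reached the store) or an inventory fix (the role list is stale), which is the review the page calls for.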
5. Build an SSP for CMMC compliance
Creating a system security plan (SSP) will make it easy for you to achieve certification. Your SSP document should include all aspects of your IT ecosystem that host CUI. It should also mention how that information flows through your organization’s authorization and authentication steps.
In essence, an SSP gives you a security profile by defining system boundaries (like AWS environments that handle CUI), listing implemented controls (like AES-256 encryption or SIEM monitoring), and documenting interconnections (like APIs to third-party vendors).
You can implement your plan by following these steps:
Conduct an inventory for your systems that host CUI
Develop an information flow diagram that shows your current authorizations and authentication process
Establish descriptions of your security controls and how to implement them
Create a process for updates based on system changes and CMMC standards
6. Create a POA&M for compliance
A plan of action and milestones (POA&M) is a prioritized roadmap for resolving compliance gaps and aligning security investments with business risk. It translates technical vulnerabilities into actionable items with clear ownership, timelines, and resource requirements.
Be sure to include the following considerations in your plan:
Track your metrics in real time through continuous monitoring.
Adopt automation tools for compliance checks and remediation.
Prioritize action items based on risk and your security picture.
7. Adopt a holistic solution for compliance and security
Clear steps, action plans, and team members are all part of achieving and maintaining CMMC. But you also need something that puts all of these things together to organize your compliance initiatives, improve cloud security through essential tools, and streamline your security posture.
Cloud-native application management platforms like Wiz provide the compliance frameworks and checks you need for automated, efficient data security management. Not only can you implement compliance, but you can also protect your entire cloud infrastructure by:
Gaining complete visibility across your cloud assets
Identifying and mitigating risks through prioritized alerts and action steps
Implementing continuous, agentless scanning to assess your entire cloud infrastructure
Penalties for non-compliance
Any organization that wants to secure a defense contract must comply with CMMC. Preserving the defense supply chain is essential to safeguarding confidential data, which makes CMMC certification non-negotiable.
Additionally, non-compliance with the program could result in serious issues for contractors working with the DoD. Failing to secure certification could leave organizations liable for charges under the False Claims Act (FCA).
Non-compliance with the FCA carries serious consequences, including treble damages and civil penalties that range from $13,508 to $27,018 per false claim. While the DoD doesn’t calculate fines based on the number of unmet controls, organizations that fail to implement Level 2’s 110 requirements risk significant financial liability due to misrepresentation or failure to comply.
Other examples of cybersecurity maturity models
Cybersecurity models provide organizations with frameworks to improve their security. CMMC focuses on the US Defense Industrial base, but many other models exist for specific sectors and purposes.
Here’s a comparison of four specific models:
| Maturity model | Focus | Governing body |
|---|---|---|
| CMMC | Defense supply chain security for defense industrial base contractors | US DoD |
| NIST CSF | Foundational cybersecurity framework for all organizations. Alternatives include ISO 27001 and CIS Controls | NIST |
| C2M2 | Energy sector security for organizations operating within it | Department of Energy |
| HITRUST CSF | Healthcare security for organizations that operate within the industry | HITRUST Alliance |
Besides CMMC’s focus on defense contractor security, a key difference between it and other models is that compliance is mandatory under CMMC, while many frameworks like NIST CSF rely on voluntary adherence. CMMC also requires third-party assessment for its higher levels, whereas C2M2 relies on self-assessment.
Achieving cloud compliance with Wiz
As we’ve seen, CMMC mandates ways to safeguard the defense supply chain and protect sensitive government data. Meeting compliance directives doesn’t have to be difficult—you just need the right tools.
That’s where Wiz comes in—it leads solutions that help you ensure that your cloud environment complies with multiple industry regulations, including NIST compliance (800-171 and SP 800-53) and FedRAMP. Wiz’s platform also continuously monitors your systems and generates interactive heatmaps to assess your security and compliance posture comprehensively.