top of page

Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) will soon be a new requirement for government and DoD contractors.

CMMC is designed to provide the DoD assurance that contractors can adequately protect CUI (Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls). The CMMC will be included in RFIs and RFPs in 2020 and will eventually be mandatory for all prime contractors and subcontractors.

CMMC Levels

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”.


Level 1

  • Processes: Performed

Requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

  • Practices: Basic Cyber Hygiene

Focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

Level 2

  • Processes: Documented

Requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.

  • Practices: Intermediate Cyber Hygiene


Serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

Level 3

  • Processes: Managed

Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

  • Practices: Good Cyber Hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as 20 additional practices to mitigate threats. Any contractor with a DFARS clause n their contract will need to at least meet Level 3 requirements. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

Level 4 

  • Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

  • Practices: Proactive

Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.

Level 5 

  • Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

  • Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

CMMC Timeline

The CMMC program is currently under review by the DoD. However, the DoD added CMMC Level Requirements to DoD contract Requests for Information (RFIs) in 2021. CMMC Level requirements already started with an estimated 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense in 2021. This will grow to:

  • 75 in 2022,

  • 250 in 2023,

  • 325 in 2024, and

  • 475 in 2025. 


At this time, for those contracts, CMMC certification is being used as the basis for “go/no go” decisions. 


Approximately 1,500 primes and subcontractors were affected in the first round of implementation. The roll-out will continue over a five-year period, with the expectation that all new DoD contracts will include CMMC requirements by Fall 2026.

How can Ratel Cybersecurity Help you?

Ratel Cybersecurity CMMC RPs can help your organization prepare for  and implement CMMC requirements. For more information, contact us.

bottom of page