Cybersecurity Maturity Model Certification (CMMC)

What is the Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) program was developed by the United States Department of Defense to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. Contracts are required to implement progressively advanced levels of controls depending on the type and sensitivity of information that is shared. In November 2021, the Department of Defense announced CMMC 2.0 with an updated structure and requirements. CMMC 2.0 has 3 tiers of certification that are outlined in the following table.

Tier Model Assessment
Level 3 110+ practices aligned with
NIST SP 800-171 and 800-172
Triennial government-led assessments
Level 2 110 practices aligned with
NIST SP 800-171
Triennial third party assessments for critical
national security information, triennial
self-assessment for select programs
Level 1 15 practices

Annual self-assessment & annual affirmation

While many organizations are working towards compliance with CMMC 2.0 requirements, the rulemaking process that will formally implement this program is still in progress.

Who is the intended audience?

The CMMC program applies to contractors and subcontractors of the United States Department of Defense, also commonly referred to as the Defense Industrial Base (DIB).

Where can I find more information?

The following resources can be found on the United States Department of Defense and National Institute of Standards and Technology websites:

How can runZero help me with these controls?

The CMMC 2.0 program aligns with NIST Special Publications 800-171 and 800-172. Each of these standards aligns controls with 14 control families. NIST SP 800-171 defines 110 controls across the 14 control families and NIST SP 800-172 defines additional enhanced security requirements for each control family. The following table illustrates how runZero aligns with each control family. Where Strong alignment is noted, runZero can play a significant role in helping an organization implement safeguards. Where Partial alignment is noted, runZero can play a complementary role in helping an organization implement safeguards.

Control Family Strong alignment Partial alignment
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident response
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity