CCMC or Cybersecurity Capability Maturity Model certification is the United States Government’s solution to fix low rates of compliance which are associated with NIST SP800-171. The CCMC certification is not optional for companies, entities, or individual organizations who wish to do business with the US Government. It is designed to permit and allow businesses whom have complied and been certified by a credentialed or registered CMMC organization to do business. CMMC is still evolving, and requires indefinite upkeep and professional eyes on. It is intended to protect our US Government, and those who do business with it.

What is the difference between CMMC and NIST?

While NIST SP800171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and NFO controls. CMMC only focuses on CUI controls and does not have NFO controls in scope for the CMMC audits. Contact a professional at OSA to understand this further. It is common or good practice to start your evaluation with an initial CUI score. This score is commonly utilized.

Is CMMC based on NIST?

CMMC is based on both DFARS and NIST 800-171 and includes all 110 controls and more. CMMC Version 1.0 was originally made up of 5 maturity levels. Each level builds upon the preceding level.

Since DFARS is still a listed requirement in most government contracts, if you are bidding on a contract or have been awarded the work, you’ll need to be compliant with all 110 NIST 800171 controls in order to fulfill the DFARS clause. DFARS does not address the CMMC at all but a new clause is currently being drafted for this purpose.

CMMC Version 1.0
Level 117 practicesBASIC
Level 272 practices, 2 processesINTERMEDIATE/TRANSITION
Level 3130 practices, 3 processesGOOD
Level 4156 practices, 4 processesPROACTIVE/TRANSITION
Level 5171 practices, 5 processesADVANCED

In March 2021, the DoD performed an internal review of the CMMC requirements and announced changes in November 2021. The updated CMMC Version 2.0 has condensed 5 levels into 3 levels.

The DoD introduced the Plan of Actions and Milestones (POAM) where organizations who have not yet fully implemented 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline.
This POAM is submitted before work begins and enables organizations to begin working for federal agencies whilst they simultaneously work towards full implementation of 800-171.

CMMC Version 1.0CMMC Version 2.0ModelAssessment Requirement
Level 1 – (Based on DFARS)LEVEL 1 Foundational17 practices -from NIST 800-171No third party assessment. Do an annual self-assessment and upload score to SPRS
Level 2
Level 3 – (NIST 800-171 )LEVEL 2Advanced110 practices – aligned with NIST 800-171Critical CUI handlers will be assessed by a C3PAO three times a year. Handlers of non-critical CUI will only need a self-assessment, like level 1.
Level 4
Level 5 – (NIST SP 800-172)LEVEL 3 Expert*Over 110+ practices based on NIST 800-172Government-led assessment three times a year.

CMMC certifications can only be issued by a Certified 3rd Party Assessment Organization (C3PAO) but no company has yet been “certified to certify”.
Criticality has not yet been defined which is important to keep in mind for those attempting level 2 maturity.
Guidance has been published to allow companies to prepare for its upcoming implementation, predicted to be within 18-24 months.
*Expert Level 3 has not yet been developed and will be based on NIST SP 800-172.