Cybersecurity Maturity Model Certification (CMMC): What Small Businesses Should Know

New rules on cybersecurity readiness for DoD contractors are rolling out. Learn about the CMMC and how your small business could be affected so you can stay compliant.

What Is the Cybersecurity Maturity Model Certification (CMMC)?

The CMMC came about because of several devastating hacks that released huge amounts of sensitive DoD information. Previously, the National Institute of Standards and Technology’s (NIST) framework guided security measures. The emergence of foreign, state-sponsored cyber threats and increasingly sophisticated hacking techniques have made the need for updated security requirements a matter of urgent national security.

“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.” (* FifthDomain)

With new requirements for receiving federal contracts for the DoD, many small business contractors are wondering if the CMMC will be coming to other government sectors. As the first pilot of its kind, this seems likely. Many interdependencies exist among government institutions and a hole in one sector’s security could impact others. With 17 areas of focus, the following list can make it appear daunting just to remain compliant:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Security
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. Systems and Communications Protection
  17. System and Information Integrity


Who Needs CMMC Certification?

This is a huge question on any government contractor’s mind right now. The Cybersecurity Maturity Model Certification represents a first for the government: a cybersecurity standard for contractors in general. Since many attacks on non-DoD government institutions have come from state-sponsored entities equipped with “military grade” cyber weapons, it is foreseeable that having a “military grade” cyber defense could become a universal requirement in the next few years.

What Are the CMMC Levels?

“The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.” (* FifthDomain).

There are 5 levels of CMMC certification, each with more stringent requirements than the last. As one can imagine, more sensitive operations require higher levels.

What You Should Know About the CMMC Certification

Here are some key facts that will help you navigate these regulatory waters:

  • At first, this will only be for contractors (and subcontractors) bidding for DoD contracts.
  • Any RFP for the DoD will determine the “CMMC Level” required on a contract-by-contract basis, with higher levels of compliance and security implementation required for jobs handling increasingly sensitive data.
  • Certification requires a third-party auditor and, depending on just how sensitive the data is, possibly more stringent assessments from internal DoD personnel.
  • How long is the certification good for? Unknown as of yet, but exact details are expected to be released.
  • Certification levels are to be made public, although details of how good their security was during the assessment will remain confidential.
  • Cost of certification is considered reimbursable and, according to the government’s site, should not be cost-prohibitive.
  • Compromise of systems during a contract does not mean loss of the certification, but might mean a recertification for program managers if deemed necessary by DoD assessors.

How Do Small Businesses Get a Cybersecurity Maturity Model Certification?

First, as mentioned, this will require a third-party auditor (an accredited/independent commercial certification organization), with which your company must schedule a CMMC assessment. They will review your company’s demonstration of appropriate “maturity” in meeting cybersecurity standards.

The type of audit requested will match the CMMC level needed by the company. Your level of CMMC will become public knowledge and the DoD will only be able to see the level, not the details of the audit.


About the Author:

Chase Norlin is the CEO of Transmosis, a nationally recognized Cyber Security Workforce Developer and the creator of CyberOps, a military-grade cyber security platform designed to protect small businesses from cyber attack. Norlin is a serial technology entrepreneur who founded the Internet’s first online video-sharing platform and one of the first video search engines, photo sharing services, and video ad networks.

