DOD Cybersecurity Maturity Model Certification Offers Alternative to Compliance Checklists
Public and private-sector efforts now have a tiered approach to cybersecurity controls.

As part of its effort to increase supply chain security across the board, the Defense Department has developed the Cybersecurity Maturity Model Certification (CMMC) to certify vendors’ cybersecurity controls in the unclassified space. CMMC is designed to ensure that every vendor in the defense industrial base is taking steps to secure its systems and controlled unclassified information (CUI). Rather than focus on meeting a certain number of standards or achieving a level of compliance, the CMMC focuses on implementing a range of controls and cyber hygiene practices, which will be evaluated by third-party assessors and scored based upon levels of maturity.
The current guidelines underscore that the framework is part of an effort to reduce the estimated $600 billion loss to the U.S. economy due to IP theft, economic espionage and other forms of malicious cyber activity. While the defense industrial base is not the sole target, cybercrime and other malicious activity represent not only an economic threat, but also a threat to national security.
The CMMC is not meant to be a new checklist, explained Katie Arrington, chief information security officer for the Defense Department’s Assistant Secretary for Acquisition, but a metric for DOD to evaluate vendors’ cybersecurity programs across five levels of maturity.
Level 1 consists of “basic, low- or no-cost” measures that every company should be able to perform.
“If you’re listening to this webcast, you should be doing these things,” Arrington said on a webinar April 1.
Vendors must achieve at least level-three certification to do business with the DOD. It is a major leap from level one, requiring that vendors implement incident reporting mechanisms, encrypt all CUI on mobile devices and 111 other measures. These measures are essential for “good cyber hygiene,” but may be difficult for a small business to implement, Arrington explained. CMMC level two was designed as an intermediate step for those businesses, requiring only 55 of the 113 measures between levels one and three, including implementing “the principle of least privilege” and monitoring remote access on company systems. Even if levels one and two are not enough to access DOD CUI, they are important for businesses to chart their progress on the path to a level-three certification, rather than receiving a notification that they do not yet meet the level-three standard.
Arrington emphasized that the CMMC is still under development and that to date, no vendor has a CMMC certification, nor is there an accredited auditor. She also dispelled the myth that any vendor is “NIST certified.” While the CMMC is based upon the existing National Institute of Standards and Technology (NIST) Special Publication 800-171, NIST does not offer certifications.
Once the CMMC framework is implemented, vendors in the defense industrial base will have the opportunity to have their entire enterprise network certified at one of the five levels or focus on certification for one segment if that is more practical for their business, CMMC 1.0 states.
Arrington said she does not expect the COVID-19 pandemic to slow down CMMC development, underscoring that cybersecurity concerns have not gone away, nor will they. For now, DOD is making sure to avoid organizational conflicts of interest (OCI) in how it designs its program. Contractors who assist in designing the specific metrics for CMMC will not be awarded the contract to audit DOD vendors, she said, nor will auditors audit themselves once the framework is in place.
Following CMMC implementation, the pace of acquisition may slow in the short term, but ensuring every business in the defense industrial base is properly certified is essential for long-term security and efficiency.
“We are not going to move to a contract award until everyone who submits a contract bid has an opportunity to get certified,” Arrington said.