Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

What is Cybersecurity Maturity Model Certification (CMMC)?

Cybersecurity Maturity Model Certification (CMMC) is an evaluation designed for Defense Industrial Base (DIB) contractors.

Wiz Experts Team
6 min read

Cybersecurity Maturity Model Certification (CMMC) is an evaluation designed for Defense Industrial Base (DIB) contractors. CMMC ensures DIB contractors meet basic cybersecurity requirements when handling controlled unclassified information (CUI).

Although the U.S. Department of Defense has provided cybersecurity guidelines to contractors for a long time, it established the CMMC in 2020. Every contractor must earn this certification to be eligible to develop and supply products and services to the DoD. 

CMMC requires all DoD contractors to undergo a third-party cybersecurity assessment. This evaluation is done by the CMMC Assessors and Instructors Certification Organization (CAICO) and Certified Third-Party Assessor Organizations (C3PAOs)—firms trained and certified by the CMMC Accreditation Body to assess every contractor.

The need for CMMC in the defense supply chain 

Traditionally, defense contractors were required to meet cybersecurity standards established by the NIST SP 800-171 framework through self-attestation. However, this led to a weak security stance and several breaches, including the infamous SolarWinds attack. 

CMMC, aimed at better assessing, monitoring, and securing the defense supply chain, covers roughly 350,000 firms in the DIB. Initially, the CMMC program offered five certification levels, which have been condensed into three levels under CMMC 2.0. (When the CMMC program was renewed, the DoD decided to eliminate Levels 2 and 4 for a more compact assessment.) Similar to the old version, the maturity level in CMMC 2.0 is determined by the sensitivity of the data handled during the contract period. Let’s take a more in-depth look.

The different maturity levels of CMMC

CMMC 2.0 Levels 1–3 vs. CMMC 1.0 Levels 1–5

Level 1: Foundational

The most basic maturity level requires you to practice minimum cybersecurity measures like patch updates and password management. It covers 17 controls described in 48 CFR 52.204-21 standards.

Level 1 certification aims to reduce risk for companies that manage data. Organizations don’t need documentation to implement these foundational security requirements. Instead, they can self-assess their readiness for Level 1 compliance. DIB contractors who handle federal contract information (FCI), which isn’t critical, must attain Level 1 certification.

Level 2: Advanced

CMMC 2.0 Level 2 certification is a must for companies that deal with controlled unclassified information (CUI). Level 2 mandates intermediate cyber hygiene by implementing 14 domains and 110 security controls from NIST 800-171. In addition to the practices outlined in Level 1, Level 2 stipulates that organizations must document their security processes and guidelines.

At Level 2, contractors must undergo an assessment process by C3PAOs every three years. Since they manage information critical for national security, these organizations must also conduct annual self-assessments.

Level 3: Expert

As the highest level of CMMC certification, Level 3 involves stringent security policies based on NIST SP 800-171 & 172 standards. Level 3 covers threat detection and remediation strategies, data protection, and system hardening exercises. Organizations are prepared to tackle advanced persistent threats (APTs) at this maturity level.

Core aspects of CMMC compliance

CMMC was introduced to cover three key objectives:

  • Safeguarding sensitive information that could challenge national security

  • Setting a cybersecurity standard for companies securing defense contracts

  • Making defense contractors accountable for securing government data

The CMMC framework comprises three key aspects to achieve these objectives: Domains, Practices, and Capabilities. Let’s go over them briefly.


CMMC 2.0 is organized into 14 cyber domains, or sets of security practices grouped by their attributes. The domains defined under the new version of CMMC are:

NumberCyber Domain
1Access Control (AC)
2Awareness and Training (AT)
3Audit and Accountability (AU)
4Configuration Management (CM)
5Identification and Authentication (IA)
6Incident Response (IR)
7Maintenance (MA)
8Media Protection (MP)
9Personnel Security (PS)
10Physical Protection (PE)
11Risk Assessment (RA)
12Security Assessment (CA)
13System and Communications Protection (SC)
14System and Information Integrity (SI)
CMMC 1.0 had 17 domains, which were reduced to 14 in CMMC 2.0


These describe the specific security practices you must implement to safeguard information. Spread across 14 security domains, there are 110 practices.


Capabilities are best practices, processes, and tactics that organizations must employ for robust security. The DoD removed some capabilities from CMMC 2.0 that were explicitly mentioned in CMMC 1.0.

Who needs to comply with CMMC?

The DoD has mandated that every defense contractor should achieve CMMC certification by 2026. While commercial-off-the-shelf (COTS) vendors are exempted from certification requirements, other organizations must secure the maturity level listed in their contract. The three different types of contractors who need to comply with CMMC are as follows:

  • Organizations that work only with FCI and have a FAR 52.204-21 clause in their contract will need CMMC Level 1. They do not require third-party assessment. Instead, they must self-certify their security practices. Contractors are instructed to share the details of their FCI management plan, including information about people, processes, technologies, facilities, and other external providers involved. 

  • Defense contractors that will need Level 2 certification are those who have a DFARS 7021 clause marked in their contract. Per the mandate, they must undergo third-party assessment through an accredited C3PAO every three years and complete a self-assessment annually.

  • Organizations with DFARS 7021 clauses in their contract that handle highly sensitive data will need the highest level of maturity. To achieve Level 3 certification, they must comply with essential security practices listed in NIST SP 800-171 and some of 800-172. Full details of Level 3 certification have yet to be formalized. Regardless, organizations must undergo an audit by a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Penalties for non-compliance

Any organization that wants to secure a defense contract must comply with CMMC. It’s essential to safeguard confidential data by ensuring the defense supply chain, making CMMC certification non-negotiable. Moreover, non-compliance with the program could result in serious issues for contractors working with the DoD.

Failing to secure certification could leave organizations liable to face charges under the False Claims Act (FCA). The FCA, introduced under the Civil Cyber-Fraud Initiative, can penalize companies as much as $10,000 per control. Considering there are 110 controls in Level 2, the total penalty might reach $1 million or more.

CMMC cloud compliance best practices

We’ve seen why complying with CMMC is critically important for defense contractors. However, the road to achieving CMMC compliance is paved with challenges. To mitigate those challenges, follow this seven-step checklist of best practices to earn maturity certification:

1. Understand what level of CMMC certification you need

Level 1 certification is a minimum requirement for securing a defense contract from the DoD. You must earn Level 2 compliance if your organization deals with CUI, and Level 3 certification is the highest level of attainment. Review your defense contract carefully to learn which maturity level you need.

2. Establish a core team to take care of CMMC compliance

Delegating the responsibility of compliance requirements to a core team will streamline your security practices. IT teams usually take up this role; regardless of who is in charge, CMMC compliance must be managed by someone who can involve all the organization's stakeholders and keep the project on track at every step.

3. Determine your CMMC compliance readiness

Implement a self-assessment procedure to determine the state of your cybersecurity and readiness for CMMC compliance. This typically involves evaluating your policies, procedures, and access controls.

4. Limit access to CUI for easy security management

Giving access to CUI to a large group will make it hard to keep tabs on who is accessing the information. Restrict its access to select personnel and ensure they are trained on CUI management practices.

5. Learn your compliance score through an RPO

Before you undergo the CMMC compliance process, you must understand your security posture. Collaborate with a CMMC Registered Provider Organization (RPO) to evaluate the compliance gaps within your organization. A third-party assessment will highlight any aspects you may have missed during the self-assessment.

6. Build a system security plan (SSP) for CMMC compliance

Creating an SSP will make it easy for you to achieve certification. The SSP document should include all the aspects of your IT ecosystem that host CUI. It should also mention how that information flows through your organization through authorization and authentication steps. In essence, an SSP gives you a security profile.

7. Create a plan of action and milestones (POA&M) for compliance

Achieving CMMC compliance is a journey that necessitates securing your system end to end. To do so, you need a clear strategy detailed in a POA&M that outlines steps to strengthen your cybersecurity by eliminating vulnerabilities. 

Achieving cloud compliance with Wiz

As we’ve seen, CMMC mandates ways of safeguarding the defense supply chain to protect sensitive government data. The Federal Information Security Management Act (FISMA), which is aimed at government agencies and private corporations managing public data, is another important regulation organizations must comply with. 

It doesn’t have to be difficult to meet compliance directives—you just need the right tools. Wiz is a leading solution that assesses your cloud environment against multiple industry regulations, including NIST 800-171, NIST SP 800-53, and FedRAMP. Wiz continuously monitors your systems and generates interactive heatmaps to deliver comprehensive visibility of your security and compliance posture.

Schedule a demo today to learn how Wiz can simplify all your compliance management needs.

100+ Built-In Compliance Frameworks

See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.

Get a demo

Continue reading

Azure Security Risks & Mitigation Steps

Wiz Experts Team

This article offers an extensive examination of Azure environments’ most pressing security risks along with suggested approaches for effectively mitigating these challenges.

Remote Code Execution Attacks Explained

Wiz Experts Team

Remote code execution refers to a security vulnerability through which malicious actors can remotely run code on your systems or servers.

Understanding Cloud Security Risks

Wiz Experts Team

A cloud security risk is any threat that might impact the confidentiality, integrity, and availability (CIA) of data and applications hosted in the cloud.

Cloud Sprawl Explained

Wiz Experts Team

Cloud sprawl is a phenomenon that involves the unmanaged growth of cloud-based resources and services.

CSPM vs DSPM: Why You Need Both

Wiz Experts Team

Discover the similarities between CSPM and DSPM, what factors set them apart, and which one is the best choice for your organization’s needs.

Container monitoring explained

Container monitoring is the process of collecting, analyzing, and reporting metrics and data related to the performance and health of containerized applications and their hosting environments.