The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed the Cybersecurity Maturity Model Certification (CMMC) to assess and certify a company’s maturity of cybersecurity practices and processes. The objective and mandate of the CMMC is that Department of Defense (DoD) contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet a “basic cyber hygiene” and to protect controlled unclassified information (CUI) residing on partner systems. The cybersecurity practices and CUI protection already exist in regulations like Defense Federal Acquisition Regulation Supplement (DFARS) and NIST; however, those standards do not stipulate a third-party assessment to validate cybersecurity effectiveness and maturity, and to provide certification.

The CMMC builds upon established NIST special publications and DFAR regulations (with some additional sources, including UK Cyber Essentials and the Australia Cyber Security Centre Essential Eight maturity model). CMMC comprises 17 capability domains that include 171 practices or controls.