The Cybersecurity Maturity Model Certification (CMMC), announced in January 2020, requires U.S. Department of Defense contractors to achieve one of five baseline security levels.  The model is a stepped approach that includes 17 domains with a number of security best processes and practices within each domain.  The incremental approach allows organizations to improve their cybersecurity posture over time.  It is very similar to moving upwards in levels in gaming.  The five levels include:

 ProcessesNumber of ProcessesPracticesNumber of Practices
LEVEL 1Performed0Basic17
LEVEL 2Documented+2 (2 total)Intermediate+55 (72 total)
LEVEL 3Managed+1 (3 total)Good+58 (130 total)
LEVEL 4Reviewed+1 (4 total)Proactive+26 (156 total)
LEVEL 5Optimized+1 (5 total)Advanced/Progressive+15 (171 total)

While there is no deadline for CMMC compliance, it will be incorporated as a requirement into new DoD contract request for proposals (RFPs), which will specify the required certification level to participate in various projects.

As organizations rush to comply with the new CMMC, what does it take to get on the playing board with Level 1 certification?

Processes.  There are no required formal processes for CMMC Level 1.  Select practices are documented where required.

Practices.  There are 17 required practices for CMMC Level 1.  They span 6 of the 17 domains and are equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CRF 52.204-21.

AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 
AC.1.003Verify and control/limit connections to and use of external information systems. 
AC.1.004Control information posted or processed on publicly accessible information systems. 
IA.1.076Identify information system users, processes acting on behalf of users, or devices. 
IA.1.077  Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 
MP.1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. 
PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132Escort visitors and monitor visitor activity. 
PE.1.133Maintain audit logs of physical access.
PE.1.134Control and manage physical access devices.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 Update malicious code protection mechanisms when new releases are available.
SI.1.213Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Many organizations likely already implement the basic security best practices required for CMMC Level 1, and filling in any gaps should be easily achieved.

Leveling up to intermediate CMMC Level 2 requires documenting all Level 1 practices, creating a policy that includes all activities, and 55 additional practices that align with NIST SP800-171r1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

SHINE System’s Pyramid of Protection helps organization’s meet regulatory requirements across people, processes, and technology.  The Pyramid of Protection addresses regulatory requirements like CMMC by ensuring strong cybersecurity protections across the areas of policy, practice, and posture.

Pursing the new CMMC requirements may take some effort, especially leveling up to higher levels, but the requirements will strengthen an organization’s security posture.  The CMMC is a game worth playing, so get on the board and start leveling up.

Pursing the new CMMC requirements may take some effort, especially leveling up to higher levels, but the requirements will strengthen an organization’s security posture.  The CMMC is a game worth playing, so get on the board and start leveling up.


Cyber disruptions are increasing in such frequency and severity that it’s no longer a matter of “if” but instead a matter of “when.” Organizations need to prepare. Vulnerabilities lead to erosion of confidentiality, integrity, or availability that may stem from malicious attacks, accidents, or natural occurrences.

SHINE Systems helps customers establish cyber resilience, enabling them to operate in the face of these threats through proactive prevention and detection, streamlined response, and rapid recovery.

For more information on our Cybersecurity services, please call Dr. Angela Orebaugh at 434-322-3000 Ext. 102 or email cyber@SHINESystems.com.

About the Author

This image has an empty alt attribute; its file name is j8G-OQZDuqXd2PP8ivukDGAf8o39FaLRXIe0loZ6plB1pL-8bizRBUdpbbb3qipfRtovVsrc3acsfKzZR0hMnG82gymcAukxTppBTNavDmkhqMkEpZtgXJPU_YZ4-KbbgLynEYU
Photo credit: https://www.scps.virginia.edu/faculty/stories/angela-orebaugh/

Angela Orebaugh, Ph.D. is a technologist, educator, researcher, and author with a broad spectrum of expertise in information technology and security. She synergizes her 20 years of hands-on strategic and technical experiences within industry, academia, and government to advise clients on information technology and security strategy, management, and technologies.