Cybersecurity Maturity Model Certification definition
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework developed by the US Department of Defense (DoD) for contractors in the defense industrial base (DIB). In November 2021 the DoD announced CMMC 2.0, which collapsed the original five certification levels into three and aligned the requirements directly with existing NIST publications.
CMMC defines the security practices that organizations working with the DoD must implement to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they handle on their own systems. The required level is set per contract, and organizations must be assessed at that level (and annually affirm continued compliance) to remain eligible for awards under the framework.
Cybersecurity Maturity Model Certification levels
- Level 1: Foundational. Intended for organizations that handle only Federal Contract Information (FCI) and no CUI. It prescribes 17 basic safeguarding practices drawn from FAR 52.204-21 (for example, limiting system access to authorized users and sanitizing media before disposal). Compliance is demonstrated by an annual self-assessment performed by the organization itself.
- Level 2: Advanced. Required for organizations that handle Controlled Unclassified Information (CUI), information whose compromise can have national security implications. Level 2 prescribes the 110 security requirements of NIST SP 800-171. For contracts involving information critical to national security (prioritized acquisitions), compliance must be assessed every three years by an accredited third-party assessment organization (C3PAO); for a subset of less sensitive contracts, an annual self-assessment is permitted instead.
- Level 3: Expert. Reserved for organizations handling CUI associated with the highest-priority DoD programs, where the threat model includes advanced persistent threats. Level 3 builds on the 110 requirements of NIST SP 800-171 and adds a selected subset of enhanced requirements from NIST SP 800-172 (24 requirements in the final rule). Organizations must first hold a Level 2 certification from a C3PAO; the Level 3 assessment itself is conducted every three years by government assessors.