CMMC 1.0 Model

What are the CMMC requirements?

**NOTE – This article is specific to CMMC 1.0. There are new guidelines for CMMC 2.0, which we will cover in a separate post.**

The Cybersecurity Maturity Model Certification (CMMC 1.0) framework is designed to assess and certify the cybersecurity practices and processes of Department of Defense (DoD) contractors and subcontractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

The CMMC framework includes five levels of maturity, each with a set of practices and processes that must be met in order to achieve certification. The higher the level of certification, the more rigorous the cybersecurity practices and processes required.


The specific requirements for each level of CMMC 1.0 certification include:

Level 1: Basic Cyber Hygiene

Protect Federal Contract Information (FCI) and follow basic cyber hygiene practices

Level 2: Intermediate Cyber Hygiene

Establish and document standardized cybersecurity policies and practices

Implement and practice cybersecurity controls and processes

Level 3: Good Cyber Hygiene

Establish and maintain a plan for managing cybersecurity risks

Document and review security policies and procedures

Conduct regular vulnerability assessments and maintain a cybersecurity incident response plan

Level 4: Proactive

Implement advanced cybersecurity controls and processes to detect and respond to advanced persistent threats (APTs)

Implement advanced techniques for continuous monitoring and proactive threat hunting

Level 5: Advanced/Progressive

Develop and optimize advanced cybersecurity practices and processes tailored to the organization’s specific risks and threats

Continuously improve and evolve cybersecurity practices and processes through innovation and best practices

Overall, the CMMC 1.0 requirements are designed to ensure that DoD contractors and subcontractors have appropriate cybersecurity measures in place to protect sensitive information from cyber threats. Companies that handle CUI or FCI must comply with the CMMC 1.0 requirements in order to do business with the DoD.