DOD’s Cybersecurity Maturity Model: What’s Changed and Why It Matters
The Cybersecurity Maturity Model Certification (CMMC) has been a topic of discussion in the federal contracting community since its inception. The latest updates to the model have sparked renewed interest and concern among federal contractors, particularly those in the defense sector. In this article, we’ll break down the changes, explore their implications, and provide guidance for contractors navigating the updated CMMC landscape.
A Brief History of CMMC
The CMMC was first introduced in 2019 as a response to growing concerns over the cybersecurity posture of the defense industrial base (DIB). The model was designed to provide a standardized framework for evaluating the cybersecurity maturity of federal contractors, with the goal of reducing the risk of cyber threats to the DIB. The initial version of the CMMC consisted of five levels of maturity, ranging from basic cybersecurity practices to advanced practices.
The Latest Updates
The latest updates to the CMMC, announced in January 2022, have significant implications for federal contractors. The updates include:
- The consolidation of the five original levels of maturity into three levels: Foundational, Advanced, and Expert.
- The removal of 110 specific cybersecurity practices, with 171 new practices added to the model.
- The introduction of a new third-party assessment process, which will require contractors to undergo an independent assessment to verify their CMMC level.
What Do the Updates Mean for Contractors?
The updates to the CMMC have several key implications for federal contractors:
- Increased complexity: The removal of 110 specific cybersecurity practices and the addition of 171 new ones will require contractors to adapt their cybersecurity programs to meet the new requirements.
- Higher costs: The introduction of a third-party assessment process will require contractors to invest in the services of an independent assessor, which will add to their costs.
- Greater emphasis on cybersecurity: The updated CMMC places a greater emphasis on cybersecurity, which will require contractors to prioritize cybersecurity investments and personnel.
What Contractors Can Do Now
While the updates to the CMMC may seem daunting, there are steps contractors can take now to prepare:
- Review existing cybersecurity practices: Contractors should review their existing cybersecurity practices to determine which ones align with the updated CMMC.
- Invest in cybersecurity personnel and training: Contractors should invest in cybersecurity personnel and training to ensure they have the necessary expertise to meet the updated CMMC requirements.
- Develop a CMMC implementation plan: Contractors should develop a plan for implementing the updated CMMC, including budgeting for the third-party assessment process.
Conclusion
The updates to the CMMC have significant implications for federal contractors, particularly those in the defense sector. By understanding the changes and taking proactive steps to prepare, contractors can reduce the risk of non-compliance and ensure their cybersecurity programs meet the updated CMMC requirements. As the federal contracting community continues to navigate the complex landscape of cybersecurity requirements, one thing is clear: the CMMC is here to stay.
Additional Resources
For more information on the CMMC and its updates, contractors can visit the official CMMC website or consult with a certified CMMC assessor. Additionally, the Department of Defense provides guidance on the CMMC through its official website and various industry events.
“The CMMC is a critical component of our efforts to protect the defense industrial base from cyber threats. We’re committed to supporting contractors as they implement the updated model and ensure the highest level of cybersecurity.”
— Dr. Will Roper, Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics


