Cybersecurity Maturity Model Certification (CMMC) is starting to become the talk of the town. It’s a program established by the US Department of Defense (DoD) intended to improve security by requiring certification of external contractors.

CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems. In the past, contractors have been responsible for implementing, monitoring and self-assessing the security of their IT systems and any sensitive DoD information that was stored on or transmitted by those systems. With more than 300,000 contractors, and the fact that the defense industrial base (DIB) is under constant threat of cyber warfare, you can understand why this program is necessary. It is a matter of national security, especially post SolarWinds.

So, understanding the ‘why’ is easy enough, but a little more difficult can be understanding the ‘what’. The CMMC framework consists of multiple domains, maturity levels, and practice areas – it can be overwhelming to figure out what all this means and where to start.

I think it’s best to begin by looking at the different components that make up the CMMC framework:


There are 17 different domains in the CMMC framework. Each domain is essentially a category or grouping of security practices. Most of them have been pulled from recognized standards like the Federal Information Processing Standards (FIPS), and the National Institute of Standards and Technology (NIST).


cmmc graphic


The 17 CMMC domains.

Dark purple represents the domains where Entrust can help achieve compliance.



Spanning across the 17 domains, there are a total of 171 practices. Each domain contains its own set of practices that detail what is required in order to achieve compliance for that particular domain. But not each practice is created equal. There are different levels of maturity – five in total – that the practices fall under, representing the different levels of CMMC compliance.


As mentioned, there are five maturity levels in the CMMC model. To achieve a particular CMMC level – you need to demonstrate both practices and processes.

Here’s a quick overview of the practices and processes associated with each level:

Level 1

  • The practice label is here basic, representing basic cyber hygiene.
  • The process is performed, meaning an organization is simply required to perform the particular practice to achieve this level of compliance

Level 2

  • The practice is intermediate cyber hygiene
  • The process is documented, meaning the organization needs to establish practices and policies, and document them in relation to performing the CMMC practices

Level 3

  • The practice is good cyber hygiene; and this one really focuses on the protection of Controlled Unclassified Information (CUI) and includes all the security requirements specified in NIST
  • The process is managed, and this requires a more elaborate plan that goes past just documenting practices and policies, but also demonstrating the management of those activities on an ongoing basis

Level 4

  • The practice is proactive, focusing more on the detection and response capabilities of organizations
  • The process is reviewed, which requires organizations to review and measure their practices for effectiveness

And finally, Level 5

  • The practice is advanced, and simply alludes to the increased sophistication of cybersecurity capabilities at this level
  • The process is optimizing, which requires the organization to standardize and optimize their processes

cmmc maturity levels graphic

The 5 levels of maturity in the CMMC framework.

Level 3 compliance is the baseline for good cyber hygiene.


As seen in the image above, each level as a number of practices underneath it – 17 practices under level 1, 72 practices under level 2, all the way up to 171 practices under level 5. The number grows with each level because they are cumulative. For example, this means if you want to achieve a level 3 in a particular domain, you also need to demonstrate achievement in levels 1 and 2. As well, please note that DoD is still defining many of the practice areas for Level 4 and 5 maturity across domains.

And there you have it, the basic components of CMMC explained.

Although we are a few years away from all DoD contracts requiring some level of CMMC compliance, CMMC requirements started to pop up in bids this past fall. Not to mention other US government organizations – including DHS (and even other governments!) – are looking to apply this type of framework for their own purposes and security. Now is the time to start looking at CMMC requirements and ensure your organization is compliant.

Learn more Entrust CMMC compliance solutions.