The Cybersecurity Maturity Model Certification (CMMC) proceeds within initial timelines. Currently the credential is planned to be phased into new DoD contracts starting in Q3 2020. As such, it is critical that all the organizations affected continue to plan for the needs. In this blog, we’ll look at better explanation of the framework terms and structure.

The CMMC Accreditation Body has been developed in current developments and has organized the CMMC Quality Management Working Groups, with the goals of improving the CMMC Standards and Specifications Evaluation Guide and establishing the Rates of Training and Learning Objectives for Certification Assessment Criteria. Additional working groups were created, and you can find the information here.

All contractors and subcontractors operating with the US will need CMMC approval if you do work with the DoD. The aim is to strengthen the security of this knowledge within the supply chain of the Department of Defense. Though CMMC primarily leverages existing standards and regulations such as FAR Clause 52.204-21 and Special Publication of the National Institute of Standards and Technology (NIST)(SP) 800-171, it also draws from other best practices.

Under CMMC, for DoD contracts to be awarded, organisations can no longer self-assess against 800-171. Alternatively, companies would need to be approved by the CMMC accredited third party evaluation companies (C3PAOs). Both DoD and the CMMC accreditation body encourage organizations to perform self-assessments on compliance with CMMC until a C3PAO official evaluation.

Version 1 of CMMC was released on January 30, and since then, they have made sligh revisions, version 1.02, was released in March. To understand the structure of the CMMC you need to understand how the different elements function together.

Understanding the different elements of the Cybersecurity Maturity Model Certification (CMMC)

Image source: Cybersecurity Maturity Model Certification (CMMC) Version 1.02, March 18, 2020, page 3


There are a total of 171 practices mapped across the five levels of CMMC maturity.

  • Level 1: 17 practices
  • Level 2: 72 total practices (17 Level 1 + 55 additional)
  • Level 3: 130 total practices (72 Level 2 + 58 additional)
  • Level 4: 156 total practices (130 Level 3 + 26 additional)
  • Level 5: 171 total practices (156 Level 4 + 15 additional)

The practices are derived primarily from the following sources:


As mentioned earlier, it’s no longer enough to have mature practices in place. You must also be able to demonstrate process maturity—institutionalization of the practices—to achieve certification at the maturity levels. Keep in mind, process maturity is evaluated differently than practice maturity, but both are required.

Through leveraging the immense expertise of our consulting team, Diriga Technologies can provide readiness assessments for your company regarding any level of CMMC. We will look at the application of information governance and technology controls within your company to help address the concerns you are likely to have about process institutionalization. Additionally Diriga Technologies offers CMMC solutions that can meet CMMC practice requirements.