DoD recently released the seventh draft iteration (Version 0.7) of the Cybersecurity Maturity Model Certification (CMMC) with plans to release the beta version (1.0) — the final guidance — in late January 2020.

This paves the way, industry has been repeatedly advised, to the inclusion of CMMC requirements in DoD solicitations.

The introduction to the 190-page document produced under DoD contract to Carnegie Mellon University and Johns Hopkins Applied Physics Lab, follows:


The United States Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is working with the Defense Industrial Base (DIB) sector to enhance the protection of sensitive data – namely, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), within the supply chain. The theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [46]. Moreover, the Center for Strategic and International Studies estimates that the cost of cybercrime worldwide is approximately $600 billion [80]. The majority of this IP theft is directly attributable to poor cybersecurity maturity and ineffective implementation of controls necessary to protect sensitive data.

The sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition. Towards that end, OUSD(A&S) is working with DoD stakeholders, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. The CMMC effort builds upon existing regulation, specifically, 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and incorporates practices from multiple sources such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 171 rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [11,12,47,4]. CMMC also adds a certification element to verify implementation of cybersecurity requirements. CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).

CMMC Versions 0.4 and 0.6 were released for public review in September and November 2019, respectively. CMMC Version 0.7 includes Level 4-5 practices and modifies some maturity processes and Level 1-3 practices.

The DoD is releasing this draft version to support the public’s continued review of the draft model in preparation for the release of the CMMC Model Version 1.0 at the end of January 2020. Section 2 describes the model framework, including levels, capability domains, and processes. Section 3 provides instructions on how to read the model. Appendix A presents the latest version of the CMMC Model. Appendices B, C, and D present the practice clarifications for CMMC Levels 1-3, respectively. This document also provides key references, a glossary of terms, and a list of acronyms.