Phone 202 839-5563 


Cybersecurity Maturity Model Certification CMMC

CMMC v07 Released

cmmc .07

DoD is releasing this latest version so that the public can review the draft model and begin to prepare for the eventual CMMC roll out. 

Get a copy of the Cybersecurity Maturity Model.


CMMC Accreditation Body Kickoff Meeting

Information Last Updated: November 7, 2019

The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)) appreciates the responses received to the Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.

As a follow on activity, OUSD(A&S) is organizing a CMMC Accreditation Body Kickoff meeting for organizations and/or individuals interested in performing the following key functions associated with a CMMC Accreditation Body.

  • Establish the CMMC Accreditation Body inclusive of a Board of Directors. The CMMC Accreditation Body will set the terms and conditions for accrediting CMMC Third-Party Assessment Organizations (C3PAOs).
  • The CMMC Accreditation Body will provide oversight for CMMC accreditations and assessments, including managing and providing all associated processes (e.g., quality control, training, dispute resolution, database and records management). The CMMC Accreditation Body will liaise with the Department of Defense regarding the CMMC assessments of individual companies.

The purpose of this meeting is to address only these key topics and requirements associated with forming a CMMC Accreditation Body. This kickoff meeting will not discuss or address any requirements associated with creating C3PAOs or the incorporation of assessment tools or infrastructure. The intent is for the Accreditation Body to address C3PAO and assessment tool requirements after it has formed.

The Accreditation Body kickoff meeting will be held on November 19, 2019, from 09:00 AM to 12:00 PM at the NRECA Conference Center, 4301 Wilson Blvd, Plaza level, Arlington, Virginia, 22203, and will be hosted by Professional Services Council. Please arrive no later than 08:30 AM to sign in and be seated. In order to support maximum participation from parties interested in forming the CMMC Accreditation Body, each organization should limit their participation to no more than two (2) representatives. Participants must register for this event no later than November 14, 2019 at to guarantee a seat.

About the Cybersecurity Maturity Model Certification CMMC

“ We need risk management solutions to assess, measure, and mitigate risk in real time across multi tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment .”
Kevin Fahey DoD
The Honorable Kevin Fahey,
Assistant Secretary of Defense for Acquisition​

The DoD is working with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.

The new standard and maturity model will be named Cybersecurity Maturity Model Certification (CMMC)

The CMMC levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.

The required CMMC level (notionally between 1 – 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.

The CMMC must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.

The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department.

The CMMC will include a center for cybersecurity education and training.

The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain

Department of Defense logo
cost performance schedule security

Cost Schedule and Performance

are only effective in a secure environment.

To succeed with Deliver Uncompromised requires commitment at the enterprise rather than the element level—for the Department and for its contractor base.

Given the threat environment and its consequences for DoD, this report identifies a number of strategic elements—courses of action (COAs)—to address the cyber and supply chain security challenge.

We classify actions into short term (ST), medium term (MT), and long term (LT), based on how quickly and urgently the Department should initiate action.

The COAs are listed and described in more detail further in the report