Cybersecurity Maturity Model Certification (CMMC): DOD Compliant Solutions

Carahsoft's Portfolio of CMMC Products & Services

Carahsoft and our partners have assembled products and services to help the defense community address the processes and practices of CMMC. We have organized those products and services by both CMMC Capability Domain and by technology vendor. To get started, select a CMMC Domain or Technology Vendor on the left hand side.

The CMMC Framework Explained

CMMC is the cybersecurity framework used by the DOD to measure their suppliers' cybersecurity maturity and ensure protection of Controlled Unclassified Information (CUI) residing on contractor networks. CMMC organizes cybersecurity processes and best practices into a set of 14 capability domains across 3 maturity tiers. The 3 Maturity Levels of the CMMC Framework are summarized below:

• Level 1: Foundational Security. Basic safeguarding of Federal Contracting Information (FCI) in FAR Clause 52.204-21, 17 practices
• Level 2: Advanced Security. Aligns with the 110 controls and security requirements of NIST 800-171.
Level 3: Expert Security. Full information will be released at a later date but expected to align with the enhanced security requirements of NIST 800-172.

Given the range of information sensitivity by contract, the maturity level required will be determined at the individual contract level. The maturity model is cumulative so that each successive level consists of the practices and processes specified in the preceding level as well as additional controls.

Within the 3 maturity levels of CMMC, the 14 capability domains are derived from the basic safeguarding requirements in FAR Clause 52.204-21, NIST Special Publication 800-171, and NIST Special Publication 800-172. Each domain is comprised of a set of controls that designate a range of cybersecurity and mitigation activities.

The CMMC framework includes an assessment requirement that verifies the execution of the practices by maturity level and standardizes implementation across the DIB. CMMC assessments are carried out through one of three methods depending on maturity level: self-assessment, third party assessment by CMMC Accreditation Body (CMMC-AB) certified assessor, or government assessment.

For more information on CMMC or how to get started on assessing your CMMC needs, please reach out to CMMC@carahsoft.com and a Carahsoft representative will assist you.