Cybersecurity Maturity Model Certification

Play Video

What is CMMC?

The Cybersecurity Maturity Model (CMMC) is a US initiative lead by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defence (DoD). It builds upon existing regulation (DFARS 252.204-7012) that requires DoD contractors and subcontractors to safeguard information within the US supply chain using a self-certification method. The new risk management framework (RMF) adds a verification component that requires the employment of third-party auditors to conduct the audit and certification process. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision” when selecting suppliers.

Trust Hogen’s CMMC solution provides excellent coverage of the practices specified within CMMC requirements for both audit requirements and improvement of cyber hygiene.

A summary of CMMC requirements

The CMMC RMF provides a means of improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of information to be protected and the range of threats:

Level 1

Safeguard Federal Contract Information (FCI)

Level 2

Serve as Transition step in cybersecurity maturity progression to protect (CUI)

Level 3

Protect Controlled Unclassified Information (CUI)

Level 4 - 5

Protect CUI and reduce risk of Advanced Persistent Threats (APT’s)

CMMC Maturity Levels

Suppliers who handle Controlled Unclassified Information (CUI) will need to be audited and obtain certification from a third-party auditor that appropriate maturity in processes and practices are being achieved.

The model consists of capabilities, processes and practices organised into a set of domains that are mapped across five maturity levels. The model is cumulative, which means that in order to achieve a desired maturity level, an organisation must also demonstrate achievement of the preceding lower levels. The 17 domains are summarised below. Full details can be found on the official government site here.

Access Control (AC)

Asset Management (AM)

Audit and Accountability (AU)

Awareness and Training (AT)

Configuration Management (CM)

Identification and Authentication (IA)

Incident Response

Maintenance (MA)

Media Protection (MP)

Personal Security (PS)

Physical Protection (PE)

Recovery (RE)

Risk Management (RM)

Security Assessment (CA)

Situaltional Awareness (SA)

System and Communications Protections (SC)

Risk Management (RM)

About CMMC Levels

The Cybersecurity Maturity Model Certification Framework is designed to assess and improve Cyber security posture.

CMMC is specifically design to focus on protecting 2 key types of information:

  • FCI – Federal Contact Information
  • CUI – Controlled unclassified information.

CMMC is not brand new- it incorporates standards from several legislative clauses into one overarching cybersecurity umbrella. 2 standards in particular form the backbone:

  • NIST SP 800-171
  • 48 CFR 52.204-2

  • CMMC has a staged model for assessing Maturity, depending on the companies level of compliance a certification level of 1 -5 is awarded.

  • The level required is normally dependent on the type of information being handled.

  •  As CMMC is a complex model it is broken down into a number of elements to support assessment:
    • 5 Certification levels
    • 17 Domains
    • 43 Capabilities
    • 173 Practices

  • CMMC: Levels 1 -3 certifications, measure a basic level of maturity (1) to managed processes (3)
  • Levels 4 & 5 are for more mature companies with optimised process and the ability to resist sophisticated forms of cyber attack also known as Advanced Persistent Attacks (APTs)

  • CMMC level 4 requires pro-active processes to manage and prevent cyber attacks and processes that are consistently and regularly reviewed for effectiveness.

  • Requirements are specifically focussed on protecting CUIs (controlled unclassified information) sets from cyber threats and attacks, specifically Advanced Persistent Threats (APTs)

  • At a minimum organisations will have sophisticated threat detection and monitoring systems alongside dynamic prevention and response capabilities.

  • Alongside this organisations will be able to internally report on cyber controls effectiveness and take corrective actions as appropriate when potential weaknesses are identified.


  • CMMC level 5 is the pinnacle of Cyber maturity, Full standardization of the optimised processes and controls identified in level 4 are expected to be in place across the whole organization.

  • Similar to level 4 requirements are specifically focussed on protecting CUIs (controlled unclassified information) sets from cyber threats and attacks, specifically Advanced Persistent Threats (APTs)

  • The depth and sophistication of the organizations’ cybersecurity capabilities is expected to be at an extremely high level.

  • Ability to optimise and capability to repel APTs is expected.


For a free consultation please contact us today on +44 020 4538 6669 or email