Office of the Chief Information Security Officer


Cybersecurity Maturity Model Certification

This information pertains to UW research activities that intend to participate, or currently participate, in research sponsored by agencies, offices and commands under the U.S. Department of Defense.

What you need to know

The Cybersecurity Maturity Model Certification (CMMC) is a program established by the United States Department of Defense (DoD) to standardize the security practices and processes intended to protect Federal Contract Information (FCI, as defined in 48 CFR § 52.204-21) and/or Controlled Unclassified Information (CUI, as defined in Executive Order 13556) associated with DoD-funded research.

The CMMC model framework organizes processes and cybersecurity best practices into a set of 17 Capability domains and 5 levels of maturity in practices and processes. CMMC involves an independent third-party assessment (from DoD approved assessors) of an organization’s compliance at a specified maturity level.

Beginning November 30, 2020, DoD will incorporate requirements for CMMC into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts. By October 1, 2025, all DoD contract awards will require CMMC certification to Level 1 at a minimum. CMMC requirements will not be applied retroactively to existing contracts.

The CMMC combines cybersecurity standards and best practices from multiple sources and references:

  • CMMC Level 1, the minimum maturity level for protecting FCI, addresses practices from Federal Acquisition Regulations (FAR) 52.204-21.
  • CMMC Level 3, the minimum maturity level for protecting CUI, includes all of the practices from National Institute of Standards and Technology Special Publication (NIST SP) 800-171r1 as well as others.
  • CMMC Levels 4 and 5 incorporate a subset of the practices from Draft NIST SP 800-172 plus others, and are intended to provide enhanced security to critical technologies and acquisition programs.

Defense Federal Acquisition Regulation Supplement (DFARS) clauses that implement CMMC:

  • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)

What you need to do

If you plan to respond to a DoD RFP or RFI that includes the DFARS clauses above, please note the following:

  • You must have adequate cybersecurity measures in place according to the Cybersecurity Maturity Level established by the DoD. The required Level will be noted in the RFP or RFI.
  • You must complete a self-assessment of your security implementation and file the results in the DoD Supplier Performance Risk System (SPRS) by the time of the contract award. (See ‘Resources’ section below for more information on SPRS.)
  • Implementation of these measures will eventually need to be certified by an accredited third party that is external to the University.
  • You may include the costs to implement these measures as a direct cost in your proposal budget, with proper substantiation of cost.

UW CMMC Working Group

The Office of the CISO and the Office of Research have established the UW CMMC Working Group to develop and share best practices, and to document guidelines and templates that assist research activities in meeting CMMC requirements. Email the Office of the CISO to join the group.

CMMC Level 1 System Security Plan Template

The Office of the CISO has created a CMMC Level 1 System Security Plan Template (docx) to assist in documenting the security controls necessary to meet the CMMC Level 1 requirements.

Supplier Performance Risk System (SPRS) ‘Quick Entry Guide’

How to file an incident report

In addition to the incident reporting requirements described in Administrative Policy Statement 2.5, please ensure that all contract-specific, incident-related requirements are met.

Official CMMC website