Cybersecurity Maturity Model Certification
This information pertains to UW research activities that intend to or currently participate in research sponsored by agencies, offices and commands under the U.S. Department of Defense.
What you need to know
The Cybersecurity Maturity Model Certification (CMMC) is a program established by the United States Department of Defense (DoD) to standardize the security practices and processes intended to protect Federal Contract Information (FCI, defined in 48 CFR § 52.204-21) and/or Controlled Unclassified Information (CUI, established by Executive Order 13556) associated with DoD-funded research.
The CMMC model framework organizes processes and cybersecurity best practices into a set of 14 security requirement families across three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). CMMC requires annual self-assessments for Level 1 and some Level 2 programs, and triennial (every three years) independent third-party assessments of an organization’s compliance level by DoD-approved assessors for the remaining Level 2 and all Level 3 programs.
Once finalized, the DoD will incorporate CMMC 2.0 requirements into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts. Once fully implemented, all DoD contract awards will require CMMC certification to Level 1 at a minimum. CMMC requirements will not be applied retroactively to existing contracts.
The CMMC combines cybersecurity standards and best practices from multiple sources and references:
- CMMC Level 1, the minimum maturity level for protecting FCI, addresses the practices from Federal Acquisition Regulation (FAR) 52.204-21.
- CMMC Level 2, the minimum maturity level for protecting CUI, includes all of the practices from National Institute of Standards and Technology Special Publication (NIST SP) 800-171r1.
- CMMC Level 3 incorporates a subset of the practices from Draft NIST SP 800-172 that are intended to provide enhanced security to critical technologies and acquisition programs.
Defense Federal Acquisition Regulation Supplement (DFARS) clauses that implement CMMC:
- DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
- DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
- DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
- DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)
What you need to do
If you plan to respond to a DoD RFP or RFI that includes the DFARS clauses above, please note the following:
- Your sponsor may require you to have adequate cybersecurity measures in place according to the Cybersecurity Maturity Level established by the DoD. The required Level will be noted in the RFP or RFI.
- You may need to complete a self-assessment of your security implementation and file the results in the DoD Supplier Performance Risk System (SPRS) by the time of the contract award. (See ‘Resources’ section below for more information on SPRS.)
- For all Level 1 and some Level 2, implementation of these measures must be self-assessed and recertified annually.
- For some Level 2 and all Level 3, implementation of these measures will eventually need to be certified every three years by an accredited third party that is external to the University.
- You may include the costs to implement these measures as a direct cost in your proposal budget, with proper substantiation of cost.
CMMC Level 1 System Security Plan Template
The Office of the CISO has created a CMMC Level 1 System Security Plan Template (docx) to assist in documenting the security controls necessary to meet the CMMC Level 1 requirements.
Supplier Performance Risk System (SPRS) ‘Quick Entry Guide’
How to file an incident report
In addition to the incident reporting requirements described in Administrative Policy Statement 2.5, please ensure that all contract-specific, incident-related requirements are met.
Official CMMC website
UW Office of Research