CMMC Maturity Explained

By: Omer Kaan Aslim
June 08, 2020
In this post we explain what CMMC maturity is and how it relates to the five CMMC levels.

A critical part of the new CMMC model released by the U.S. Department of Defense is process “maturity”. For contractors with a CMMC requirement of level 2 or higher, simply performing the mandated CMMC security practices will not be sufficient.

What is maturity?

Maturity refers to the “institutionalization” of a CMMC practice. Several factors impact maturity: policy documentation, plans to implement CMMC practices, the review of practices to gauge effectiveness, practice standardization, and optimization all improve a process’s maturity.

How does maturity relate to CMMC levels?

Each CMMC practice can be mature at five levels. Level one maturity is to simply “perform” a practice. Level two maturity is to perform the practice and document a policy or standard operating procedure for it. Level three maturity is to perform the practice, document it, and create a plan that details how the practice will be implemented throughout your information system. Level four maturity is to perform the practice, document it, plan it, and review it for effectiveness. Level five maturity is to perform the practice, document it, plan it, review it for effectiveness, standardize it across your organization, and optimize it.