For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Cybersecurity Maturity Model Certification (CMMC)

The U.S. Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC), a program designed to verify organizations within the Defense Industrial Base (DIB) have sufficient safeguards in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC certification will become a mandatory requirement for all entities, including academic institutions, seeking to do business and/or enter into a contract with the DoD. Any existing contracts with the DoD established prior to the implementation of CMMC will not be affected.

CMMC 2.0 is the current version of this program, consisting of three maturity levels each with a specific assessment type, as depicted below. DoD contracts will specify the level of certification required for contractors to possess to bid on and be awarded contract(s).

Recently, CMMC 2.0 was published in the Federal Register and is continuing through the final phases of the rulemaking process. Until the rule is finalized, the information on this page is subject to change.

CMMC Model 2.0 Levels


    What level of CMMC Certification is needed?

    An organization’s certification level is determined by the type and amount of FCI and/or CUI it possesses and/or creates. Level 1 certification will be required for all companies and institutions in contract with the DoD. Level 2 certification will be required for any contract handling CUI. At present, Drexel University plans to obtain a Level 2 certification.

    What is a "C3PAO"?

    A “C3PAO” or CMMC Third-Party Assessment Organization is an entity certified to provide consultative advice OR certifies assessments.

    To review a full list of CMMC terms, please visit the CyberAB’s Glossary.

    How does it affect Drexel?

    Meeting all CMMC requirements is important in order to remain eligible for DoD research contracts. Not being compliant may impact Drexel’s research status.

    Individuals or groups seeking to do business with the DoD should:

    • Review the Request for Information (RFI) and Request for Proposal (RFP) for the appropriate CMMC level.
    • Ensure the appropriate cybersecurity measures in place for the required CMMC level.
    • Possess the appropriate level of CMMC certification before accepting an award.
    • Ensure compliance with NIST 800-171, the NDAA 889 regulation, etc.

Additional Resources


Other resources:

Contact ‚Äčif you have any questions.