A critical part of the new CMMC model released by the U.S. Department of Defense is process “maturity”. For contractors with a CMMC requirement of level 2 or higher, simply performing the mandated CMMC security practices will not be sufficient.

Maturity refers to the “institutionalization” of a CMMC practice. There are several factors that impact maturity. Policy documentation, plans to implement CMMC practices, the review of practices to gauge effectiveness, practice stardaditzation, and optimization all improve a process’s maturity.

Each CMMC practice can be mature at five levels. Level one maturity is to simply “perform” a practice. Level two maturity is perform the practice and document a policy or standard operating procedure for it. Level three maturity is to perform the practice, document it, and create a plan that details how the practice will be implemented throughout your information system. Level four maturity is to perform the practice, document it, plan it, and review it for effectiveness. Level five maturity is to perform the practice, document it, plan it, review it for effectiveness, standardize it across your organization, and to optimize it.