Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot. Learn more

Cybersecurity Maturation Model Certification 2.0: How Varonis Ensures Certification for Defense Contractors

Varonis can help you achieve compliance and implement the Cybersecurity Maturity Model Certification 2.0 (CMMC) program to safeguard cybersecurity across the government’s DIB.
Shane Walsh
6 min read
Last updated October 5, 2023
cybersecurity maturation model certification

The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC) program to safeguard cybersecurity across the government’s Defense Industrial Base (DIB), the sector responsible for military weapons systems, subsystems, and components or parts.

Announced in November 2021, CMMC 2.0 requirements are expected to be included in all new contracts by October 2025.

This blog post will delve into the concept of the maturity model in the context of cybersecurity, key figures of the DIB, the anatomy of CMMC levels, and how Varonis can help your org achieve compliance.

What is a maturity model?

Maturity models are a collection of best practices, which progress along a scale from lower levels of adoption or “maturity” to higher levels of aptitude and certification.

Certifying to a maturity model means that a company or organization has committed itself to improving its processes and practices to a sustained high level of performance.

What is CMMC?

Cybersecurity Maturity Model Certification is a program initiated by the U.S. Department of Defense (DOD) to measure and standardize their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. CMMC 2.0 is a streamlined update to the original 2020 CMMC program.

At a high level, this framework is a collection of processes and inputs from existing cybersecurity standards — such as NIST, FAR, and DFARS,1 — designed to protect DIB security.

At a tactical level, the goal of the program is to improve the security of federal contract information (FCI) and controlled unclassified information (CUI).

To whom does CMMC apply?

The certification is applicable to both “prime” contractors who engage directly with DOD, and to subcontractors who contract with those primes to provide the fulfillment and execution of contracts. Although some level of certification will be a requirement of every contract beginning in 2025, the DOD has indicated that they intend to issue contract opportunities at all levels of the maturity model, meaning there will be some number of requests issued that will require only a low level of certification and some that will require higher levels of certification.

Why does CMMC matter?

It’s estimated that cybercrime drains $10.5 trillion annually from the global GDP. Relying on the vast network of contractors to execute the DOD’s mission means that the Department of Defense is entrusting each contractor with critical data that increases the overall risk profile of the DIB. Accordingly, the DOD understands the burden and outsize proportion of risk that cybercrime puts on their base of subcontractors, many of which are small businesses and lack the resources of their larger, prime counterparts.

It's against this backdrop that the DOD has released the CMMC, to oversee the adoption of best practices in cybersecurity with a “defense in depth” strategy across its entire global contractor base.

Key CMMC 2.0 takeaways

The required certification:

  • Applies to DOD prime contractors and subcontractors
  • Applies to limited new contracts beginning this year and applies to all contracts beginning in 2025
  • Covers advancing levels of cybersecurity processes and practices, resulting in a certification “level”
  • Ensures contractors start with Level 1 and certify at each level all the way to the top (Level 3)
  • Demonstrates the need for a powerful tool (such as Varonis) for facilitating all levels of CMMC compliance

CMMC framework

The goal of the CMMC is to ensure the protection of two types of information from disclosure or unauthorized use:

  1. CUI, which requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended
  2. FCI (not intended for public release) provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public

CMMC 2.0 certification levels (summary)

CMMC 2.0 reduced the number of certification levels from five (in CMMC 1.0) to three. The three CMMC 2.0 levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.


Level 1 requires organizations to perform basic cybersecurity practices; you can certify at this level through an annual self-assessment.

Level 2 requires organizations to document their processes to guide their efforts to achieve CMMC Level 2 maturity. The documentation must also allow users to repeat these processes.

Assessment requirements for Level 2 compliance depend upon whether the CUI data handled is critical or non-critical to national security. Organizations with prioritized acquisitions that handle data critical to national security must pass a third-party assessment (3PAOs) every three years.

Organizations with non-prioritized acquisitions with data not deemed critical to national security must conduct an annual self-assessment.

The Level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats by requiring an organization to establish, maintain, and provide resources for a plan to manage the activities needed to implement its cybersecurity practices.

CMMC 2.0 Level 3 applies to companies that handle CUI for DOD programs with the highest priority. As of publication, the DOD has not released the specific security requirements.

CMMC 2.0 framework components

As a part of the efforts to simplify CMMC and align with NIST-800-171 and 800-172, CMMC 2.0 has only three parts: levels (as explained above), domains, and practices.


As contractors advance in their assessments in each of these components, an overall certification to a level is achieved.  

Level one is achieved by completing 17 practices across the CMMC domains.  

Level two is accomplished by completing 110 practices from the 17 domains and having this verified by a third-party assessment organization.  

Level three has yet to be formalized but will likely include all practices from each domain and verification by a third-party Assessment Organization.


There are 17 domains in the CMMC model. Each covers an individual area of essential cybersecurity functions taken from existing standards, including Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171. Each domain appears in one or more of the model’s levels. 


There are 113 practices that span the 17 domains. Think of practices as the individual tasks or efforts required by each category. 

How to become certified

The DOD has created the CMMC Accreditation Body — a nonprofit, independent organization to accredit third-party assessment organizations (3PAOs) and individual assessors. Details are forthcoming about the mechanics of certification, but the DOD plans to establish a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification.

How Varonis ensures CMMC certification

Getting started with CMMC might seem like a daunting task, and the reality is that certification is simply too large of a program to be handled by one person or even one team within an organization. Nevertheless, certification will be a nonnegotiable requirement of DOD contractors going forward, and Varonis can help federal contractors comply.

The best place to start when beginning to operationalize CMMC is with domains. Remember, these are centers of excellence with tasks and management that must be performed and continuously optimized for organizations to achieve and advance their levels of certification. Recall also that the primary goal of CMMC is the protection of CUI and FCI.

The Varonis Data Security Platform can facilitate, execute, and automate many of the 113 practices required and their related processes within the CMMC model.

Domain CMMC 2.0 Practice Varonis product(s)
AC — Access Control 
  • Authorized Access Control
  • Transaction and Function Control
  • External Connections
  • Control CUI Flow
  • Separation of Duties
  • Least Privilege
  • Non-Privileged Account Use
  • Privileged Functions
  • Unsuccessful Logins
  • Session Termination
  • Control Remote Access
  • Wireless Access Authorization
  • Encrypt CUI on Mobile
Varonis Data Security Platform
AT — Awareness and Training 
  • Role-Based Risk Awareness 
  • Role-Based Training 
  • Conduct Training 
  • Insider Threat Awareness 
Professional Services
AU — Audit and Accountability 
  • System Auditing 
  • User Accountability 
  • Event Review 
  • Audit Failure Alerting 
  • Audit Correlation 
  • Reduction and Reporting 
  • Authoritative Time Source 
  • Audit Protection 
  • Audit Management 
Varonis Data Security Platform
CM — Configuration Management 
  • Security Configuration Enforcement 
  • System Change Management 
  • Security Impact Analysis 
  • Access Restrictions for Changes 
  • User Installed Software 
Varonis Data Security Platform
IA — Identification and Authentication 
  • Identification 
  • Authentication 
  • Replay Resistant Authentication 
  • Identifier Handling 
  • Password Complexity 
  • Cryptographically Protected Passwords 
Varonis Data Security Platform
IR — Incident Response 
  • Incident Handling  
  • Incident Reporting 
  • Incident Response Testing 
MA — Maintenance 
  • Equipment Sanitization 
Varonis Data Security Platform
MP — Media Protection 
  • Media Disposal 
  • Media Access 
  • Media Markings 
  • Media Accountability  
  • Portable Storage Encryption 
  • Protect Backups 
Varonis Data Security Platform
PS — Personnel Security 
  • Protect CUI During Personnel Actions 
Varonis Data Security Platform
PE — Physical Protection 
  • CUI for Alternate Work Sites 
Varonis Data Security Platform
RA — Risk Assessment 
  • Risk Assessments for PII 
  • Risk Assessments for CUI 
  • Vulnerability Remediation 

CA Security Assessment 
  • Security Control Assessment 
  • Plan of Action  
  • Security Control Mapping 
  • System Security Plan 
SC — System and Communications Protection 
  • Boundary Protection 
  • Role Separation 
  • Shared Resource Control 
  • Split Tunneling 
  • Data in Transit 
  • Connections Termination  
  • CUI Encryption 
  • Communications Authenticity 
  • Data at Rest 
Varonis Data Security Platform
SI — System and Information Integrity 
  • Flaw Remediation 
  • Malicious Code Protection 
  • Update Malicious Code Protection 
  • System and File Scanning 
  • Security Alerts and Advisories 
  • Monitor Communications for Attacks 
  • Identify Unauthorized Use 
Varonis Data Security Platform


The CMMC will impact each and every one of the 300,000-plus companies in the United States defense industrial base. Companies that are already familiar with and adhering to NIST, FAR, and DFARS will likely have a first-mover advantage in advancing through CMMC, but Varonis can accelerate any company’s CMMC with a powerful platform for compliance and security.

Contact the Varonis Federal team for a free Data Risk Assessment, and level up your CMMC.

Additional resources: 

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Cybersecurity Maturity Model Certification (CMMC) Guide
Cybersecurity Maturity Model Certification (CMMC) is a standard for DoD contractors’ cybersecurity — we’ll cover what it is and how to achieve compliance
CISM vs. CISSP Certification: Which One is Best for You?
CISM and CISSP are two of the most highly regarded certifications for cybersecurity leaders and practitioners, but their requirements aren’t trivial. Both require a significant investment of time and money – so It’s important to determine which is right for you. Take a look at our comparison of the two to learn more.
What is CDM and How Does Varonis Help?
The Continuous Diagnostics and Mitigation (CDM) program is a United States government cybersecurity initiative led by the Department of Homeland Security (DHS). The Cybersecurity and Infrastructure Security Agency (CISA) leads...
What Certifications Should I Get for IT?
Elevate your IT knowledge and credentials by using our IT certification flowcharts to find the right certification for your experience level and interests.