The Cybersecurity Maturity Model Certification: Protecting the Warfighter by Securing the DIB Supply Chain
Created June 2025
Threats to national security can surface at any level in the Department of Defense (DoD) supply chain. The defense industrial base (DIB) is a frequent target of industrial espionage, nation-state actors, and advanced persistent threats (APT). DIB organizations provide essential research, engineering, development, acquisition, delivery, sustainment, and operation of military systems. To strengthen the cybersecurity posture within the DIB supply chain, the DoD turned to Carnegie Mellon University’s Software Engineering Institute (SEI) to co-develop the Cybersecurity Maturity Model Certification (CMMC) program with the Johns Hopkins University Applied Physics Lab.
Security Is Foundational to the DoD Warfighter
A cyber attack within the DIB supply chain threatens the security of both the supply chain and the warfighter. CMMC is a certification program that improves the security and cyber hygiene of the DIB supply chain. It ensures compliance with, and accountability for, DoD cybersecurity requirements. Based on a clear set of measures aligned with robust National Institute of Standards and Technology (NIST) guidelines and best practices, CMMC specifications help safeguard intellectual property (IP) and controlled unclassified information (CUI) throughout the DIB.
CMMC safeguards sensitive information through the enforcement of cyber requirements derived from NIST SP 800-171 and -172.

Our Expertise in Process Maturity, Resilience, and Cybersecurity
The unique position of the SEI led the DoD to select us as co‑developer of the CMMC program. As a longtime federally funded research and development center (FFRDC), the SEI is ideally positioned at the confluence of government, industry, and academia. This gives us a unique perspective into the commercial defense ecosystem, government acquisition and compliance requirements, and technology research. Add to this our long history of capability maturity modeling—beginning with the Capability Maturity Model (CMM) and continuing through the CERT Resilience Management Model (CERT-RMM)—and the SEI has singular insights and experience related to supply chain risk assessment methodologies.
The SEI is a national resource for modern software development methods, as well as for research on cybersecurity, vulnerabilities, secure coding, cyber risk and resilience, insider threat, cybersecurity monitoring and response, cyber workforce development, and artificial intelligence (AI) incident response.
Since the inception of CMMC in 2019, the SEI has engaged directly with stakeholders to develop a model that balances the needs of the DoD with expected capabilities of DIB contractors. The SEI has worked closely with the DoD to
- establish the CMMC structure based on proven cybersecurity practices.
- develop the certification and assessment standards.
- create training for an estimated 160,000 contracting officers, program managers, and others in the defense acquisition workforce.
The program’s full implementation—when the DoD includes the CMMC Program requirements in all applicable solicitations and contracts—will transform the DIB by better protecting sensitive DoD information from adversaries. It will create a baseline for DIB contractors to implement cybersecurity requirements according to a clear set of measures applicable throughout the federal space.

Work with the SEI CMMC Team
The SEI CERT team continues our work on the CMMC Program. Contact the SEI CERT Division to learn how we can partner with you to help protect your organization and improve its cybersecurity.