



CMMC

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC), developed by the U.S. Department of Defense (DoD), is a new requirement for DoD contractors and subcontractors that requires third-party certification. A single standard used across all DoD contracts, CMMC is intended to ensure that appropriate cybersecurity practices and processes are in place to safeguard federal contract information (FCI) and controlled unclassified information (CUI) handled by defense contractors during the performance of DoD contracts. This certification framework builds upon existing requirements (such as NIST SP 800-171, NIST SP 800-53 and AIA NAS9933) and makes cybersecurity an “allowable cost” in DoD contracts. DoD Requests for Proposals (RFPs) will include the required CMMC level (1-5) appropriate for the risk profile of the work entailed, and contractors and subcontractors will need proof of certification at the specified level in order to bid. CMMC requirements have begun to appear in select RFPs and will continue to roll out until full CMMC implementation in October 2025.

What are the CMMC levels and requirements?

The CMMC framework identifies five levels of certification, each requiring the demonstration of specific practices and processes. Each level builds on the controls included in the prior level, progressing from a primary goal of safeguarding FCI (Level 1) to protecting CUI (Level 3) and then to reducing the risk from advanced persistent threats (Levels 4 and 5):

[Figure: CMMC Levels]

How should DoD contractors prepare for CMMC?

The time involved for your company to prepare for CMMC will depend on the size and complexity of your cybersecurity program, whether your environment already has an active and updated security program, and the CMMC level you are trying to attain. The first step is to gather the appropriate documentation (e.g., cybersecurity policies, standards and procedures; the System Security Plan (SSP); Plans of Action and Milestones (POA&Ms)) to prove you are incorporating the required practices and processes for the CMMC level you are seeking certification in. Without these artifacts, from the perspective of an auditor, you cannot prove your cybersecurity program is in place.

Our team can assist you through the 5 steps necessary to prepare you for your CMMC Audit:

Our compliance experts provide a roadmap to help your company affordably become CMMC compliant, preparing you and ensuring your cybersecurity practices are in place and documented in accordance with the framework.