Get Support
Free Discovery Session

To ensure that all contractors observe appropriate levels of cybersecurity controls, the Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC). Mandatory for all DoD contractors, the certification comes at a time when threat attempts on DoD systems are at an all-time high, with hundreds of thousands of probes every day.

CMMC requirements are robust, and all companies that do business with the DoD must implement this key certification or risk losing contracts. With rolling deadlines beginning in January 2021, now is the time to start preparing.

This guide covers everything you need to know about CMMC and explains how to start the certification process now, so you’ll be ahead of the game later.


What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data, including Confidential Unclassified Information (CUI) and Federal Contract Information. 

Created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), CMMC is a consolidated cybersecurity standard that’s mandatory for everyone doing business with the DoD. It brings together existing cybersecurity control requirements, such as ISO 27001, ISO 27032, NIST SP 800-171, and NIST SP 800-53, to create more detailed and coordinated cybersecurity standards. 

Unlike previous security standards that only called for self-verification in order to achieve compliance, CMMC requires a third-party assessment from a certified auditor.

CMMC for Early Adopters

CMMC Is Coming. Are You Ready?
Learn Everything You Need to Know

Watch Now ›


Why Is CMMC Important?

In 2015, the Department of Defense (DoD) published the Defense Federal Acquisition Regulation Supplement (DFARS) to push private contractors to maintain cybersecurity standards according to the requirements the National Institute of Standards and Technology (NIST) outlined in NIST SP 800-171.

Created to ensure the protection of Confidential Unclassified Information (CUI), the standards outlined in DFARS and NIST 800-171 gave DoD contractors until December 31, 2017 to meet the requirements necessary to be compliant or risk losing DoD contracts. 

To be classified as compliant, contractors merely had to attest to meeting the requirements or being in the process of satisfying them.

Unfortunately, self-verification was inadequate and didn’t provide a level of security that could consistently safeguard sensitive information. While some contractors complied with the requirement, others failed to meet the standards. 

As a result, U.S. adversaries have been able to develop military equipment based on stolen data. For instance, the Chinese J-20 and J-31 stealth fighter jets suspiciously resemble the American F-35. According to the Pentagon, China may have accessed the F-35 design after an information breach in 2009.

Verified Compliance

Compliance without accreditation doesn’t guarantee absolute security. After reviewing the NIST security controls, the DoD decided they don’t sufficiently cover security loopholes, leaving contractors susceptible to threats from malicious actors. 

DoD Network

CMMC was devised to help:

  1. Eliminate cyber vulnerabilities within the supply chain by verifying DoD contractors have appropriate cybersecurity controls in place via mandatory certification. 
  2. Protect CUI residing in the networks of DoD vendors.


Third-Party Audits

Third-Party Audits

To give the new standards teeth, compliance will not be assessed through self-verification, but instead will be handled by third-party audit.


Required, Not an Option

Furthermore, all new DoD contract RFPs and RFIs will include CMMC compliance as a requirement. Companies that are not CMMC compliant will automatically be disqualified from new contract opportunities.

In addition, certification will not be one and done. It will be ongoing, and CMMC certification will have to be renewed every three years.


The CMMC Framework and Requirements

Released in January 2020, version 1.0 of the CMMC lays out the framework. It includes 17 domains that are based on cybersecurity best practices. Each domain is broken down into practices and processes that are mapped across five maturity levels. Within each domain, the practices are aligned to a set of capabilities. 

CMMC Framework

The 17 CMMC Domains

The CMMC model consists of 17 domains, 14 of which are derived from the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171, and three additional domains.

  1. Access Control (AC)
  2. Identification and Authentication (IA)
  3. Physical Protection (PE)
  4. Asset Management (AM)
  5. Incident Response (IR)
  6. Recovery (RE)
  7. Audit and Accountability (AU)
  8. Maintenance (MA)
  9. Risk Management (RM)
  10. Awareness and Training (AT)
  11. Media Protection (MP)
  12. Security Assessment (CA)
  13. Configuration Management (CM)
  14. Personnel Security (PS)
  15. Situational Awareness (SA)
  16. System and Communications Protection (SC)
  17. System and Information Integrity (SI)

5 CMMC Levels: Processes and Practices

The CMMC acknowledges that not all information shares the same levels of sensitivity, and not all contact participants have the same clearance levels. Because of this, the Cybersecurity Maturity Model Certification measures processes and practices across five maturity levels.

Level 1 Performed Basic Cyber Hygiene
Level 2 Documented Intermediate Cyber Hygiene
Level 3 Managed Good Cyber Hygiene
Level 4 Reviews Proactive
Level 5 Optimizing Advanced / Progressive

The achievement of higher CMMC levels enhances the ability of an organization to protect CUI. For Levels 4-5, it also reduces the risk of advanced persistent threats (APTs), which are often executed via multiple incursions, including cyber, physical, and deception.

Here is a synopsis of the five CMMC levels and their respective requirements:

Level 1

Basic Cyber Hygiene: Includes the basic cybersecurity processes performed by all companies. To get this level of certification, you must implement 17 NIST SP 800-171 Rev2 controls.

Level 2

Intermediate Cyber Hygiene: Entails the universally accepted best cybersecurity practices that are documented. To get this level of certification, you must implement another 46 NIST SP 800-171 Rev2 controls.

Level 3

Good Cyber Hygiene: Covers all managed NIST SP 800-171 Rev2 controls. You must implement the final 47 NIST SP 800-171 Rev2 controls to pass this audit.

Level 4

Proactive: Consists of all advanced and sophisticated cybersecurity processes that are reviewed, resourced, and enterprise-wise improved. To pass this level of audit, you must implement 26 NIST SP 800-171 Rev B controls.

Level 5

Advanced / Progressive: Entails the highly advanced cybersecurity practices that are optimized and still under continuous enterprise improvement. As a DoD contractor, you must implement the final four NIST SP 800-171 Rev B controls to pass this level of audit.

Types of Work:

  • Antivirus
  • FAR requirements
  • Ad-hoc incident response

Types of Work:

  • Awareness and training
  • Risk management
  • Security continuity
  • Back-ups

Types of Work:

  • Compliance with all NIST SP 800-171 requirements + 20 controls
  • Share threat information with key stakeholders
  • Multi-factor authentication (MFA)

Types of Work:

  • Network segmentation
  • Detonation chambers
  • Mobile device inclusion
  • Use of DLP technologies
  • Supply chain risk consideration
  • Threat hunting

Types of Work:

  • 24/7 SOC operation
  • Device authentication
  • Cyber maneuver operations
  • Organizational custom protections implementation
  • Real-time asset tracking

Process Maturity:

Process Maturity:
Standard operating procedures, policies, and plans are established for all practices.

Process Maturity:
Activities are reviewed for adherence to policy and procedures and adequately resourced.

Process Maturity:
Activities are reviewed for effectiveness and management is informed of any issues.

Process Maturity: 
Activities are standardized across all applicable organizational units and identified improvements are shared.

Levels 1 and 2 involve basic cyber hygiene that most companies usually implement. Level 3 corresponds to the DoD cybersecurity requirements outlined in DFARS Clause 252.204-7012, which follows NIST SP 800-171 with an additional 21 controls.

According to the government, the requirements for Levels 4 and 5 match the standards of NIST SP 800-171 Rev B. Most of the controls conform with information security measures in ordinary businesses, while some are unique to the Cybersecurity Maturity Model Certification.

CMMC Framework


Because CMMC is built on many of the same controls as NIST, it’s possible to jump to the conclusion that CMMC certification automatically provides NIST 800-171 compliance. However, it’s important to note that the two are different. 

While achieving CMMC Levels 3 through 5 certification satisfies all of the NIST 800-171 controls related to CUI, it’s important to note that Appendix E of 800-171 refers to 63 Non-Federal Organization (NFO) controls, that are tailored from NIST 800-53, and are basic controls that are expected to already be a part of any private organization’s security program.  Failing to have even these most basic controls in place means your are not in compliance.


Software Alone Isn't the Solution

40% of breaches caused by employee negligenceAlthough IT is the focus of a majority of the practices and processes outlined in CMMC, it addresses more than just technology. That’s because employee negligence causes more than 40% of breaches. In fact, a majority of cyber professionals label people as the weakest link in security.

It’s no surprise then that CMMC goes beyond IT to address areas like physical security, personnel security, and awareness and training in its standards. For that reason, you should be wary of any service provider that tries to sell you a 100% software solution. Comprehensive cybersecurity includes both your tech and your team.


Software Can’t Fix Everything

Many of the top causes of data breaches can be traced back to your team, not technology:

  1. Weak and stolen credentials/passwords
  2. Malware
  3. Social engineering (e.g., phishing)
  4. Too many permissions
  5. Insider threats
  6. Physical attacks
  7. Improper configuration, user error


Obtaining CMMC Certification

CMMC Accreditation BodyAll contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. The exact level at which you need to be certified to be awarded a contract will be specified in the RFP.

Although you do not have to be CMMC certified at the time of the RFP, you will need to be at the time the contract is awarded. That means you will have a window to start and complete certification, but how long that window is will vary from contract to contract. However, to avoid unforeseen delays and the risk of losing a contract, it’s best to not wait until the last minute.

To become CMMC certified, you’ll need to liaise with an accredited, independent third-party assessment organization through the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). You’ll specify your company’s level of cybersecurity maturity and schedule an evaluation.

CMMC assessors will be licensed through the CMMC-AB, but will be employed by a Certified Third-Party Assessment Organization (C3PAO).

Upon satisfying the security requirements for the requested tier, the assessing organization will grant you the appropriate certification. Your certification level will be available to the DoD via a database, but the findings of your cybersecurity audit will remain confidential.


Once you receive certification, DO NOT list your certification level to the public. This will open your organization up to cyber threats, as hackers will be easily able to identify your vulnerability level.


What Are the Benefits of Certification?

Because all new DoD contract RFPs and RFIs will require CMMC compliance, those contractors that are certified will have a competitive advantage. That will be especially true early on, with most contractors likely waiting until they absolutely have to be CMMC compliant before pursuing certification.

What does that mean in real terms? With DoD contracts running five years, putting in the work now to become certified could put you in the lead to land five years of recurring revenue – and positioning yourself to retain it – while the rest of the market plays catch up.

Beyond easily winning and maintaining DoD contracts, CMMC-compliant companies will be better positioned to:


Reduce their risk of data breaches, the cost for which averaged $3.62 million per incidence in 2017


Overcome the threats of nation-state actors, which made up 23% of all data breaches in 2019, up from 12% in 2018


Lower the risk of insider threats


Be deemed compliant with other regulations, such as NIST, ISO, HIPAA, FISMA, and SOX

CMMC: What You Need to Know

  • Starting in 2021, the federal government will require companies and individuals that conduct business with the DoD to get CMMC certified.
  • As the Cybersecurity Maturity Model Certification (CMMC) phases in across the board, all companies and individuals with DoD contracts must meet its requirements.
  • Unlike NIST, which measures compliance with a specific set of controls, CMMC will measure your cybersecurity processes and practices across five maturity levels.
  • The type of work you do and the information you handle will determine the level of certification required.
  • Every DoD contract will specify what level of certification is required. If you’re not certified at that level, you cannot be awarded the contract.
  • You will no longer be able to self-verify compliance; certified third-party assessment organizations (C3PAOs) will conduct evaluations.
  • The assessment of maturity levels will be done on a procurement basis.
  • A third-party auditor will conduct lower-level assessments, while government auditors will conduct higher-level assessments.
  • Software-only solutions will not be enough. CMMC will evaluate practices and processes related to physical security and personnel behavior.


Possible Impacts of CMMC

The Cybersecurity Maturity Model Certification represents a seismic shift for DoD contractors, and will have a significant impact on the industry and its practices. Here are three notable changes that are likely to happen:

1.  Cybersecurity Will Be Undebatable in DoD Procurement

CMMC has put cybersecurity at the forefront of contract evaluation, scrutiny, and oversight. Being certified at the appropriate level will be a critical factor for the DoD when obtaining goods and services from the industry supply chain.

The model will govern contractors and subcontractors that previously didn’t need to observe DoD cybersecurity standards, like companies not handling covered defense information (CDI). Going forward, all DoD suppliers will be subject to CMMC level 1-5 certification to do business with the DoD.

While the CMMC policy is strict, it will benefit contractors in three ways:

  • It will eliminate cases of multiple agencies carrying out security assessments on an entity at the same time.
  • Independent evaluations will unify security assessment standards, ensuring that every company’s cybersecurity is being reviewed in the same comprehensive way.
  • Neutral third-party audits won’t allow contractors to make deceptive or incorrect representations of their security hygiene. As a result, there will be fewer cases of legal rebuttal sparked by false claims.

2.  Some Companies Will Get Disqualified

Contractors will fall under five maturity categories, each with specific security obligations. Based on information sensitivity and the perceived cyber threat, the DoD will decide which maturity levels qualify for particular contracts.

Those companies that do not have the appropriate level of certification will be automatically disqualified from consideration.

This will help streamline the awarding of contracts and provide early adopters of CMMC with a decided advantage.

3.  Industry Advisors Will Emerge

The DoD will rely heavily on certified third-party auditing agencies to audit and assess contractors’ CMMC qualification. CMMC-AB, a nonprofit accreditation organization, will oversee C3PAOs responsible for offering CMMC credentials to businesses.

Over 300,000 companies operate in the DoD supply chain, which means they'll need a ramp-up period before the first phase of CMMC implementation in January 2021.

As a result, a new breed of information security consultants and advisors is emerging. The very best of these will leverage their compliance expertise to guide DoD contractors to successful certification by providing expert gap analysis, audit preparation, and ongoing support to ensure their IT systems remain secure and compliant.


Not Every MSSP Can Offer the Guidance You Need

Here Are 7 Things to Consider When Choosing a CMMC Consultant

Get My Tip Sheet ›


CMMC Audit Preparation

Each of the five CMMC levels requires the implementation of different NIST SP 800-171 Rev2 and NIST SP 800-171 Rev B controls. It’s the responsibility of each contractor to implement the necessary controls for the desired level of certification.

If you have implemented all of the NIST SP 800-171 Rev2 controls, then you’ll automatically pass the audit up to Level 2. If you’ve only adopted some, or none, of the controls, you can prepare for the Cybersecurity Maturity Model Certification by doing the following:

Do It Yourself

For those companies that have the internal resources, the Self-Assessment Handbook-NIST Handbook 162 from NIST is a good start. Because NIST 800-171 serves as a foundation for CMMC, meeting its standards will get you most of the way to a Level 3 CMMC certification.

However, because the book only covers NIST SP 800-171 Rev2, it’s only suitable for certification up to Level 2. Achieving Level 3 requires implementation of another 21 controls.

Outsourcing to a CMMC Consultant

If you don’t have the expertise or the resources to achieve the NIST SP 800-171 Rev2 or REV B requirements, you should outsource to an expert CMMC consultant. 

While there are many Managed Security Service Providers (MSSPs), at this point, not many have expertise in CMMC consulting, and fewer still will have experience going through the process.

Outsourcing saves you time and money, and it ensures that your company stays CMMC compliant. The key is finding an MSSP that can guide you through the certification process and help you maintain compliance going forward. Remember: When hiring a consultant, it’s still your responsibility to ensure you meet the necessary security standards.

When you engage with a consultant, they should guide you through several basic steps on the path to compliance.

Gap Analysis
The first step toward compliance is a gap analysis, which involves determining how far or close you are to meeting the minimum CMMC requirements. During a gap analysis, the MSSP will discover any ineffective system setup that doesn’t meet the criteria. This is achievable by taking a closer look at your network and procedures.

Some issues revealed during a gap analysis include:

  • Measures controlling information access
  • The training of information system administrators and managers
  • Data record storage
  • Implementation of security controls measures
  • Incident response plans in place

Understanding these shortfalls helps you identify what changes your company needs to undertake to meet the appropriate CMMC-level requirements.

Remediation Plan
Using the findings of the gap analysis, your MSSP will provide a remediation plan. Depending on the results, the method may be inexpensive and straightforward network fixes. Or it could require extensive network development to help you meet standard NIST cybersecurity requirements.

Ongoing Monitoring and Reporting
Once your network systems are CMMC-level compliant, your MSSP should have tools to continuously monitor your system for any security breaches or incidents.

As proof that you have implemented the necessary NIST SP 800-171 Rev 1 or REV B controls, the MSSP should provide you with documentation. You need to present this documentation to the CMMC auditors for them to certify you as a DoD contractor.


Final Thoughts

CMMC demands superior cybersecurity measures for contractors that wish to continue working with the Department of Defense. The journey will undoubtedly be bumpy for some suppliers, but the DoD is keen to cut ties with non-compliant parties in favor of those trusted to safeguard CUI.

The CMMC framework is still in development and likely will continue to be refined until and beyond its initial launch in January 2021. Contractors that wait on CMMC until the last minute will have to take immediate action or risk losing valuable revenue.

Meanwhile, contractors that stay ahead of the curve and get certified at the earliest possible date will have a leg up on the competition when the first CMMC-mandated contracts go to RFP.


Checklist: 8 CMMC Practices to Implement Now

Being CMMC certified will not only safeguard sensitive data, it will protect your ability to win DoD contracts. Jump-start your CMMC efforts with these eight practices:


  1. Conduct cybersecurity awareness and training
  2. Optimize your incidence response
  3. Analyze and communicate threat information
  4. Seek to become NIST SP 800-171 compliant
  5. Evaluate your supply chain risk
  6. Use two-factor authentication
  7. Use data-loss prevention technologies
  8. Carry out regular self-audits

Stay a Step Ahead of Threats... 
and the Competition
Find Out How to Get CMMC Certified as Quickly as Possible

Work With Us ›

Stay a Step Ahead of Threats and the Competition