Skip to main content

What we do

Cybersecurity Maturity Model Certification (CMMC)
What is CMMC?

CMMC is the Department of Defense (DoD) 2020 mandated certification program designed to protect national security by aligning how Defense contractors and subcontractors manage Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This new holistic approach in security standardization now requires a CMMC 3rd Party Assessment Organization (C3PAO) to audit your cybersecurity policies, procedures and security controls via the CMMC assessment. DoD recently released CMMC 2.0, replacing the original 5 level maturation assessment with a simplified 3 level process to certification. The new 3 level assessment was designed to enhance clarity on cybersecurity regulations and policies, narrow the audit focus to the most advanced cybersecurity measures of the organization, and increase DoD oversight on 3rd party assessments to better safeguard sensitive federal information. CMMC 2.0 release date is March 2023 and contracts go into effect in July 2023.

CMMC 2.0

There are 3 security levels a contractor can achieve, as illustrated in the graphic below. Each CMMC certification level has its own process, practices, and assessements procedures for DoD contractors. The number of security controls your company needs to implement depends on the maturity level you hope to achieve, which will be specified in your contract.
level 1.png


Level 1 requires organizations to perform basic cybersecurity practices such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI) and meet the basic safeguarding requirements described in 48 CFR 52,204-21. This level of basic protection allows organizations to reach certification through an annual self-assessment. As a result, C3PAOs do not assess process maturity for level 1.


Level 2 requires an organization to have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes. Assessment requirements differ based on critical or non-critical national security data. Organizations with prioritized acquisitions that handle critical security data must pass a higher level C3PAO assessment every 3 years, while non-prioritized non-critical national security data is subject to an annual self-assessment.


Level 3 requires an organization to reduce system vulnerability through standardized process implementation across the organization that detects and responds to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs). Level 3 applies to companies that handle CUI for DoD programs with the highest priority, includes all the security requirements from Level 2 plus additional NIST SP 800-172 and must pass government-led assessments every 3 years.

Let's talk
We would love to hear from you!