Cybersecurity Maturity Model Certification (CMMC) is the new unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).

This new CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. Roughly 300,000 Department of Defense contractors make up the DIB. These contractors must all be CMMC-certified by September 30, 2025.

  • CMMC is a new mandate for implementing cybersecurity standards across the DIB.

  • The certificate allows organizations to do business with DoD and to bid on DoD contracts.

  • By 2025 all DoD suppliers need CMMC Certification to continue to bid for contracts.

  • The standard is overseen by the CMMC Accreditation Body (CMMC-AB).

On November 4, 2021, the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower costs for manufacturers and IT providers.

As a nation we must protect the supply chain of 300,000 companies globally.

Department of Defense CMMC Model

The DoD created the CMMC model as a cybersecurity standard for the DIB. CMMC assessments initially occurred across five levels of maturity, with level 1 requiring the most basic cybersecurity and level 5 requiring the most advanced.

With CMMC 2.0, the DoD is making changes to the CMMC standards and collapsing the model into three levels, down from the previous five. CMMC 2.0 now becomes the DoD’s methodology for holding its supply chain accountable to the implementation of the FAR 52.204-21 and DFARS 252.204-7012 clauses, which means that it will replace CMMC 1.0. The overarching goal of the model remains the same, however: protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To simplify the assessment process, the CMMC model has been reduced from five tiers to three:

[Figure: CMMC Model 1.0]

Contractors can begin by identifying which level their organization falls under:

  • Level 1 (Foundational) – Nothing has really changed with this level in the newer model. If you handle FCI but not CUI, you fall into Level 1. These organizations are expected to implement the Federal Acquisition Regulation’s 17 most basic cybersecurity controls. ALL Federal contractors are required to implement these 17 basic safeguards, which focus, for instance, on physical protection and access control. Although this is the lowest level, implementing these controls is not an overnight process, so contractors should remain diligent when doing so.
  • Level 2 (Advanced) – Formerly Level 2/3. If your business is in the manufacturing sector and/or provides parts and services for weapons, it is very likely that your small business will fall under this category.
  • Level 3 (Expert) – Formerly Level 4/5. Large prime contractors and those of us who work on super-critical national security programs that are significant targets of nation-state adversaries and any Advanced Persistent Threat (APT) will have to focus on Level 3. These organizations handle CUI, but they also likely handle secret and, potentially, top-secret information.

Compliance with the CMMC

Who must comply with CMMC?

The following must all be CMMC-certified by September 30, 2025:

  • All DoD contractors

  • All DoD subcontractors

  • All suppliers at all tiers along the supply chain

  • DoD small business suppliers

  • Commercial item suppliers who process, handle or store controlled unclassified information

  • Foreign suppliers

  • All DoD contractor team members that handle Controlled Unclassified Information (CUI) such as IT Managed Service Providers


Personal Certifications for CMMC

Certified CMMC Professional (CCP)

  • Authorized to participate as an assessment team member under the supervision of a Certified CMMC Assessor
  • Eligible to become a Certified CMMC Assessor
  • Valuable credential as an employee with the training to understand the requirements of CMMC for a DoD supplier
  • Authorized to use the Certified CMMC Professional logo
  • Listed in the CMMC-AB Marketplace

CCA-1

  • Credentialed to conduct CMMC ML-1 assessments
  • Authorized to supervise Certified CMMC Professionals in the conduct of ML-1 assessments
  • After completing 3 assessments:
    • Authorized to use the CCA-1 logo
    • Listed in the CMMC-AB Marketplace

CCA-3

  • Credentialed to conduct CMMC-AB ML-1, ML-2, and ML-3 assessments
  • Authorized to supervise Certified CMMC Professionals and CCA-1 in the conduct of ML-1, ML-2, and ML-3 assessments
  • After completing 3 assessments:
    • Authorized to use the CCA-3 logo
    • Listed in the CMMC-AB Marketplace
  • After completing 15 assessments:
    • Authorized to apply for the CCA-5 training and credential

CCA-5

  • Credentialed to conduct CMMC assessments at all maturity levels
  • Authorized to supervise Certified CMMC Professionals in the conduct of any maturity level assessments
  • Authorized to use the CCA-5 logo
  • Listed in the CMMC-AB Marketplace

Enroll for the Certified CMMC Professional (CCP) Certification. Be compliant with the new regulations by learning from the experts.