Government Contractors: All About CMMC

Updated 09/04/2021


According to a report by the Center for Strategic and International Studies (CSIS) and McAfee, cybercrime costs the global economy nearly $600 billion per year, and the U.S. defense supply chain is a prime target.

To address this problem, the United States Department of Defense (DoD) is introducing the Cybersecurity Maturity Model Certification (CMMC) for organizations bidding, or planning to bid, on contracts in the Defense Industrial Base (DIB).

CMMC version 1.0 was released on January 31, 2020, and all companies holding or bidding on DoD contracts are expected to meet CMMC requirements by fiscal year 2026.

Why CMMC

CMMC establishes a single standard by which the maturity of a defense contractor's cybersecurity program is measured.

An organization's assessed maturity level tells the DoD whether that organization has controls appropriate to the sensitivity of the information it will handle under a contract.

Although organizations have until fiscal year 2026 to meet the CMMC requirements, bringing an environment up to the required maturity level can easily take that long, which is why it is important to start planning now.

Register Today!  Online Event: A Strategic and Cost Effective Approach to CMMC Compliance

Thursday, April 29th at 11 AM PST

17 Security Domains

CMMC consists of 171 practices across 17 information security domains that focus on Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within unclassified networks.

  1. Access Control: who has access to your systems internally and remotely
  2. Asset Management: identify, locate, and log inventory of assets
  3. Audit and Accountability: requires a process for tracking those who have access to CUI and performing audits of the logs to ensure accountability
  4. Awareness and Training: training programs for all personnel and security awareness activities
  5. Configuration Management: establishing and maintaining secure configuration baselines for systems and controlling changes to them, so that deviations from the approved state can be detected
  6. Identification and Authentication: verifying the identity of users, processes, and devices before granting access, including password and multi-factor authentication requirements
  7. Incident Response: the organization's incident response plan and testing of its preparedness in the event of a cyberattack
  8. Maintenance: performing system maintenance in a controlled way, including supervising maintenance personnel, controlling maintenance tools, and securing remote maintenance sessions
  9. Media Protection: identifying and marking media containing CUI, and having protocols in place for media protection, sanitization before disposal or reuse, and secure transport
  10. Personnel Security: proper screenings and background checks of personnel are required, and evidence that CUI is protected during employee turnover or transfer
  11. Physical Protection: what physical security is in place to protect company assets
  12. Recovery: backups of necessary data must be kept and logged to mitigate the loss of data
  13. Risk Management: periodic risk assessments of the organization and its vendors, together with vulnerability scanning and remediation, to identify and evaluate risks that affect the company
  14. Security Assessment: a system security plan is needed, as well as the ability to manage controls and perform code reviews for the organization
  15. Situational Awareness: deals with threat monitoring systems
  16. System and Communications Protection: defines each system and communication channel's security requirements
  17. System and Information Integrity: businesses must identify and manage flaws, monitor their systems, implement email protections, etc.


CMMC Maturity Levels

Each organization will be required to undergo a third-party assessment to determine the level of controls it has in place. The CMMC model consists of five levels. The levels are cumulative: to be certified at a given level, an organization must satisfy that level's practices and process requirements together with those of every lower level.

  1. Level 1 - Basic cyber hygiene - Certain everyday practices are required, such as running antivirus, keeping systems up to date, and enforcing sound password policies, but process maturity is not assessed. The business may be provided with FCI, information that is not intended for public release but is needed to develop or deliver a product or service to the government.

  2. Level 2 - Intermediate cyber hygiene - Organizations are expected to document their practices and to establish policies and plans for implementing their cybersecurity program. This is a transitional step toward protecting CUI; companies at this level can still only receive FCI.

  3. Level 3 - Good cyber hygiene and effective implementation of the NIST SP 800-171 Rev 1 security requirements - This is the first level at which CUI can be handled. Organizations must be procedurally mature enough to establish, maintain, and resource a plan that demonstrates management of their practice implementation.

  4. Levels 4 and 5 - Proactive and advanced/progressive cybersecurity program - Businesses must be capable of adapting to changing adversary tactics, techniques, and procedures. They are expected to review and measure the effectiveness of their practices, inform management of issues, and standardize and optimize implementation across the organization.

The level of maturity a contract requires is determined by the sensitivity of the DoD information the organization will be working with; the level an organization actually achieves is determined by the C3PAO that conducts the assessment and issues the certification.

What is a C3PAO?

A C3PAO is a CMMC Third-Party Assessment Organization that performs assessments and issues CMMC certificates.

A C3PAO must be authorized by the CMMC Accreditation Body (CMMC-AB) before it can assess contractors.

No company can self-certify.

A certification is valid for three years, and only the DoD will have access to assessment results.

The results of the assessment determine which defense contracts a company is eligible to bid on or pursue.

As of February 10, 2021, no company has yet been accredited to perform a CMMC assessment and award the certification.

For now, compliance with the current standards will fall on the companies themselves.

The CMMC-AB estimates that by early summer 2021, a few assessors will receive accreditation to audit contractors.

The DoD estimates that roughly 300,000 companies in the DIB will eventually need CMMC certification.

It anticipates only about 15 pilot contracts requiring CMMC in fiscal year 2021.

The CMMC-AB is however beginning to approve consultants and provisional assessors that can assist contractors with prep work.

Consultants are not required to hold a "Registered Practitioner" credential from the CMMC-AB, but having one lends credibility when the time comes for an official assessment. All new DoD contracts are expected to require CMMC by fiscal year 2026.

Consilien can help with the transition to CMMC compliance. Our four-step program is robust enough to begin the arduous task of complying and flexible enough to account for any changes as CMMC becomes standardized. Contact us today at 866-680-3388.

References:

https://cdn1.corp.pivotpointsecurity.com/CMMC_Certification_Guide.pdf

https://www.acq.osd.mil/cmmc/faq.html

https://www.defense.gov/Explore/News/Article/Article/2071434/dod-to-require-cybersecurity-certification-in-some-contract-bids/

https://www.schneiderdowns.com/cybersecurity/cybersecurity-maturity-model-certification

https://www.cybersaint.io/blog/cmmc-domains-explained

https://www.fedscoop.com/cmmc-contractor-timeline-for-certification/

https://www.cyberdefensemagazine.com/cybersecurity-maturity-model/