Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) builds upon NIST 800-171 and will be the standard on DoD RFIs and RFPs beginning in mid-2020. CMMC is required for all vendors who work with the Department of Defense or other parts of the government. This means that all DoD Contractors will need to become CMMC Certified by passing a CMMC Audit to verify they have met the appropriate level of cybersecurity for their business. This will be a requirement for any organization that wants to hold contracts with the Department of Defense. This includes both Prime and Subcontractors. CMMC does encompass a majority of the regulations of NIST, but it has additional controls as well.

NIST & CMMC Differences

There are a few differences between NIST and CMMC, however, a majority of the controls remain the same. With CMMC there are 33 additional controls in place. The biggest difference is that CMMC does not allow for a self-certification. Instead, CMMC requires an audit from a 3rd party approved auditor to gain certification.

5 levels of CMMC

5 Levels of Certification

With CMMC, every company must be CMMC certified prior to placing a bid on specific contracts. There are five levels of certification for CMMC that will better reflect the type of cybersecurity that a contractor will need to attain a particular contract.

Benefits of CMMC

The Cybersecurity Maturity Model Certification (CMMC) will be required for your business to stay working with the government!


To bid on a contract in the future, you first need to see what CMMC level is required. Then, the RFI is posted including the required CMMC level for bidding. The RFI may contain multiple levels to account for subcontracting flow-down. The RFP is then released and contractors submit proposals including audited CMMC level of prime and subcontractors. The final step which results in receiving the bid or not is approval from the contracting officer. The contracting officer verifies the CMMC level status and rejects all proposals not meeting the minimum level.

The level of CMMC needed for a particular contract will be stated in the Request for Proposals in the L & M sections. The Department of Defense will see the results of your audit but specific results will not be made public.

Work with a CMMC Consultant

For many government contractors, the best way to meet the CMMC cybersecurity standards is to outsource the task to a Managed Security Service Provider (MSSP). Keep in mind that DoD contractors are required certification to hold any contracts with the Department of Defense so it is important to choose an MSSP you can trust. By outsourcing your security framework to an experienced MSSP, you will ultimately be more efficient and you can focus on what you do best with less downtime.

Need CMMC Compliance? We Can Help!