Take the guesswork out of CMMC compliance
The official rollout of the Cybersecurity Maturity Model Certification (CMMC) is already here. If you want to land or maintain contracts with the Department of Defense, you’re likely feeling the pressure to move fast without making a costly mistake.
As a certified Registered Provider Organization (RPO) with 25 years of experience guiding companies through detailed compliance frameworks, SecurityMetrics helps you through your first year of meeting CMMC demands, regardless of your contractor level.
Having helped businesses of all sizes meet compliance standards, our experts will guide you through each step so you can secure your DoD contracts.
Solutions by Contractor Level
Level 1 CMMC Certification – Zero-to-Compliant Guidance
Level 1 contractors perform an annual Self-Assessment and attest to their CMMC compliance each year.
As a Level 1 contractor handling FCI (Federal Contract Information), there’s a chance you’ve never had to comply with data security measures like these. It might feel like you’ve suddenly been asked to speak a foreign language.
- What do these acronyms mean?
- How do I maintain compliance?
- How do I report my Self-Assessment?
Questions like these can make CMMC compliance feel out of reach.
We offer Level 1 contractors the ability to begin CMMC with no previous understanding of data security frameworks, guiding you from start to finish, and reporting your compliance up the chain to the Prime contractor.
Trained CMMC Registered Practitioners (RPs) will help you understand what is expected of you and how to meet the demands of CMMC, then guide you through reporting in the SPRS database and reporting your compliance to the Prime contractors you do business with.
Level 2 CMMC Certification – Go Into Your CMMC Audit With Confidence
Level 2 contractors must complete an audit of 110 different CMMC controls.
As a Level 2 contractor handling CUI (Controlled Unclassified Information), no longer being able to self-assess likely feels like a mountain has just been placed on your path to landing government contracts.
Securing a C3PAO to make sure you’re compliant against 110 controls may feel daunting, but you don’t have to go into your audit ‘hoping for the best’.
CMMC Audit controls are based entirely on the 110 controls in the NIST SP 800-171 framework. Our audit team has extensive experience with NIST frameworks and can perform a CMMC Readiness Assessment to efficiently scope your CMMC environment and conduct a thorough Gap Analysis. This ensures you are prepared to confidently pass your audit.
Don’t risk failing your audit and delaying your ability to land DoD contracts. Know and fix your weaknesses before the audit even starts.
Prime Contractors (Flowdown Compliance Management) – A Simple Fix To The Trickiest Part of CMMC
A prime contractor must be able to verify that all of their sub-contractors are also CMMC compliant.
As a Prime Contractor, you have seen and understand the daunting Flowdown requirements, which mean you will somehow have to collect and verify compliance information from hundreds or even thousands of subcontractors.
Instead of attempting to hunt down individual contractor statuses through endless email chains, SecurityMetrics helps you verify your Flowdown without all of the manual effort.
We offer Prime contractors a compliance management portal that makes it easy to track and verify the CMMC status of all sub-contractors, making what could be the most tedious part of your CMMC experience simple to organize and manage.
PCI program solutions for acquirers and ISOs
SecurityMetrics PCI programs are merchant-friendly, keeping them and you happy.
Features compared across the Basic, Plus, Pro and Advisor tiers:
- Online Portal
- Merchant PCI SAQ
- SAQ Pre-Population
- ASV scans (1 per merchant)
- PCI Policy Template
- 24/7 Help Desk
- 24/7 Scan & SAQ Support
- Partner+ Portal
- Custom Email Campaigns
- Assigned CSM
- ASV scans (5 per merchant)
- $100,000 Merchant Premium Service Warranty
- Card Data Discovery
- Mobile Device Scan
- AI-Powered PCI Compliance (Spectre AI)
- Anti-Malware Software
Get started on your PCI program, request a quote now.
Lite, Basic and Advanced tiers
PCI for small businesses starting at
Price discounts available depending on merchant processor
- External Vulnerability Scan (1 IP)
- Online PCI Self Assessment Questionnaire (SAQ)
- Online compliance reporting portal
- Non-compliance notification
- Compliance reporting to merchant processor
- Compliance certificate
- PANscan® (Card discovery software for 1 machine)
- Service warranty (Up to $100,000 reimbursement in case of a breach)
- Security Awareness Training (1 seat)
*We discount our services for most merchants because of our relationship with their merchant processor.
Basic
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 1 IP
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 3 seats
- 5 hours of technical support (inbound tech support only)
Plus
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 3 IPs
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 15 seats
- Unlimited Support (specialized HIPAA support agents available for guidance on all HIPAA tools)
Pro
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 5 IPs
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 25 seats
- Unlimited Support (specialized HIPAA support agents available for guidance on all HIPAA tools)
Frequently Asked Questions
What exactly is CMMC and why is the DoD requiring it?
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program designed to validate that private companies working with the military have strong cybersecurity. The DoD is moving to a "verify before you trust" model to stop foreign adversaries from stealing intellectual property and national security data from the defense supply chain.
How do I know which CMMC Level applies to my company?
The program works in a tiered system based on the type of data you handle:
- Level 1 (Introductory): For companies handling Federal Contract Information (FCI). This involves standard practices like passwords and antivirus software.
- Level 2 (Advanced): For companies handling Controlled Unclassified Information (CUI). This requires strict protocols (NIST standards) and an audit by a CMMC Third-Party Assessment Organization (C3PAO).
- Level 3 (Expert): For a small subset of companies working on critical programs. This assessment is conducted directly by government officials. (Note: If you’re unclear what level you are, reach out and we can help you figure out your needs.)
Can we just self-certify like we used to in the past?
For most companies, the answer is no. The biggest change under CMMC is the move away from the "honor system" where you could simply sign a paper claiming you followed the rules. While Level 1 still allows for self-assessment, Level 2 and Level 3 now require formal audits by outside assessors to prove compliance.
Is this happening right now, or can I wait to prepare?
You should prepare now. As of late 2025, the phased rollout has begun, and these requirements are already appearing in contracts. CMMC is a "go/no-go" requirement; without the certification in hand, you cannot be awarded the contract. You must determine your level and prepare for assessment to ensure you can win future bids.
Does this requirement apply to my subcontractors?
Yes. If you share Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) with subcontractors to fulfill a contract, they must also achieve the appropriate CMMC level. The program is designed to secure the entire supply chain, meaning you are responsible for ensuring your partners and vendors meet these requirements before sharing data with them.
How often do I need to be re-certified?
It varies by level. Level 1 requires an annual self-assessment and affirmation. Level 2 and Level 3 certifications are generally valid for three years. However, you are still required to submit an "annual affirmation" in the Supplier Performance Risk System (SPRS) to verify that your security remains compliant during the years between your full assessments.
What if I miss a few requirements during my audit? (POA&Ms)
It depends on the severity. For Level 1, you must pass 100% of the requirements immediately; no exceptions are allowed. For Level 2 and 3, if you miss certain non-critical requirements, you may be granted "Conditional" status. This allows you to continue working, but you must create a Plan of Action and Milestones (POA&M) and fix the issues within 180 days. If you do not close out these issues within that timeframe, your conditional certification will expire.
Resources
The following are related resources that we have prepared for you. Find more answers to your questions in our Learning Center.