Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program designed to validate that private companies working with the military have strong cybersecurity. The DoD is moving to a "verify before you trust" model to stop foreign adversaries from stealing intellectual property and national security data from the defense supply chain.

The program works in a tiered system based on the type of data you handle:

• Level 1 (Introductory): For companies handling Federal Contract Information (FCI). This involves standard practices like passwords and antivirus software.
• Level 2 (Advanced): For companies handling Controlled Unclassified Information (CUI). This requires strict protocols (NIST standards) and an audit by a CMMC authorized private third party (C3PAO).
• Level 3 (Expert): For a small subset of companies working on critical programs. This assessment is conducted directly by government officials. (Note: If you’re unclear what level you are, reach out and we can help you figure out your needs.)

For most companies, the answer is no. The biggest change under CMMC is the move away from the "honor system" where you could simply sign a paper claiming you followed the rules. While Level 1 still allows for self-assessment, Level 2 and Level 3 now require formal audits by outside assessors to prove compliance.

You should prepare now. As of late 2025, the phased rollout has begun, and these requirements are already appearing in contracts. CMMC is a "go/no-go" requirement; without the certification in hand, you cannot be awarded the contract. You must determine your level and prepare for assessment to ensure you can win future bids.

Yes. If you share Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) with subcontractors to fulfill a contract, they must also achieve the appropriate CMMC level. The program is designed to secure the entire supply chain, meaning you are responsible for ensuring your partners and vendors meet these requirements before sharing data with them.

It varies by level. Level 1 requires an annual self-assessment and affirmation. Level 2 and Level 3 certifications are generally valid for three years. However, you are still required to submit an "annual affirmation" in the Supplier Performance Risk System (SPRS) to verify that your security remains compliant during the years between your full assessments.

It depends on the severity. For Level 1, you must pass 100% of the requirements immediately; no exceptions are allowed. For Level 2 and 3, if you miss certain non-critical requirements, you may be granted "Conditional" status. This allows you to continue working, but you must create a Plan of Action and Milestones (POA&M) and fix the issues within 180 days. If you do not close out these issues within that timeframe, your conditional certification will expire.