CMMC stands for Cybersecurity Maturity Model Certification. Since the Department of Defense (DoD) announced the CMMC requirement, Winsor has taken the steps to implement the requirements for this certification with our clients and inform businesses of possible risks. The goal of this certification is to comply to the DoD’s standards and to reduce cyber threats for your company. Along with reducing the threats, the CMMC is intended to ensure that the cybersecurity practices and processes are in place to protect controlled unclassified information (CUI).



If your company works with the DoD, it has to be CMMC certified. The majority of the estimated 300,000 businesses requiring the certification fall into the small and mid-size business range. You must also comply if your company is working directly or indirectly with the DoD as a Prime or Subcontractor.


Your company has to hit specific levels of compliance within the CMMC requirements for certain contracts through the DoD. By level 3, ongoing security programs and ongoing support is incorporated.


We will perform a thorough Assessment based on CMMC requirements. We then will prepare a SSP and POAM to comply with basic requirements. Based on findings in the POAM, we will assist with remediation. Lastly, we will assist with ongoing cybersecurity monitoring and incident response efforts.

3 Steps to Achieve Your CMMC

No matter the size of your business, whether you are a Prime or a Subcontractor, you will need to comply with the CMMC requirements. Winsor will perform a thorough cybersecurity assessment based on the NIST framework and the controls set forth in CMMC. Then we will assist or perform remediation on the findings from the assessment. In order to stay compliant, we must then continue to adhere to the CMMC requirements.


We perform a detailed assessment of your current network and compare this with the cyber security controls required in NIST SP 800-171. We then prepare an SSP and POAM so that you can provide documented evidence to the DoD or your Prime that you’re on your way towards compliance. This step then serves as the basis for creation of the remediation plan.


In this step the items called out in the POAM need to be addressed. Depending on the current state of your IT systems, this can be as simple as implementing multi-factor authentication and security awareness training or as complex as refreshing an entire aging infrastructure.

Ongoing Compliance

Ongoing advanced cybersecurity monitoring and incident response capabilities are required to remain compliant. If a cyber incident occurs you must notify the DoD through the DIBNet Portal ( within 72 hours. You must also constantly assess and maintain the NIST 800-171 controls over time as systems change and fall out of alignment.

How does it affect government contracts?

The government determines the appropriate tier for the contracts they administer. A goal for having this is to make cybersecurity an ‘‘allowable cost’’ for DoD contracts. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.


Three consequences of non-compliance are certain: The federal government will terminate contracts over NIST 800-171 non-compliance since it constitutes a failure to uphold contract requirements. A company stating that it is compliant when it is not would be engaging in criminal fraud. Failing to comply can also constitute breach of contract, for not maintaining a specific code of conduct.

Release Dates

There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must meet. Access Control Audit and Accountability Awareness and Training Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Physical Protection Personnel Security Risk Assessment Security Assessment System and Communications Protection System and Information Integrity