What is CMMC?

The Cybersecurity Maturity Model Certification Explained

The Cybersecurity Maturity Model Certification (CMMC) is a program mandated by the Department of Defense (DoD) to verify the cybersecurity of its supply chain. All contractors and sub-contractors in the DoD’s supply chain, except for commercial-off-the-shelf product providers, will have to meet specific compliance requirements.  Some will need a certification, whereas some will need to provide self-attestation.

CMMC winsor simple secure sincere

The Defense Industrial Base (DIB) is often the target of complex cyberattacks. Protecting intellectual property and national security has become a point of extreme focus for the DoD. Maintaining this security throughout not only the primary DoD contracts but also all the way down the supply chain is why CMMC has become a necessary step.


CMMC Model 2.0, which was announced in November of 2021, was designed to achieve these primary goals:

  • Safeguard sensitive information to enable and protect the warfighter.
  • Enforce DIB cybersecurity standards to meet evolving threats.
  • Ensure accountability while minimizing barriers to compliance with DoD requirements.
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience.
  • Maintain public trust though high professional and ethical standards.


Who must obtain CMMC?

The type of data you handle in your contracts determines the level of certification you need. If you deal with Controlled Unclassified Information (CUI), certification is necessary. For Federal Contract Information (FCI), self-attestation suffices. The certification level depends on the data you handle. If you’re already compliant with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) serves as the verification process for your compliance, offering different levels of certification based on your cybersecurity maturity. However, if you only sell Commercial off the Shelf (COTS) products to the Department of Defense (DoD) without dealing with FCI or CUI, CMMC certification isn’t needed.


How do you achieve certification?

The DoD has streamlined certification to a three-tiered model. Level one will require an annual self-assessment and an annual affirmation, level two will require triennial third-party assessments for critical national security information and for select programs an annual self-assessment. Finally, level three will require triennial government-led assessments. CMMC 2.0 will become a contract requirement once rulemaking is completed.

Stay a while. We have plenty to read.

Defense Contractors, Sub-Contractors and CMMC Compliance

  Cybersecurity has become a top priority for governments, businesses, and individuals alike. New cyber-attacks are launched daily across all sectors, public and private. Cybersecurity has become a necessity for defense contractors, tasked with handling sensitive...

read more

CUI- Controlled Unclassified Information and CMMC

Understanding CUI: A Vital Component of Information Security The Department of Defense (DoD) defines CUI as “Government-created or owned Unclassified information that allows for, or requires, safeguarding and dissemination controls in accordance with laws,...

read more

Department of Defense and CMMC

The Department of Defense (DoD) and CMMC Digital vulnerabilities have made robust cybersecurity measures indispensable, especially within sectors handling sensitive information critical to national security. Recognizing this imperative, the Department of Defense (DoD)...

read more

CMMC Checklist

CMMC 2.0 Checklist The Department of Defense has mandated contractors and subcontractors who handle Controlled Unclassified Information achieve Cybersecurity Maturity Model Certification (CMMC). Navigating the process of readiness and achieving DOD cybersecurity...

read more