skip to Main Content
Cybersecurity Maturity Model Certification (CMMC)


Version 1.0 of the CMMC framework will be made available in January 2020 to support training requirements. In June 2020, the Defense Industrial Base (DIB) should begin to see the CMMC requirements as part of Requests for Information (RFI). Information posted is tentative and subject to change until the official CMMC framework release in January 2020.

Cybersecurity Maturity Model Certification (CMMC)

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification”. It is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. 

The goal of the Cybersecurity Maturity Model Certification is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.  In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

CMMC Levels

CMMC Levels chart

The CMMC will encompass multiple maturity levels (1 – 5) that ranges from “basic cyber hygiene” to “advanced / progressive”. The processes and practices in each level are cumulative, with each one built upon the last.  Required CMMC levels will be listed in RFP sections L and M and used as a “go / no go decision” for government contracts.  The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).

Unlike the NIST 800-171 framework, there will be no self-certification for the Cybersecurity Maturity Model Certification.  Instead, a third-party CMMC auditor will be required.

The cost of CMMC certification will be considered an allowable, reimbursable cost and will not be prohibitive. At this time, there is no set cost to become CMMC certified, however there may be a variance of cost depending on the level required.  For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.  Certifications will be made public, but details regarding specific findings will not be publicly accessible.

What do we know for sure about the CMMC at this time?

Because the CMMC is in draft form, it is still being revised.  There is NO company out there that can truly start to make a customer “CMMC compliant” and assist with the CMMC assessment process until after the final revision – 1.0 – comes out in January of 2020. 

What we know is that the DoD will also be helping small companies meet these cybersecurity requirements, and make cybersecurity an “allowable cost”.

We understand the challenge to small companies. We are not going to put small companies out of business. We need them. We will find innovative ways to help make them cyber secure with the help of our large primes as well.

Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment

I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost.

Katie Arrington, special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD

What we also know is that based on statements from the DoD as well as what draft revisions have indicated, CMMC Level 3 will be closely aligned with the 110 controls NIST 800-171 revision 1, along with a number of additional controls added.

NIST 800-171 was to be implemented by DoD contractors by December 31, 2017.  However, many are still behind the curve and the first step to CMMC for many government contractors will be the full implementation of NIST 800-171.

Stronghold Cyber Security has extensive experience working with compliance frameworks, particularly NIST 800-171, and can help your business prepare for the upcoming CMMC audit and certification process.  Once the framework is finalized, Stronghold Cyber Security will be offering CMMC consulting and we can virtually service companies anywhere in the country.

To find out how we can assist your company with the upcoming CMMC compliance requirements, please call us at 1-888-277-8320, email or fill out the form on the right to get started!

Cybersecurity Maturity Model Certification (CMMC)

Everything NIST compliant DoD Contractors Need To Know Now That CMMC Version 1.0 Is Out!

Everything NIST compliant DoD Contractors Need To Know Now That CMMC Version 1.0 Is Out!…

read more
Cybersecurity Maturity Model Certification - CMMC

Everything you need to know about the Cybersecurity Maturity Model Certification (CMMC)

What is the Cybersecurity Maturity Model Certification (CMMC)?   CMMC is an acronym that stands…

read more
Federal Computer Week

Federal Computer Week sources Stronghold Cyber Security white paper for article on draft NIST 800-171B

Stronghold Cyber Security CEO Jason McNew was recently quoted by Federal Computer Week (FCW) for…

read more
Do you need assistance with becoming CMMC compliant? Reach out to us, we can help!


    Contractors will need to start preparing for the CMMC which is set to release in January 2020.  Those who have already implemented NIST 800-171 are ahead of the curve.

    What are you waiting for? Give us a call to see how Stronghold Cyber Security can help your company with the upcoming CMMC compliance requirements! 1-888-277-8320
    Back To Top