Skip to content

The Cybersecurity Maturity Model Certification (CMMC) is a certification handled by the CMMC Accreditation Board (CMMC-AB). They work directly with the Department of Defense (DoD) to accredit organizations.

CMMC compliance is required for any defense contractors or other vendors that wish to or currently work with the Department of Defense (DoD). The ultimate goal of CMMC is to protect sensitive data created or possessed by the government or another organization on the government’s behalf. Such data is referred to as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

There are three levels of CMMC compliance, each building off the last. Level 1 refers to the ‘Foundational’ level, which requires 17 different practices headlined by an annual self-assessment. Level 2, or ‘Advanced’, is quite a step up, requiring 110 practices and controls aligned with the NIST (National Institute of Standards and Technology) SP 800-171 framework. Finally, Level 3, or ‘Expert’, requires 110+ practices and is the highest level of compliance. Additionally, levels 2 and 3 require triennial assessments. Level 3 is currently still in development but will be based on a subset of NIST SP 800-172 requirements.

Some of the general requirements include:

  • Vulnerability assessment and penetration testing
  • Network monitoring
  • Employee training
  • Cybersecurity risk assessments
  • Incident response planning and policy documentation

The level of compliance needed depends on the contract that is being worked on, but to qualify, an organization must at least be level 1 compliant as that is vital to ensuring FCI is properly handled. Being level 2 or 3 compliant allows for the handling of CUI, while not complying with CMMC results in the automatic disqualification of Department of Defense request for proposals (RFPs). This means that a contactor cannot work with the DoD without at least being level 1 compliant.

Becoming CMMC compliant can be a daunting task, especially for those aiming for compliance level 2 and 3. Many organizations are having a tough time becoming compliant, which is why some companies are registering with the CMMC-AB as Registered Provider Organizations (RPO). This certification proves that an organization is qualified to guide other firms through the rigorous requirements of CMMC to streamline their compliance journey.

What do you think of CMMC compliance? Let us know in the comments!

To learn more about Alliant Cybersecurity can help you become complaint, visit:

Thanks for reading!