CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense (DoD) program that sets cybersecurity requirements for DoD contractors, subcontractors, and any other organization in the defense supply chain that handles DoD information. Its purpose is to verify that two categories of sensitive government information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), are adequately protected on the unclassified systems of Defense Industrial Base (DIB) partners.

The DoD introduced CMMC in 2020 as a verification program: rather than taking a contractor's word for it, the DoD requires compliance to be demonstrated through formal assessments, some of them performed by independent third parties. Before CMMC, contractors handling CUI were already required by DFARS clause 252.204-7012 to implement NIST SP 800-171, published by the National Institute of Standards and Technology (NIST), but that compliance was self-attested and rarely verified.

However, as cyber threats grow more sophisticated, protecting national security requires more than self-attested compliance. It requires a structured framework with defined assessment levels that every defense contractor, subcontractor, and supply chain member handling FCI or CUI must meet and, where the contract requires it, prove to an independent assessor.

What Is CMMC? Cybersecurity Maturity Model Certification

Does My Business Need a CMMC Certification?

If you are a DoD contractor or subcontractor, you will need to meet the CMMC level specified in each contract to continue working on it. At Level 1, and in some Level 2 contracts, this means a self-assessment; other contracts require a third-party certification. Subcontractors further down the supply chain are also subject to CMMC requirements if their work involves handling FCI or CUI for a DoD contract, because the prime contractor must flow the requirement down to them. A defense supplier is any company or organization providing goods or services to the DoD; contracts solely for commercially available off-the-shelf (COTS) items are excluded. The required level is stated in the solicitation and the contract, so check the contracts themselves.

How Long Do I Have to Become Compliant with CMMC?

You should assume CMMC compliance is required now for any new contract you intend to pursue: the CMMC requirement became effective in DoD solicitations on November 10, 2025. From that date, meeting the required level is a condition of award for any solicitation that includes it, so a business that cannot demonstrate compliance at the stated level is ineligible for that award.

CMMC Timeline

The CMMC is being rolled out in phases by the DoD:

  • Phase 1: Begins November 10, 2025. Solicitations that include CMMC require a Level 1 (Foundational) or Level 2 (Advanced) self-assessment; the DoD may require a Level 2 third-party certification in selected contracts at its discretion.
  • Phase 2: Begins November 10, 2026. Level 2 (Advanced) certification assessments by a CMMC Third-Party Assessment Organization (C3PAO) become a requirement in the contracts where the DoD specifies them, so more DoD contracts demand this higher, independently verified level of compliance.
  • Phase 3: Begins November 10, 2027. Level 3 (Expert) assessments, conducted by the DoD's Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), are introduced, and CMMC requirements continue to expand across contracts.
  • Phase 4: Begins November 10, 2028. CMMC requirements at all levels apply to all applicable DoD solicitations and contracts.

How Do I Become CMMC Certified?

To become CMMC certified, you will need to go through a verification process to certify you are in compliance with DoD requirements. In other words, your IT infrastructure and internal processes will be required to meet specific cybersecurity standards to continue doing business with the DoD.

There are several steps involved in becoming CMMC certified:

  1. Determine Level of Compliance Needed: You must first determine which level the DoD requires from your organization. Your contracts will state the required level. Essentially, if your business or organization handles ONLY FCI, you need Level 1. If you handle CUI, you need Level 2, either as a self-assessment or as a C3PAO certification, depending on what the contract specifies. A small number of programs handling the most sensitive CUI require Level 3.
  2. Conduct a Gap Analysis: Perform a thorough readiness assessment against CMMC requirements to identify where your organization's IT infrastructure falls short in policies, procedures, and technology.
  3. Correct Any Gaps in Security: Once the assessment is complete, remediate every finding that would cause you to fail the self-assessment or certification assessment. Record how each requirement is implemented in a System Security Plan (SSP) and track any remaining items in a Plan of Action and Milestones (POA&M); NIST SP 800-171 requires both, and assessors will ask for them. This is where a trusted and knowledgeable Washington, D.C. Managed IT Service Provider comes in. We know EXACTLY what the DoD is looking for and can quickly address any gaps in security and bring you into compliance.
  4. Perform and Submit a Self-Assessment: Level 1 is assessed against the 15 basic safeguarding requirements of FAR 52.204-21. Level 2 is assessed against the 110 requirements of NIST SP 800-171 Revision 2, which sets the standards for protecting Controlled Unclassified Information (CUI) when it is processed, stored, or transmitted by non-federal systems, including the information systems and networks of government contractors and their subcontractors. Submit the results to the DoD's Supplier Performance Risk System (SPRS); a senior official of your company (the Affirming Official) must also affirm continued compliance in SPRS each year. The DoD provides official guides to help you perform the self-assessment. You can access them here:
    CMMC Level 1 Self-Assessment Guide
    CMMC Level 2 Assessment Guide
  5. Successfully Complete a Third-Party Assessment (where required): If the contract requires Level 2 certification, engage a CMMC Third-Party Assessment Organization (C3PAO), authorized by the Cyber AB, to perform the certification assessment of your in-scope systems. Address any findings; only a limited set of unmet requirements may be carried on a POA&M, and those must be closed within 180 days for the certification status to become final.
  6. Obtain Certified Status: When you pass, the C3PAO records the result in the DoD's CMMC eMASS system and your certification status is reflected in SPRS. The Cyber AB (the CMMC Accreditation Body) accredits the C3PAOs; it does not itself certify contractors. A Level 2 certification is valid for three years, subject to an annual affirmation, and must be maintained as compliance requirements evolve.

What Are the Compliance Levels of CMMC?

The CMMC Program provides assessments at three levels, each built from security requirements in existing standards: NIST SP 800-171 Revision 2 for Levels 1 and 2, and selected requirements from NIST SP 800-172 for Level 3. Your contracts will specify the required level.

CMMC Level 1 (Foundational)

The Foundational Level of CMMC is for companies and organizations that handle Federal Contract Information (FCI) ONLY. It consists of the 15 basic safeguarding requirements of FAR 52.204-21 and requires an annual self-assessment, recorded in the DoD's Supplier Performance Risk System (SPRS), together with an annual affirmation. No third-party assessment is required at Level 1, and no POA&M is permitted: all 15 requirements must be fully met.

CMMC Level 2 (Advanced)

The Advanced Level of CMMC compliance is for companies and organizations that handle Controlled Unclassified Information (CUI). It consists of the 110 security requirements of NIST SP 800-171 Revision 2. Depending on the sensitivity of the CUI involved, the contract will require either a Level 2 self-assessment or a Level 2 certification assessment performed by a C3PAO; the DoD reserves certification for the more sensitive programs. In both cases the assessment is performed every three years, with an affirmation of continued compliance submitted to SPRS annually. Check your contracts to determine which form of Level 2 you must comply with.

CMMC Level 3 (Expert)

The Expert Level of CMMC compliance is for companies and organizations that handle the most sensitive Controlled Unclassified Information (CUI), typically on the DoD's highest-priority programs. CMMC Level 3 involves meeting all 110 requirements of Levels 1 and 2, plus 24 additional requirements selected from NIST SP 800-172 that focus on defending against advanced persistent threats. The Level 3 assessment is performed by the DoD's DCMA DIBCAC rather than by a C3PAO, and a Final Level 2 (C3PAO) certification covering the same systems is a prerequisite. Getting CMMC Level 3 certified involves a few key steps:

  • Step One: Achieve CMMC Level 2 Certification (which includes Level 1)
    • Meet all 110 requirements of NIST SP 800-171 Revision 2; the Level 1 requirements are a subset of these.
    • Complete a certification assessment with a C3PAO (CMMC Third-Party Assessment Organization). A Level 2 self-assessment score submitted to the DoD's Supplier Performance Risk System (SPRS) is not sufficient for Level 3, which requires a Final Level 2 (C3PAO) status for the in-scope systems.
  • Step Two: Prepare for Level 3 Assessment

If you have any questions about CMMC compliance or need assistance with the self-assessment of your systems, Critical IT Solutions is here to assist. With over 15 years of serving DMV area businesses, we are highly knowledgeable about government contracts and how to keep your small business in compliance. Contact an experienced provider of IT support for DoD contracted businesses like yours today!