What is CMMC Compliance?

Corserva blog

The Cybersecurity Maturity Model Certification (CMMC) was created to enhance the cybersecurity posture of companies participating in US government supply chains. As of December 31, 2017, defense and government suppliers had to comply with NIST 800-171. Starting in 2020 with the introduction of CMMC FAR clause, the DoD is gradually transitioning federal contract information to include CMMC instead of NIST 800-171.

There are two significant differences in CMMC:

  • Unlike NIST 800-171, with CMMC there is no longer an option for self-attestation.
  • CMMC includes five different levels of compliance.


CMMC - A New Cybersecurity Standard

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020.

The Department of Defense is planning to migrate from NIST 800-171 to the CMMC framework later in 2020.

CMMC is to be rolled out gradually and will eventually replace NIST 800-171 compliance.


Starting in September 2020, CMMC requirements could be included in some RFPs, and by 2026, all new DoD contracts will require CMMC.


Cybersecurity Maturity Model Certification


You can learn more about CMMC at these government sites:

Request a Quote for CMMC Consulting Services


No More Self-Attestation

The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment. With this framework, there is no longer an option for self-attestation.


"How to Prepare for a CMMC Assessment


CMMC Levels

The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding and basic cybersecurity processes at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.

These levels capture both security control and the processes that enhance a company's cybersecurity. DoD contracts stipulate to which level (1, 2, 3, 4, or 5) a supplier must meet. A company will need to meet both the processes and practices to meet a given level.




A subcontractor working for a prime contractor may not necessarily need to meet the same level as the prime. For example, to win a contract, first-tier DoD contractors may need to be at Level 3 but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.

Many small businesses seeking basic cybersecurity hygiene will only need to meet Level 1.


LEVEL 1 - Safeguard Federal Contract Information (FCI)

♦ Level 1 Practices

  • Firewall with monitoring
  • Segment and control public facing connections
  • Anti-virus
  • Device inventory
  • Software inventory
  • User and access management
  • Log and escort visitors
  • Badges and keys
  • Data disposal
  • Update systems

♦ Level 1 Supporting Documentation

  • Acceptable Use Policy
  • Access Control Policy
  • Physical Security Policy
  • Asset Management Policy

LEVEL 2 - Serve as transition step in cybersecurity maturity progression to protect CUI

♦ Level 2 Practices

  • CMMC Level 1 completion
  • System event logging/retention
  • Awareness and role training
  • Hardware/software inventory
  • Secure baselines
  • Multi-factor authentication (MFA) for remote access
  • Conduct, test, and encrypt backups
  • Vulnerability scanning and remediation
  • Identify unauthorized use
  • Incident response procedures
  • more...

♦ Level 2 Supporting Documentation

  • Vulnerability Management Policy
  • Data Transfer Policy
  • Incident Response Policy
  • Password Policy
  • Secure Baseline Procedure
  • Change Management Procedure
  • Teleworker Policy
  • Data Classification Policy
  • Information Security Policy

LEVEL 3 - Protect CUI

There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.

♦ Level 3 Practices

  • CMMC Level 2 completion
  • 800-171 controls
  • No POA&M items
  • Offsite backups
  • Centralized logging
  • Risk assessments
  • Continuous monitoring
  • DNS filtering
  • more...

♦ Level 3 Supporting Documentation

  • Social Media Policy
  • CUI Handling Procedure
  • Information Security Plan

LEVEL 4 - Protect CUI and reduce risk of Advanced Persistent Threats (ATP)

♦ Level 4 Processes: Reviewed

Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.

♦ Level 4 Practices: Proactive

Practices protection of CUI from APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.

LEVEL 5 - Protect CUI and reduce risk of ATPs

♦ Level 5 Processes: Optimizing

Requires an organization to take corrective action towards improving process implementation across the organization.

♦ Level 5 Practices: Advanced/Proactive

Increases the depth and sophistication of cybersecurity capabilities.


How to Comply with CMMC

The CMMC framework requires all companies seeking compliance to be assessed by an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments. As of May 5, 2021, there are no certified C3PAOs eligible to perform assessments.


Request a Quote for CMMC Consulting Services


CMMC Compliance Process

Companies operating in federal supply chains need to be certified by a third-party organization (C3PAO) who will assess the company's level of compliance with CMMC. DoD contracts specify to which level a company must comply (Levels 1-5). Starting in 2020, CMMC can be introduced in new RFIs and RFPs. By 2026, all DoD contracts will include CMMC instead of NIST 800-171.

With the adoption of CMMC, there is no longer an option for self-attestation to be eligible to participate in DoD contracts.

If you have questions about what is CMMC compliance, the process to achieve CMMC compliance is as follows:

  1. Determine the level of CMMC you want to meet (based on future contracts on which you plan to bid or internal business goals).
  2. Prepare internally to meet the selected standard. Identify gaps in your processes and systems. You can leverage the services of a CMMC-AB Registered Provider Organization™ (RPO) listed in the CMMC-AB Marketplace to help you.
  3. Select a C3PAO from the CMMC Accreditation Body Marketplace. As of May 5, 2021, there are no certified C3PAO companies performing assessments yet.
  4. Engage a C3PAO to provide the assessment.
  5. The C3PAO submits the assessment for review by the CMMC-AB.
  6. Certification is issued to the company.

The certification will last for 3 years, at which point companies will be able to renew their certification.


The Overlap of NIST 800-171 and CMMC

CMMCBecause CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By 2026, all new DoD contracts will include CMMC cybersecurity requirements.

Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.


CMMC Impact to Current Contracts

No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts.

The certification to win a contract will be needed at the time of the award.


CMMC Requirements

You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements.

CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.


NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal: to protect information.


RPOGet Ready for CMMC Now

As a CMMC-AB Registered Provider Organization™ (RPO) listed in the CMMC-AB Marketplace, Corserva can help prepare companies to get ready for a CMMC assessment. 

Corserva offers an easy process for your organization to prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.

Request a Quote for CMMC Consulting Services


Post Date: May 14, 2020 // 10:43 AM

Topic category:



Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She has written on various technology topics including disaster recovery, IT services, and enterprise software. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.