The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that the Department of Defense (DoD) has instituted for prime and subcontractors wanting to provide products or services to the DoD. Keiter is a Registered Provider Organization (RPO) in the CMMC Marketplace.

Helping your business adopt the CMMC

Upcoming CMMC Webinar: Oct 26, 2021

History

  • In 2016, Defense contracting regulations mandated compliance with NIST SP 800-171.
  • Compliance was achieved via self-certification.
  • Self-certification was determined to be insufficient.
  • CMMC builds on this by providing a tiered, maturity-focused compliance framework with a requirement for external certification.
  • In December 2020, the DoD published the first set of CMMC testing requirements (applicable for Level 1 and Level 3 contracts).

Key Facts

  • DoD contractors will need to retain a CMMC Third Party Assessor Organization (C3PAO) to perform the assessment.
  • The CMMC Accreditation Body is in the process of vetting C3PAOs.
  • CMMC requirements will not likely start to appear in contracts until there are enough C3PAOs to perform the assessments (likely mid-2021).
  • The CMMC Accreditation Body recommends at least six months to prepare.

The DoD is using a phased rollout of the CMMC program through September 30, 2025, at which time all solicitations will require compliance with CMMC. Prior to that time the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of a CMMC requirement in a solicitation.

The CMMC framework has five maturity levels (ML). ML-1 is the least rigorous, ML-5 the most. DoD expects that roughly 80% of DoD contracts will require only ML-1 compliance.

ML-1 will be required for contractors who only have access to Federal Contract Information (FCI). ML-3 or ML-5 will be required for organizations that generate or receive Controlled Unclassified Information (CUI). ML-2 and ML-4 are transitional stages, and we do not expect those levels to be required.

(Read more about FCI and CUI here)

DoD will specify the certification required of the prime contractor in the government’s request for proposal (RFP) based on the type of information the prime contractor generates or is provided under each contract. The prime contractor determines the compliance level for the subcontractors. If a prime contractor does not have the required certification at the time of contract award, the company will simply be ineligible.

Level 1 | Performed
Basic Cyber Hygiene
Safeguarding of Federal Contract Information (FCI)
Level 2 | Documented
Intermediate Cyber Hygiene
Transition Step to Protect Controlled Unclassified Information (CUI)
Level 3 | Managed
Good Cyber Hygiene
Protect Controlled Unclassified Information (CUI)
Level 4 | Reviewed
Proactive Cyber Hygiene
Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
Level 5 | Optimizing
Advanced/Progressive Cyber Hygiene
Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)

DoD contractors need to ensure they are certified at the appropriate level when their current contracts come up for rebid or when they expect to bid on new contracts.

DoD contractors first need to determine the CMMC Maturity Level with which they need to comply. Contractors should review their current contracts and speak with their contracting officers, contracting officer’s technical representative (COTR), or other DoD representative to determine what type of information (CUI vs FCI) the government considers the contractor to have.

Once the Maturity Level is determined, contractors should perform an assessment to determine whether there are any CMMC requirements for their specific Maturity Level that they are not meeting. If gaps are identified, the contractor needs to implement corrective actions to resolve them.

Additionally, if not already performed, DoD contractors will need to perform a self-assessment against NIST SP 800-171 and self-report in the DoD Supplier Performance Risk System (SPRS).

Many DoD contractors will need assistance in performing their assessments, identifying gaps, and developing corrective action plans. Keiter’s Risk Advisory Services team has been providing cybersecurity services and consulting on the major IT frameworks such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others for close to 20 years. As a CMMC RPO, our team can help DoD prime and subcontractors with the following:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Assistance with Remediating Gaps Identified during Readiness Assessment
  • Assistance with the NIST SP 800-171 Self-Assessment that is recorded in the Supplier Performance Risk System
