What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is the DoD’s newest verification system, and it ensures all defense industrial base (DIB) contractors have adequate cybersecurity measures in place. According to the NQA,

“In 2016, the U.S. economy lost between $57 billion and $109 billion due to malicious cyber activity. The loss of Controlled Unclassified Information (CUI) from the defense industrial base poses a risk to national security. So, as cybercrimes continue to evolve, the U.S. Department of Defense has developed new measures to increase security across the defense supply chain — CMMC standards.”

In the DoD’s official press release, a representative explains,

“…cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year.”

Before CMMC was introduced to the DIB sector, contractors were solely responsible for the overall security of their information technology systems and any CUI being transmitted on those systems. While contractors are still responsible for meeting cybersecurity requirements, CMMC is now shifting the paradigm with a third-party assessment of their system to validate compliance with certain mandatory practices, procedures, and capabilities.

Who Needs CMMC Compliance?

Anyone who wants to work on a DoD contract needs to have the appropriate Cybersecurity Maturity Model Certification (CMMC) required for the project. According to CSO, this includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors, and foreign suppliers.

Why is CMMC significant?

Well, according to the Congressional Research Service, the DoD accounted for 63% of the federal government’s $507 billion in contractual obligations in the 2017 fiscal year. The DoD brings in a lot of contract work, so defense contracting can be lucrative for organizations to tap into.

The Office of the Under Secretary of Defense for Acquisition & Sustainment outlines some factors to consider that would require a certification:

  1. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
  2. If you are a subcontractor and your company does not solely produce Commercial-Off-The-Shelf (COTS) products, it will still need to obtain a CMMC certificate.
  3. Companies that solely produce COTS products do NOT require a CMMC certification.

To stay current with CMMC compliance information, the Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can keep up to date on the certification process.

Why CMMC Compliance?

Cyber threats are still real and are only getting more sophisticated as technology advances. To mitigate risks as they relate to both the DoD and contractors, NIST 800-171 was developed in 2003 to provide guidelines on cybersecurity standards. But even with these standards in place, there was no vehicle to enforce them and ensure contractors were mature enough to protect the DoD’s CUI.

According to the DoD representative, Ellen Lord,

“The CMMC is the DoD’s metric to measure a company’s ability to secure its supply chain from cyber threats, protecting both the company and the department.”

CMMC is that vehicle for the DoD to ensure that NIST 800-171 standards are met. While Level 1 does not require any compliance with NIST 800-171, Levels 2-5 incorporate either some or all practices from NIST 800-171.

The Interim Rule Requirements

In late September 2020, the DoD published the interim rule requiring DoD government contractors to possess at least a basic NIST SP 800-171 DoD Assessment. The assessment can be no more than three years old at the time of the award and is required by November 30th, which means companies need to:

  • Complete the DoD assessment through the DCMA.
  • Post their summary scores to the DoD.
  • Achieve and maintain CMMC compliance at the level specified in a solicitation at the time of award.

How To Prepare For CMMC Audits

Starting in Q3 of 2020, third-party auditors began applying for authorization to assess compliance with this new requirement. In Q4 of 2020, bidders will go through audits, and by 2021 the DoD will be enforcing the CMMC requirement for all its contractors.

With the deadline quickly approaching, organizations are scrambling to get their CMMC certification, so they can continue bidding on DoD contracts. One of the best ways to prepare for CMMC audits is to partner with a managed security service provider (MSSP).

MSSPs are staffed with experienced cybersecurity professionals who keep up with the threat landscape and are uniquely equipped to help organizations navigate new regulations.

The Five Levels of CMMC

Unlike the more familiar NIST 800-171 requirements, CMMC is broken down into five levels of certification that define an organization’s cyber hygiene (defined by Cambridge as “the practice of protecting online computer information by using special software, choosing strong passwords, etc.”).

Level 1: Basic Cyber Hygiene

Consists of 17 practices and is equivalent to all practices in the Federal Acquisition Regulation (FAR) Clause 52.204-21.

The DoD’s chief information security officer for acquisition, Katie Arrington, explains,

“Something… simple in Level 1 would be, ‘Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?’ CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information.”

Level 2: Intermediate Cyber Hygiene

Consists of 72 practices. Level 2 complies with FAR Clause 52.204-21, includes a select subset of 48 practices from NIST SP 800-171, and adds 7 additional practices to support intermediate cyber hygiene.

Level 3: Good Cyber Hygiene

Consists of 130 practices. Level 3 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171, and 20 additional practices to support good cyber hygiene.

Level 4: Proactive

Consists of 156 total practices. Level 4 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 11 practices from Draft NIST SP 800-171B, and 15 additional practices to demonstrate proactive cybersecurity practices.

Level 5: Advanced/Progressive

Consists of 171 total practices. Level 5 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 4 practices from Draft NIST SP 800-171B, and 11 additional practices to demonstrate advanced cybersecurity practices.

Achieve Over 80% CMMC Compliance with ARMED™

The nature of defense and government-related industries makes them prime targets for cyber-attacks, breaches, and information and identity theft. That’s why defense contractors trust Conquest Cyber as their MSSP, leveraging our distinctly qualified cybersecurity specialists to meet strict regulations and requirements for CUI, ITAR, CMMC, and DFARS compliance.

Get Started with CMMC Compliance

  1. Request a demo of Conquest Cyber’s proprietary cyber risk management software, ARMED™, to explore the software’s full capabilities. Conquest’s cybersecurity professionals will personalize the demo with your organization’s unique pain points.
  2. Implement ARMED™ in tandem with Conquest’s Managed Security Services support. ARMED™ can detect CMMC levels and, combined with Conquest Cyber experts, can evaluate your cybersecurity maturity level and identify gaps to meet industry requirements.
  3. Strategize with Conquest’s team of experts on closing gaps in your cyber risk management, allowing your organization to gain a competitive advantage and win high-revenue contracts.
  4. Complete a majority of requirements for industry-specific compliance and leverage real-time data to manage and monitor security controls, events, and service levels.

See for yourself how Conquest Cyber helps defense contractors quickly achieve CMMC compliance so teams can focus on high-value government contracts.


  1. CSO Online, The Cybersecurity Maturity Model Certification explained: What defense contractors need to know
  2. Congressional Research Service, Defense Acquisitions: How and Where DOD Spends Its Contracting Dollars
  3. Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification, CMMC FAQ’s
  4. Federal Register, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
  5. NQA, Guide to the CMMC Standard and Certification
  6. U.S. Department of Defense, DOD to Require Cybersecurity Certification in Some Contract Bids
  7. U.S. Department of Defense, DOD Focuses on Minimizing Cyber Threats to Department, Contractors