What is CMMC?


Cybersecurity Maturity Model Certification (CMMC) is the DoD’s newest verification system, and it ensures all defense industrial base (DIB) contractors have adequate cybersecurity measures in place. According to the NQA,


“In 2016, the U.S. economy lost between $57 billion and $109 billion due to malicious cyber activity. The loss of Controlled Unclassified Information (CUI) from the Defense Industrial Base poses a risk to national security. So, as cyber crimes continue to evolve, the U.S. Department of Defense has developed new measures to increase security across the defense supply chain — CMMC standards.”

In the DoD’s official press release, a representative explains,


“…cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year.”

Before CMMC was introduced to the DIB sector, contractors were solely responsible for the overall security of their information technology systems and any CUI being transmitted on those systems. While contractors are still accountable for meeting cybersecurity requirements, CMMC is now shifting the paradigm with a third-party assessment of their system to validate compliance with certain mandatory practices, procedures, and capabilities.



Cybersecurity Maturity Model Certification

Who Needs CMMC Compliance?

Anyone who wants to work on a DoD contract needs to have the appropriate Cybersecurity Maturity Model Certification (CMMC) required for the project. According to CSO, this includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors, and foreign suppliers.

Why is CMMC significant?

Well, according to the Congressional Research Service, the DoD spent 63% of the $507 billion federal government’s contractual obligations in the 2017 fiscal year. The DoD brings in a lot of contract work, so defense contracting can be lucrative for organizations to tap into.

The Office of the Under Secretary of Defense for Acquisition & Sustainment outlines some factors to consider that would require a certification:

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

If you are a subcontractor and your company does not solely produce COTS products, it will still need to obtain a CMMC certificate.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do NOT require a CMMC certification.

To stay current with CMMC compliance information, The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can keep up to date on the certification process.


Why CMMC Compliance?

Cyber threats are still real and only getting more sophisticated as technology advances. To mitigate risks as they relate to both the DoD and contractors, the NIST 800-171 was developed in 2003 to provide guidelines on cybersecurity standards. But, even with these standards in place, there was no vehicle to enforce them and ensure contractors were mature enough to protect the DoD’s CUI.

According to the DoD representative, Ellen Lord,


“The CMMC is the DoD’s metric to measure a company’s ability to secure its supply chain from cyber threats, protecting both the company and the department.”


CMMC is that vehicle for the DoD to ensure that NIST 800-171 standards are met. While Level 1 does not require any compliance with NIST 800-171, Levels 2-5 incorporate either some or all practices from NIST 800-171.




Cybersecurity Maturity Model Certification

The Interim Rule Requirements

In late September 2020, the DoD published the interim rule requiring DoD government contractors to possess at least a basic NIST SP-800-171 DoD Assessment. The assessment can be no more than three years old at the time of the award and is required by November 30th, which means companies need to:

  • Complete the DoD assessment through the DCMA.
  • Post their summary scores to the DoD.
  • Achieve and maintain CMMC compliance at the level specified in a solicitation at the time of award.


How to Prepare for CMMC Audits

Starting in Q3 of 2020, third-party auditors began applying for authorization to assess compliance with this new requirement. In Q2021 the DoD will be enforcing the CMMC requirement for all its contractors.

With the deadline quickly approaching, organizations are scrambling to get their CMMC certification to continue bidding on DoD contracts. One of the best ways to prepare for CMMC audits is to partner with a managed security service provider (MSSP).

MSSPs have experienced cybersecurity professionals who keep up with the threat landscape and are uniquely equipped to help organizations navigate new regulations.

The Five Levels of CMMC


Unlike the more familiar NIST 800-171 requirements, CMMC is broken down into five levels of certification that define an organization’s cyber hygiene (defined by Cambridge as ”the practice of protecting online computer information by using special software, choosing strong passwords, etc.”) The DoD’s chief information security officer for acquisition, Katie Arrington, explains,

“Something… simple in Level 1 would be, ‘Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords? CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information.”

Meanwhile, Level 5 requires much more stringent security measures found in additional frameworks including, but not limited to, NIST 800-53, CIS CSC 7.1, and NIST 800-171B. In each Request For Information (RFIs) and Request For Proposals (RFPs), the DoD will specify the CMMC level required for the job.



Level 1: Basic Cyber Hygiene

Consists of 17 practices and is equivalent to all practices in the Federal Acquisition Regulation (FAR) Clause 52.204-21.


Level 2: Intermediate Cyber Hygiene

Consists of 72 practices. Level 2 complies with the FAR Clause 52.204-21, includes a select subset of 48 practices from NIST SP 800-171, and 7 additional practices to support intermediate cyber hygiene.


Level 3: Good Cyber Hygiene

Consists of 130 practices. Level 3 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171, and 20 additional practices to support good cyber hygiene.


Level 4: Proactive

Consists of 156 total practices. Level 4 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 11 practices from Draft NIST SP 800-171B, and 15 additional practices to demonstrate proactive cybersecurity practices.


Level 5: Advanced/Progressive

Consists of 171 total practices. Level 5 complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 4 practices from Draft NIST SP 800- 171B, and 11 additional practices to demonstrate advanced cybersecurity practices.

How Conquest Helps to Achieve Over 80% CMMC Compliance


REQUEST A DEMO of Conquest’s proprietary cyber risk management software, ARMED™, to explore the software’s full capabilities. Conquest’s cybersecurity professionals will personalize the demo with your organization’s unique pain points.

STRATEGIZE WITH CONQUEST’S TEAM OF EXPERTS on closing gaps in your cyber risk management, allowing your organization to gain a competitive advantage and win high-revenue contracts.

IMPLEMENT ARMED™ in tandem with Conquest’s Managed Security Services support. ARMED™ can detect CMMC levels and combine with Conquest cyber experts to evaluate your cybersecurity maturity level and identify gaps to meet industry requirements.

COMPLETE A MAJORITY OF REQUIREMENTS for industry-specific compliance and leverage real-time data to manage and monitor security controls, events, and service levels.


Conquest’s proprietary cyber risk management software, ARMED ATK, allows organizations in highly regulated industries to effectively manage and monitor cybersecurity efforts in accordance with industry compliance requirements.

This enables security professionals to make data-backed decisions based on real-time visibility of security controls, events, and levels of service.

ARMED ATK enables radical operational transparency, providing mission-critical data that is centrally available and easily consumable for key stakeholders and technical teams alike.

Request an