Topics in This Guide

The US Department of Defense is rolling out the compliance requirement Cybersecurity Maturity Model Certification (CMMC). This requirement impacts DoD contractors and subcontractors (who may be working for prime contractors or other subcontractors).

The CMMC requirement will take effect for all federal contracts starting in 2026. Prior to that, CMMC will be included in some contracts.

What is CMMC compliance?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). Defense contractors and subcontractors can meet CMMC compliance requirements through a CMMC assessment performed by a CMMC Third Party Assessment Organization (C3PAO). DoD contracts specify to which CMMC level (Level 1–5) a company must comply.

How to Become CMMC Compliant

The only way for companies working in the federal supply chain to achieve CMMC compliance is by successfully passing a CMMC assessment.

CMMC assessments can only be performed by Certified 3rd Party Assessor Organizations (C3PAO). C3PAOs are authorized by the CMMC Accreditation Body (CMMC-AB) to perform assessments.

Get a Quote for CMMC Consulting

Submit this form to prepare for a CMMC assessment.

How to Pass a CMMC Assessment

The process for how you can achieve CMMC compliance is as follows:

  1. Prepare for your CMMC audit.
  2. Visit the CMMC-AB Marketplace to research potential C3PAOs. Only authorized C3PAOs listed on the CMMC-AB Marketplace are authorized by the CMMC-AB to perform assessments.
  3. Hire a C3PAO to perform a CMMC assessment for you.
  4. The C3PAO will create an assessment report and if there are no deficiencies, issue a CMMC certificate.
  5. The C3PAO will submit a copy of the assessment report and CMMC certificate to the DoD, valid for 3 years. This final step completes the requirement for CMMC compliance.

Note that the CMMC-AB does not perform the assessments (excluding the pilot programs). Instead, third parties are certified by the CMMC-AB to perform assessments.


Who needs to comply with CMMC?

Contractors working in the federal supply chain under a contract that includes the CMMC requirement need to be CMMC compliant. In Requests for Information (RFI) and Requests for Proposals (RFP), the DoD will specify the required CMMC level to which you need to meet. The requirement for CMMC compliance flows down from prime contractors to subcontractors.

Roles Introduced by the CMMC-AB

The CMMC-AB has introduced several roles in support of the CMMC framework.

  • Certified 3rd Party Assessor Organization (C3PAO) – Companies that are certified by the CMMC-AB to perform CMMC assessments. These are the only companies authorized to perform assessments.
  • Certified Assessor (CA) – People working for a C3PAO performing CMMC assessments.
  • Certified Professional (CP) – People working for a C3PAO who can participate in a CMMC assessment led by a CA.
  • Licensed Training Provider (LTP) – Companies that train assessors to perform CMMC assessments. Certified assessors can only be trained by LTPs.
  • Licensed Partner Publisher (LPP) – Companies that create the training materials for LTPs.
  • Registered Provider Organization (RPO) – Companies that have registered with the CMMC-AB to provide consulting advice and CMMC readiness services to Organizations Seeking Compliance (OSC).
  • Registered Practitioner (RP) – People working for an RPO who have registered with the CMMC-AB.

C3PAOs, LTPs, and LPPs are licensed by the CMMC-AB.

CAs and CPs are certified by the CMMC-AB and must pass exams given by LTPs.

RPOs and RPs are registered with the CMMC-AB.

Companies and people with each of these roles are listed in the CMMC-AB Marketplace. If they are not listed there, they are not certified by or registered with the CMMC-AB.

Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO, but has not yet completed the process. 

Pilot Programs

The CMMC-AB is implementing the CMMC accreditation ecosystem in stages. Provisional instructors have been trained to perform CMMC assessments as part of pilot programs.

Once the pilot programs are complete, the CMMC-AB will be able to finalize training programs and certification exams. From that point on, training will be done by LTPs only and not the CMMC-AB.

The CMMC-AB expects the CMMC training and certification framework to be fully implemented near the end of 2021.

5 Levels of CMMC

The CMMC framework contains 5 certification levels ranging from basic cyber hygiene to reducing the risk from Advanced Persistent Threats (APT). Across the 5 maturity levels are 5 maturity processes and a total of 171 cybersecurity best practices.


5 levels of CMMC


Most OSCs will only need to be certified to Level 1, 2, or 3. Very few companies will need to meet the compliance requirements for Levels 4 or 5. The CMMC-AB expects that 60% of the assessments performed will be for Level 1.

Prior to a CMMC assessment, you will first want to determine the level to which your company should be certified.

If there are future contracts for which you plan to bid, you will want to be certified to the level required by the contract, RFI, or RFP.

Otherwise, you should base your decision on internal business goals.

CMMC Requirements

The CMMC requirements for each of the five levels of CMMC are as follows.

LEVEL 1 — Safeguard Federal Contract Information (FCI)

Level 1 Practices

  • Firewall with monitoring
  • Segment and control public facing connections
  • Anti-virus
  • Device inventory
  • Software inventory
  • User and access management
  • Log and escort visitors
  • Badges and keys
  • Data disposal
  • Update systems

Level 1 Supporting Documentation

  • Acceptable Use Policy
  • Access Control Policy
  • Physical Security Policy
  • Asset Management Policy

Level 2 – Serve as transition step in cybersecurity maturity progression to protect CUI

Level 2 Practices

  • CMMC Level 1 completion
  • System event logging/retention
  • Awareness and role training
  • Hardware/software inventory
  • Secure baselines
  • Multi-factor authentication (MFA) for remote access
  • Conduct, test, and encrypt backups
  • Vulnerability scanning and remediation
  • Identify unauthorized use
  • Incident response procedures
  • more...

Level 2 Supporting Documentation

  • Vulnerability Management Policy
  • Data Transfer Policy
  • Incident Response Policy
  • Password Policy
  • Secure Baseline Procedures
  • Change Management Procedure
  • Teleworker Policy
  • Data Classification Policy
  • Information Security Policy

Level 3 – Protect CUI

Level 3 Practices

  • CMMC Level 2 completion
  • 800-171 controls
  • No POA&M items
  • Offsite backups
  • Centralized logging
  • Risk assessments
  • Continuous monitoring
  • DNS filtering
  • more...

Level 3 Supporting Documentation

  • Social Media Policy
  • CUI Handling Procedure
  • Information Security Plan

Level 4 – Protect CUI and reduce risk of Advanced Persistent Threats (APT)

Level 4 Processes: Reviewed

Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.

Level 4 Practices: Proactive

Practices protection of CUI from APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.

Level 5 – Protect CUI and reduce risk of APTs

Level 5 Processes: Optimizing

Requires an organization to take corrective action towards improving process implementation across the organization.

Level 5 Practices: Advanced/Proactive

Increases the depth and sophistication of cybersecurity capabilities.

CMMC Capability Domains

Each of the 17 domains across CMMC consists of a set of processes and capabilities across the 5 levels.

1. Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

2. Asset Management (AM)

  • Identify and document assets
  • Manage asset inventory

3. Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

4. Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

5. Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

6. Identification and Authentication (IA)

  • Grant access to authenticated entities

7. Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post incident reviews
  • Test incident response

8. Maintenance (MA)

  • Manage maintenance

9. Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

10. Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

11. Physical Protection (PE)

  • Limit physical access

12. Recovery (RE)

  • Manage backups
  • Manage information security continuity

13. Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk
  • Manage supply chain risk

14. Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

15. Situational Awareness (SA)

  • Implement threat monitoring

16. Systems and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

17. System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections


Assessments for the Different Levels of CMMC

On the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment, OUSD(A&S), you can find the following helpful materials, which will guide you in developing good cyber hygiene.

C3PAOs must be certified at Level 3 at a minimum before they can conduct any assessments themselves.

CAs and CPs will be authorized to perform assessments up to a certain maturity level (ML).

  • ML1 can only perform Level 1 assessments
  • ML3 can only perform Level 1, Level 2, or Level 3 assessments
  • ML5 can perform assessments for any level of CMMC

Overlap of CMMC and NIST 800-171

Prior to 2026 (at which time the CMMC requirement will be in place for all federal contracts), it is possible that you could be working under the CMMC requirement for some contracts and the NIST 800-171 mandate for others. That is, there may be a period where you need to meet both cybersecurity standards.

The good news is that there are similarities between the NIST compliance requirements and CMMC cybersecurity requirements, especially at the first three levels of CMMC.

NIST 800-171 is the foundation for CMMC. CMMC Levels 1–3 encompass the 110 security requirements specified in NIST 800-171.


With CMMC, there is no option for self-attestation. You must hire a C3PAO to perform a CMMC assessment of your company.

CMMC Compliance Costs

The cost for a CMMC assessment will depend upon several factors including to which level the certification is needed and complexity of your IT infrastructure.

The DoD has provided estimated assessment costs, as part of the Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.

CMMC Compliance Deadlines

Unlike NIST 800-171, there is no deadline for when you need to be CMMC compliant. Instead, you will need to meet CMMC compliance when you want to work under a federal contract that requires it.

For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the appropriate CMMC level at the time of contract award.

What to Do Before a CMMC Assessment

There are several things you can do to prepare for a CMMC assessment.

Isolate CUI

CMMC is all about the protection of Controlled Unclassified Information (CUI).

The first step you should take on the path to CMMC compliance is to determine where you have CUI. If a prime contractor or other subcontractor is sending you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.

The less CUI you have, the easier it will be to protect it.

Use Proper Encryption

For an IT system to be CMMC compliant, it must use FIPS validated cryptography to protect data at rest and in transit. A platform that uses FIPS validated cryptography has been submitted to the National Institute of Standards and Technology (NIST) for validation and certification. NIST maintains a list of FIPS validated cryptographic platforms.

Manage CUI with Defined Policies and Procedures

When protecting CUI, using the correct processes is as important as the correct technology. You should take a lifecycle approach to security where you define your policies and specify approved procedures to manage CUI within a platform. Moving forward, you need to make sure you are monitoring and validating the systems, then periodically perform a management review.

Avoid the Shopping Cart Approach

Don't rush to purchase a compliance tool that purports to make it easy to achieve CMMC compliance. The best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.

Just like buying a vacuum cleaner doesn't guarantee you will have a clean floor, buying a compliance tool doesn't guarantee you will pass a future audit.

Before purchasing any type of self-analysis tool intended to identify gaps where it is expected you will fall short during a future CMMC assessment, make sure you have the correct expertise in-house to use the tool. We frequently hear feedback from companies that were unable to make use of tools they purchased. Avoid wasting time and money on tools that don't get you much closer to passing a CMMC audit.

Identify Gaps

Once you have determined the CMMC level to which you need to certify, you can meet internally to identify gaps in your processes and systems that you know need to be corrected. Corserva can help you identify these gaps.

Helpful CMMC Compliance Resources

Corserva CMMC Consulting Services

RPOCorserva offers:

  • Pre-assessment readiness services
  • Technical remediation to correct gaps in compliance
  • Customized cybersecurity programs

Corserva can prepare you for a CMMC assessment by a C3PAO.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other OSCs.

Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts.

To prepare you for your CMMC audit, these are the steps we follow:

  1. Identify the relevant requirements of CMMC you will need to meet.
  2. Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
  3. Create a list of remediation steps to be taken prior to your certification assessment being performed by a C3PAO.

The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote for CMMC consulting services.


Ready to get started?

Submit this form to get a quote for a NIST assessment or CMMC consulting services.