Quick Summary to Better Understand CMMC

What is CMMC?

In a nutshell, it is a way to understand how mature a company is with their security practices and to set standards for companies who work with the Department of Defense (DoD) to protect controlled unclassified information (CUI) and ultimately reduce the likelihood of a breach caused by those businesses. CMMC is currently in a draft version.

The U.S. DoD is working with the Defense Industrial Base (DIB) sector to enhance the protection of sensitive data – particularly Federal Contract Information (FCI) and CUI within the supply chain.  The theft of hundreds of billions of dollars of intellectual property (IP) by malicious cyber activity threatens the U.S. economy and national security.  These threats are estimated to cost the U.S. between $57 B and $109 Billion in 2016, and threats are only rising.   The theft of IP is attributed to poor cybersecurity maturity and ineffective implementation of controls.

These guidelines combine various cybersecurity control standards (NIST, ISO, AIA and others) into one unified standard, but unlike NIST SP 800-171, the CMMC will implement five (5) levels and take into consideration to what extent your company practices the standards.

How will CMMC impact your business?

Starting June 2020, whether you are the contracting business or a subcontractor, you MUST obtain your Certification if you want to do business with the DoD.  There are 5 levels of maturity, but not every type of contract requires the highest level.  The level required will depend on the amount of CUI your company handles, even if you think it none.  The required CMMC level will be contained in the L&M section of the Request for Proposals (RFP) making cybersecurity an “allowable” cost in the DoD contacts.

This will be implemented initially with only DoD contracts, but don’t be surprised to see it applied to other government entities.


Request a Security Compliance Consult


  • This field is for validation purposes and should be left unchanged.

How will your business become certified?

You will determine what level of certification you need to fulfill the requirement and work directly with an accredited and independent third party to schedule your assessment.  There is no option for self-assessment. Most organizations will need to work with a company like The AME Group, who is familiar with data security and compliance to prepare for the certification assessment.  Your level of certification is made public, but details of findings are not.  The duration of the certification and the cost has yet to be determined.  The cost will most likely scale with the level requested and is considered an allowable, reimbursable cost and will not be prohibitive.

How should you prepare?

Start with a Security Risk Assessment by a company who knows compliance and security standards. This will give you the knowledge to make the best decisions, prioritize needs, and create your Security Plan.

Mitigate security risks found in the SRA based on priority.

Train your staff.


CMMC Levels


Best Practice at the Highest Level. There are 17 Domains, which originate from the Federal Information Processing Standards (FIPS) areas and the NIST SP 800-171 control families.


Each DOMAIN is further segmented by a set of capabilities, which are achievements to ensure cybersecurity objectives are met within each domain.

Practices and Processes

Practices measure the technical activities required to achieve compliance and Processes will measure the maturity of a company’s processes. These are mapped to the 5 maturity levels.


To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.

CMMC Levels

CMMC Capabilities

View Full Document Here – https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf