Military Trade

CMMC Certification Guide for Defense Contractors: Requirements and Compliance

The Cybersecurity Maturity Model Certification is now mandatory for defense contractors. Understanding CMMC requirements ensures you can bid on and maintain DoD contracts.

Understanding CMMC Levels

CMMC has three assessment levels addressing different security requirements. Level 1 covers basic cyber hygiene for Federal Contract Information. Level 2 addresses Controlled Unclassified Information protection. Level 3 provides enhanced security for critical programs against Advanced Persistent Threats.

Level 1 Requirements

Basic cybersecurity practices protect Federal Contract Information. Self-assessment is permitted at this level. Implementation focuses on fundamental security controls and access management. This level serves as the foundation for higher certifications.

Level 2 Certification Process

Third-party assessment organizations conduct Level 2 certifications. NIST SP 800-171 compliance is mandatory. Organizations must demonstrate systematic implementation of 110 security controls. Plans of Action and Milestones are allowed but must be remediated within 180 days.

Level 3 Government Assessment

DoD officials conduct Level 3 assessments for the highest-priority programs. NIST SP 800-172 controls must be implemented. This level protects breakthrough technology and significant CUI aggregations. Level 2 certification is a prerequisite for Level 3 assessment.

Implementation Timeline

Phase 1 begins November 2025 with Level 1 requirements. Level 2 certifications start one year after DFARS rule publication. Level 3 requirements follow two years after. Full implementation across all applicable contracts occurs in Phase 4.

Preparing for Certification

Assess your current cybersecurity posture against CMMC requirements. Identify gaps and develop comprehensive remediation plans. Engage C3PAO assessors early in preparation. Document all security controls, procedures, and evidence thoroughly.
