OCTOBER IS CYBERSECURITY AWARENESS MONTH!  A month dedicated to working together to raise the importance of cybersecurity. 

Mandatory CMMC Certification For Defense Contractors – Part 2 of 2


Mandatory CMMC Certification For Defense Contractors – Part 2 of 2

Author photo
by Mary Brewer

What Does My Company Need to Do for CMMC and How Do We Achieve Compliance?  

Due to the serious nature of cybersecurity threats, the DoD is requiring mandatory certification for contractors in order to secure DoD contracts.

The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.  This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.  The CMMC requirements now require DoD Contractors to be certified through an approved Third Party Assessor.

CMMC Certification Requirements

 Minimum certification requirements are now included in select Requests for Proposals (RFP’s) and Requests for Information (RFI’s).

The DoD has indicated that a prime-level certification requirement may involve different certification levels across the supply chain, resulting in challenges for both prime contractors and subcontractors.

Elements of the CMMC Framework

The CMMC Framework builds on previously established standards, practices and frameworks. The content is organized into a set of domains and divided across five CMMC levels. Level 1 incorporates 17 practices, and each subsequent level requires additional practices. Achieving compliance with Level 5 involves the completion of 171 practices.

CMMC Framework Certification Levels:

CMMC Level           No. of Practices        Achievement          Maturity Level
at CMMC Level                                          Description

1 17 Basic safeguarding of FCI


2 55 Transition Step to Protect CUI


3 58 Protect CUI Managed
4 26 Increased Protection of CUI Reviewed
5 15 Reducing Risk of Advanced Persistent Threats (APT’s) Optimized
Total 171    


Each domain incorporates various capabilities examined in the certification process. The 171 practices are distributed within each of the 17 domains across the five CMMC levels, depending on the complexity of the domain and the number of practices assigned.

The 17 domains are listed below:

  1.  Access Control (AC)
  2. Asset Management (AM)
  3. Audit and Accountability (AA)
  4. Awareness and Training (AT)
  5. Configuration Management (CM)
  6. Identification and Authentication (IDA)
  7. Incident Response (IR)
  8. Maintenance (MA)
  9. Media Protection (MP)
  10. Personnel Security (PS)
  11. Physical Protection (PP)
  12. Recovery (RE)
  13. Risk Management (RM)
  14. Security Assessment (SAS)
  15. Situational Awareness (SA)
  16. System and Communications Protections (SCP)
  17. System and Information Integrity (SII)

Achieving CMMC Compliance

The CMMC assessments could have a significant impact on Contractors’ ability to meet minimum requirements.  A low rating could limit a Contractor’s ability to successfully compete for work.

CMMC level understanding is valuable to nongovernmental organizations.  The CMMC Framework consolidates best practices and guidance from several existing federal government cybersecurity standards.  IT leaders can assess the current maturity level of their cybersecurity activities through comparison with CMMC requirements.

Is My Company Required to Be CMMC Compliant?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), the company is required to be certified at CMMC Level 1.  Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

Who Can Access CMMC Certification Results?

CMMC Certification Results are not made public; the only information made available is the fact that the company has obtained a CMMC Certification.  The DoD will have access to all DIB Companies’ certification results.

CMMC Certification is Mandatory for DOD Contractors and Subcontractors

Companies should locate a Third-Party Contract Assessor, certified by the DoD, to audit CMMC Compliance. Vestige Digital Investigations is currently working with companies, helping them obtain CMMC Certification with a Pre-Certification Assessment.  Begin our THREE-PHASE CMMC PREPARATION PROCESS … and CONTACT US today.


Vestige Views Blog – Part 1 of 2


By Mary Brewer, MBA, BS, AAS