How Department of Defense Contractors Can Prepare for the CyberSecurity Maturity Model Certification (CMMC)

Under every DoD contract, prime contractors and subcontractors alike are subject to the flow-down clauses of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). To continue improving cybersecurity and prevent the loss of intellectual property and other sensitive information, this government-led effort is intended to protect the U.S. Defense Supply Chain (DSC) from foreign and domestic cybersecurity threats and to reduce the overall security risk of the sector.

Since the adoption of DFARS 252.204-7012 in 2016, over 300,000 US DoD Contractors have been scrambling to understand and implement NIST SP 800-171 standards within their companies in order to be compliant with the regulation.  Some have had the internal resources to become compliant themselves, while others have outsourced the task to vendors, such as Vestige, who help DoD suppliers comply with their cybersecurity mandates – and yet, others have ignored or failed to implement such requirements.

Because of the slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC).

CMMC is designed to ensure that appropriate cybersecurity controls and processes are in place and adequate to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC outlines five maturity levels, ranging from Basic Cybersecurity Hygiene (Maturity Level 1) to Advanced Cybersecurity Practices (Maturity Level 5). Once implemented, adherence to CMMC reduces the risk of hostile agents breaching a supplier’s cybersecurity defenses.

Unlike the past approach (NIST 800-171), under which a supplier could “self-assess” conformance with the standard, CMMC requires that each supplier undergo a thorough, evidence-based, external audit performed by a Certified Third Party Assessor Organization (C3PAO).

Compliance is required in order to be awarded a DoD contract.  Depending on a supplier’s requirements and current state, the CMMC Accreditation Body (CMMC-AB) has advised that obtaining certification to the CMMC program will likely take a minimum of 6 months.  Vestige’s experience with similar frameworks (and our deep knowledge on both NIST 800-171 and CMMC) would indicate that organizations may need a minimum of 12 months.

If you currently have a lucrative DoD Contract that you want to maintain, passing the new CMMC is crucial. If you aren’t 100% certain you’ll pass — Vestige has a CMMC assessment preparation plan that is a perfect fit for you!


1. Pre-CMMC Cybersecurity Assessment

  • We assess your network to see if it matches up with the upcoming guidelines. We’ll come in, just as if we were running the audit, and look at Design, Execution, and Ability for the organization to collect and share the requisite evidence.
  • With the results from this, we’ll provide a complete Gap Analysis Roadmap showing where your organization currently stands in regard to passing the CMMC certification, current maturity level, and the path forward to obtaining the desired/required maturity level.

2. Remediation

  • In Phase 2, we take the roadmap from Phase 1 and help you implement those controls. We can be as involved, or as hands-off, as you prefer while the gaps are remediated. With our expert advice, we help your IT staff put the controls in place, together with all the supporting requirements for turnkey execution, so there will be no issues when a third-party assessor certifies you.

3. Coordination, Guidance & Advocacy during the formal CMMC Assessment

  • Vestige will work with you during the actual CMMC Assessment itself to make the process as smooth as possible. We act as an advocate, negotiator and liaison between your organization and your Certified Third Party Assessor Organization (C3PAO) – helping deliver success for your CMMC.

Webinar Presentation: CMMC – A Primer

Damon Hacker, Vestige President & CEO, provides this 2-hour PowerPoint Audio Webinar through PTAC that offers DoD Contractors a great overview of the new CMMC requirement – deep dive:

Damon Hacker, Vestige President & CEO, presented this 1-hour PowerPoint Audio Webinar to the SAME – Society of American Military Engineers:


Why Vestige?

In review, our services include:

  • Pre-CMMC Cybersecurity Assessment – Vestige critically assesses your environment exactly as a C3PAO would when assessing it for certification. You obtain a realistic understanding of your ability to pass the certification assessment, along with a roadmap of the changes that must be implemented in order to pass.
  • Remediation – We provide a roadmap, policies and turnkey implementation for you and your IT staff, so there will be no issues when the third-party assessor certifies you.
  • Expert Guidance – Our RPs (Registered Practitioners) offer expert guidance throughout the actual third-party CMMC Assessment to ensure the process is smooth and pain-free for you.

Take Proactive Steps Today

CONTACT VESTIGE today so that you are prepared for this update and can smoothly transition to this latest effort by the DoD to enhance the protection of Controlled Unclassified Information (CUI).  You can reach Vestige at 800-314-4357 or