CMMC

The Cybersecurity Maturity Model Certification (CMMC certification) is designed to simplify compliance for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Department of Defense (DoD) supply chain. For a detailed explanation of what qualifies as CUI, refer to the Organization Index Grouping of Defense.

Currently, Draft v0.7 of the CMMC is available, with the final version (v1.0) expected in January 2020. Companies are encouraged to review v0.7 to begin preparing for the level of DoD CMMC certification required for project bids.

Draft v0.7 is accessible online in its entirety. Below is a concise summary of its contents, along with insights from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, as presented in her webinar “What Contractors Need to Know About DoD’s CMMC” (July 17, 2019). Note: You must be signed in to view the webinar.

During the webinar with the Professional Services Council, Katie Arrington highlighted that losses from inadequate cybersecurity controls leading to CUI breaches amount to over $600 billion annually. While achieving DoD CMMC certification may incur costs, the long-term savings outweigh these expenses. Additionally, the government considers CMMC certification costs as allowable expenses in its bidding process. The Request For Information (RFI) and Request For Proposal (RFP) Sections L and M outline the required level of CMMC certification, which can determine eligibility for project bids.

If your organization plans to work with the Department of Defense (DoD), understanding CMMC 2.0 requirements is the first step toward achieving compliance. These requirements are designed to protect sensitive federal information and are organized into three maturity levels, each with increasing cybersecurity expectations:

Level 1 – Foundational
Focuses on basic safeguarding practices to protect Federal Contract Information (FCI).

Level 2 – Advanced
Includes more detailed requirements aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

Level 3 – Expert
Represents the highest maturity level, emphasizing advanced cybersecurity practices and alignment with DoD’s most stringent security requirements. This beginner’s guide explains what each CMMC 2.0 level means and outlines how organizations can start preparing for compliance.

Companies seeking lucrative contracts with the US Department of Defense (DoD) need to keep their cyber defenses up to date. That’s why the final two CMMC Level requirements focus mainly on advanced persistent threat solutions, addressing the biggest and most complex threats to the Defense Industrial Base (DIB) sector. 

Most organizations fail CMMC compliance at Level 2 not because their security controls are weak, but because their documentation doesn’t clearly prove the controls exist, function correctly, or are consistently followed.
Many teams underestimate this critical detail.
Documentation isn’t just “paperwork” , for CMMC compliance, it is the audit itself. If you can’t show a repeatable process, policy, or record on demand, assessors will likely mark controls as Not Met.
In this article, we’ll explain why documentation is often the silent deal-breaker for CMMC Level 2 and share practical steps to fix it quickly.

The U.S. military and its extensive network of contractors make up one of the most critical infrastructures in the country. Any threat to Department of Defense (DoD) information, systems, or resources can put national security at risk, both at home and abroad.

To reduce these risks, the DoD requires strict security standards across its workforce and contractor base. DoD information assurance awareness training is a foundational requirement designed to ensure personnel understand how to protect sensitive DoD information from cyber threats, misuse, and human error. This article explains what the training involves, who must complete it, and why it matters.

For Department of Defense (DoD) entities and contractors, annual information awareness training plays a critical role in protecting sensitive data and reducing cybersecurity risks across critical infrastructure. As cyber threats continue to evolve, untrained personnel remain one of the most common causes of security incidents.

Failing to address risks to sensitive information, especially within systems supporting national defense—can lead to data breaches, operational disruptions, and serious national security consequences. Awareness training helps ensure employees understand their security responsibilities, recognize threats, and respond appropriately. Read on to learn why annual training is essential and how it supports DoD compliance requirements.

While tragedies in the aerospace industry are rare, they pose a significant risk to national security. To address these threats, the industry has implemented rigorous cybersecurity standards designed specifically for aerospace systems.
One of the most recognized of these is the Aerospace Cybersecurity Standard, formally known as NAS 9933. Understanding this standard is essential for aerospace organizations, contractors, and suppliers, as it guides how sensitive data and critical systems are protected.

CMMC compliance is becoming a contract requirement for Department of Defense (DoD) contractors—and the timeline is approaching faster than many organizations expect. While most DoD contracts today still require compliance with DFARS 252.204-7012 and NIST SP 800-171, upcoming awards may require formal certification under the Cybersecurity Maturity Model Certification (CMMC) framework.

With the phased CMMC implementation beginning November 10, 2025, certification requirements will be introduced through contract clauses rather than blanket enforcement. As a result, small and mid-sized defense contractors must begin planning for CMMC compliance now to avoid delays, lost opportunities, or disqualification once certification becomes a condition of award.

Sensitive data and information correlated to the U.S. Department of Defense (DoD) actions are hacked and compromised on a continuous basis and it is a problem for every DoD contractor. The U.S.federal government has put in place a severe and critical update to its cybersecurity model. The latest Cybersecurity Maturity Model Certification (CMMC) puts a huge and necessary focus on data within DoD contractors, subcontractors and supply chain organizations’ networks.

New as of January 31st is the Cybersecurity Maturity Model Certification (CMMC), which greatly impacts the Department of Defense (DoD). The CMMC changes how the DoD looks at cybersecurity and its goal is to better the National Institute of Standards and Technology (NIST) and the Defense Federal Acquisition Regulation Supplement (DFARS) by regulating that every contractor (DoD included) must be audited and then certified by a third-party auditor (3PAO).

The CMMC consists of five different levels that will analyze cybersecurity controls and make sure that they are in line with all required policies to obtain each level of CMMC compliance. The CMMC will essentially determine if one can bid on a DoD contract or not. Each government contractor will not be considered eligible unless they meet the applicable cybersecurity level.

Becoming compliant with the CMMC is a stipulation of the DoD contractors and it is paramount to understand the framework behind CMMC and the effects it will have on your company. All companies that do and conduct business with the DoD must be certified. Let’s take a closer look at CMMC to gain a better understanding.

New changes have been introduced to the cybersecurity requirements DoD contractors must meet for compliance. The first version of the CMMC (Cybersecurity Maturity Model Certification) was released in January 2020, and now all contractors must achieve DoD certification before bidding on government projects.

These requirements can be confusing. CMMC certification is tier-based, meaning contractors must obtain the appropriate level based on the type of Controlled Unclassified Information (CUI) they handle. The DoD determines which level applies to each contractor.

Understanding the required DoD certification level is the first step. Once you know your level, you can take the necessary steps to meet compliance requirements and maintain eligibility for DoD contracts.

In this guide, we’ll walk you through the process for CMMC DoD certification and explain why staying compliant is critical for contractors working with the Department of Defense.