Compliance Standards

The Cybersecurity Maturity Model Certification (CMMC certification) is designed to simplify compliance for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Department of Defense (DoD) supply chain. For a detailed explanation of what qualifies as CUI, refer to the Organization Index Grouping of Defense.

Currently, Draft v0.7 of the CMMC is available, with the final version (v1.0) expected in January 2020. Companies are encouraged to review v0.7 to begin preparing for the level of DoD CMMC certification required for project bids.

Draft v0.7 is accessible online in its entirety. Below is a concise summary of its contents, along with insights from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, as presented in her webinar “What Contractors Need to Know About DoD’s CMMC” (July 17, 2019). Note: You must be signed in to view the webinar.

During the webinar with the Professional Services Council, Katie Arrington highlighted that losses from inadequate cybersecurity controls leading to CUI breaches amount to over $600 billion annually. While achieving DoD CMMC certification may incur costs, the long-term savings outweigh these expenses. Additionally, the government considers CMMC certification costs as allowable expenses in its bidding process. The Request For Information (RFI) and Request For Proposal (RFP) Sections L and M outline the required level of CMMC certification, which can determine eligibility for project bids.

If your organization plans to work with the Department of Defense (DoD), understanding CMMC 2.0 requirements is the first step toward achieving compliance. These requirements are designed to protect sensitive federal information and are organized into three maturity levels, each with increasing cybersecurity expectations:

Level 1 – Foundational
Focuses on basic safeguarding practices to protect Federal Contract Information (FCI).

Level 2 – Advanced
Includes more detailed requirements aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

Level 3 – Expert
Represents the highest maturity level, emphasizing advanced cybersecurity practices and alignment with DoD’s most stringent security requirements. This beginner’s guide explains what each CMMC 2.0 level means and outlines how organizations can start preparing for compliance.

Companies seeking lucrative contracts with the US Department of Defense (DoD) need to keep their cyber defenses up to date. That’s why the final two CMMC Level requirements focus mainly on advanced persistent threat solutions, addressing the biggest and most complex threats to the Defense Industrial Base (DIB) sector. 

Most organizations fail CMMC compliance at Level 2 not because their security controls are weak, but because their documentation doesn’t clearly prove the controls exist, function correctly, or are consistently followed.
Many teams underestimate this critical detail.
Documentation isn’t just “paperwork” , for CMMC compliance, it is the audit itself. If you can’t show a repeatable process, policy, or record on demand, assessors will likely mark controls as Not Met.
In this article, we’ll explain why documentation is often the silent deal-breaker for CMMC Level 2 and share practical steps to fix it quickly.