By Greg Kent

In response to rising levels of data theft from contractors in the Department of Defense (DoD) supply chain, the Pentagon has announced the development of a program: the Cybersecurity Maturity Model Certification (CMMC). The DoD is working with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to create a unified cybersecurity standard for all DoD contracts. The CMMC framework is expected to be released in January 2020.

The new certification builds upon the current cybersecurity standard, NIST SP 800-171, which falls under DFARS clause 252.204-7012. CMMC will rely on numerous frameworks, including NIST 800-171, ISO 2700, and FedRAMP. It identifies five levels of security certification for supply-chain contractors, ranging from “Basic Cyber Hygiene” to “State of the Art.” The required CMMC level for a contract will be published in RFP sections L & M. The CMMC levels are:

  • CMMC Level 1 – Basic Cyber Hygiene
  • CMMC Level 2 – Intermediate Cyber Hygiene
  • CMMC Level 3 – Good Cyber Hygiene
  • CMMC Level 4 – Proactive
  • CMMC Level 5 – Advanced/Progressive/State-of-the-Art

Many contractors have struggled to comply with NIST 800-171 self-certification under previous DFARS regulations and are now faced with even more stringent DoD scrutiny of their security controls. SecureIT has extensive compliance and audit experience to help you comply with CMMC. Our security experts provide guidance, training, and tools that support cost-effective compliance efforts to help DoD contractors maintain contracts and win new business. SecureIT provides practical CMMC compliance expertise targeted to the specific needs of small and mid-sized businesses.