Cybersecurity Maturity Model Certification (CMMC)

Version 1.02 published March 18, 2020

What do I need to know about the CMMC?

  • The government will determine the appropriate level of CMMC (i.e., not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.
  • Yes, all companies doing business with the Department of Defense will need to obtain a CMMC certification (even subcontractors).
  • The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.
  • Your certification level will be made public; however, details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
  • Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

Read More About the CMMC

Qualifying CMMC Auditors in the Age of COVID-19

Written by the President of CMMC Consulting LLC, this article proposes one way the CMMC AB could qualify enough CMMC auditors to meet the demand.


"The new reality created by COVID-19 has caused even the oldest institutions to reconsider how they currently conduct business, and the CMMC AB should similarly adjust. There is still time to make these changes, and the CMMC AB should strongly consider this alternate path to qualifying auditors. Creating a CMMC Auditor certification will create a larger auditor workforce in a shorter amount of time, and has the ability to ensure a more highly qualified auditor workforce than CMMC AB auditor training alone can provide."

What CMMC will mean for defense contractors

"She [Katie Arrington] also stressed that the new approach should allow contractors to command a higher price for their more-secure services. “Because we're saying security is an allowable cost and are you putting this in a context where I'm putting the CMMC as a technical requirement, I understand that there's an assumed cost to it,”


“I think that there's a lot of reciprocity to be had there because it's an investment that you've already made,” Arrington said during a panel discussion on advanced threat detection. “The challenge is when we get certified you have to ensure for the CMMC, those POAMs, those plans of action are closed so that we can validate.”

Will DOD's new cyber rules crush small business?

"Contractors will soon have to get cyber certified to do business with the Defense Department. But there's early concern that the Cybersecurity Maturity Model Certification framework would block DOD's efforts to leverage startups."

"Katie Arrington, DOD's chief information security officer for the Office of the Undersecretary of Defense for Acquisition and Sustainment, told reporters at the CMMC draft release Sept. 4 that it should only cost a few thousand dollars. Turner said that estimate was "utterly foolish" and that the new certification could "likely be an impediment" to small businesses and startups simply due to resource constraints."