Cybersecurity Maturity Model Certification

What is CMMC?

The Cybersecurity Maturity Model Certification is the government’s way of keeping tabs on the security of its potential defense vendors. It provides a mechanism for the DOD to ensure their vendors are ready to work with the department. It focuses on certifying the “maturity” and “capability” of each DOD vendor’s security processes, practices, and methods. It also helps set goals and priorities for them to make improvements. The DOD will add CMMC levels to each RFP, meaning vendors who don’t possess mature enough processes may not even be allowed to submit for that proposal.

How Does C’S|3 Approach CMMC Engagements?

The CMMC is based off of industry standards that we already use in our unique risk assessment scoring methodology. Overlaying your risk assessment results to the five CMMC levels, your organization will quickly be able to see where it stands in each of the levels. Knowing what level you want or need to be at and how you scored there, we’ll look to see where the gaps in compliance are- and then provide you with a roadmap and dedicated security resource to make sure you get to that point by the time the requirements take effect.

Start A Conversation

CMMC Levels

The most basic level of the CMMC, level one focuses on keeping Federal Contract Information (FCI) protected. Effectively, if you provide a good or service to the US Government, they may ask that you safeguard the contract information so that it stays confidential.

A step up from the basic safeguarding of contractual information, level two focuses on the documentation of policies and practices. It�s expected that level two contractors have a documented process for safeguarding information and that they practice those processes repeatedly.

Controlled Unclassified Information (CUI) is the emphasis for level three contractors. They�ll be expected to be able to develop and maintain a plan to mitigate threats that includes things like goals, project plans, resources, training, and more.

Level four is meant for measuring the effectiveness of the plan from level three. Level four contractors will review their security practices and find gaps they can improve or correct�increasing the protection of CUI and start reducing the risk of Advanced Persistent Threats (APTs).

Once the plan is in place and practiced, it�s reviewed, and the inefficiencies in the plan are identified, level five is the next step. Contractors in level five are expected to standardize and implement their plan and practices across the whole organization to further minimize APTs.


The CMMC was created by the US Department of Defense as a way to have more control over their vendor and contractor security.

The DOD is going to create 10 RFPs with CMMC requirements in June of 2020 and then will slowly roll them out to all RFPs by the year 2026.

If you�re a part of the DOD�s supply chain or if you�re a service provider for the DOD, this will need to be something you comply with. Every contract the DOD enters will eventually have CMMC requirements. It�s anticipated that 350,000 vendors down the supply chain of the DOD will be impacted by this.

There are 173 controls that will be assessed in CMMC Level Five and it contains all of the controls for levels one through four as well. The best way to ensure compliance with the CMMC model is figure out which level your contract is likely to require, conduct an information security risk assessment that maps to the standards/controls, and then work on remediating the control gaps.

CMMC Services


Risk assessments are the driving force behind all good information security programs. A C’S|3 risk assessment measures the administrative, physical, internal technical, and external technical components of your security program and maps those controls to CMMC standards. The result is a comprehensive risk score with remediation recommendations to improve your weakest areas.


Gap assessments are conducted with regulatory requirements in mind. We’ll take a look at where your security program is relative to the CMMC requirements, and then provide you with the appropriate adjustments needed for you to become compliant.


A security expert in your back pocket, virtual CISO (vCISO) engagements provide a dedicated security resource to your business to help grow its security program. A C’S|3 vCISO will conduct a risk assessment and develop policies, processes, and procedures to hit your security, compliance, and business goals.


A C’S|3 roadmap is a detailed plan to help your organization get from point A to point B. Each roadmap is based on the results of your risk and gap assessments and takes your business and security team’s goals and objectives into account. The result is a documented and provable process for improving your weakest security areas.