• Home
  • About
  • BASTION
  • CMMC Level 2.0

CMMC Certification Information

Phased Implementation of CMMC Requirements Has Begun!

CMMC Phase 1 Implementation (Nov 10, 2025 – Nov 9, 2026) to focus primarily on CMMC Level 1 and Level 2 self-assessments.


https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/#accordion-0-toggle-7

CMMC Facts

Cybersecurity Maturity Model Certification (CMMC) is a framework residing within IT security. It was developed in cooperation with Carnegie Mellon University, Johns Hopkins University, the Defense Industrial Base (DIB), and the US Department of Defense (DoD). CMMC initially launched as version 1.0 and has recently been replaced by what is expected to be the final version (2.0).

Three Different CMMC Levels

Within CMMC, three different compliance levels exist.

  • Level 1, which is basic cyber-hygiene.
  • Level 2, which requires a formalized security setup, tied together with supporting security plans.
  • Level 3, which requires an advanced infrastructure, along with 24/7 monitoring.

A Requirement of Eligibility For Future Contracts

Companies seeking eligibility for future DoD tenders will be met with a requirement of being CMMC Level 2.0 compliant. This applies not only to Primes but also to all subcontractors down the supply chain (flow down). Existing subcontractors, if not already required to be compliant with NIST 800-171, will be met with the same requirements on contract extensions.

Cybersecurity Score Registration (SPRS)

The final step of the implementation of CMMC is calculating the score of the implemented security elements. This score is to be registered with the Supplier Performance Risk System (SPRS) and is a requirement. DoD has access to all companies registering their score and is expected to use this when evaluating tenders.


https://www.sprs.csd.disa.mil/

Contracts Define The Required CMMC Level Of Compliance

The DOW defines the required CMMC level on each specific tender in order to be contract eligible. Contracts where CUI (Controlled Unclassified Information) is being processed will at minimum require Level 2, whereas contracts without CUI may only be required to be at Level 1. It is worth noting that communicating FCI (Federal Contract Information) requires a Level 1 certification. Companies only dealing with COTS (Commercial-Off-The-Shelf) are not expected to be CMMC compliant.

CMMC Compliance Is Time Intensive

CMMC 2.0 is based on the NIST 800-171 framework, which originates from the protection of CUI (Controlled Unclassified Information). Companies already compliant with NIST 800-171 (DFARS 252.204-7012, 7019 & 7020) will be on a fast track to CMMC certification. With all 110/110 elements implemented, the final path to CMMC certification is estimated to be 3-6 months. If no elements or experience with NIST 800-171 exist, implementation will take up to a year in order to be Level 2 compliant.

Helpful Links & Resources

  • Cybersecurity and Infrastructure Security Agency – Stop Ransomware: The U.S. Government's official one-stop location for resources to tackle ransomware more effectively.
  • DoD Procurement Toolbox: A collection of tools and services to help you and your organization manage, enable, and share procurement information across the Department of Defense.
  • NIST – Small Business Cybersecurity Corner: NIST’s Small Business Cybersecurity Corner is your go-to source for learning how to keep your data safe. You’ll find information on cybersecurity basics, training for you and your employees, a NIST Cybersecurity Framework quick start guide and more, all specifically geared toward small businesses. It also has up-to-date guidance for teleworking security, as that becomes a more common practice in small businesses everywhere.
  • U.S. Small Business Administration – Strengthen Your Cybersecurity: SBA resource that provides an introduction to cybersecurity for small business.

 

Benchmarks, Policies, and Guides (https://www.cisecurity.org/cis-benchmarks)

  • Center for Internet Security – Benchmarks: The CIS Benchmarks are prescriptive configuration recommendations for 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently.
  • Center for Internet Security – Critical Security Controls: CIS Controls v8.1 help you keep on top of your evolving workplace, the technology you need to support it, and the threats confronting those systems. It places specific emphasis on moving to a hybrid or fully cloud environment and managing security across your supply chain.
  • Center for Internet Security – Hardened Images: CIS Hardened Images are virtual machine (VM) images that are pre-configured to meet the robust security recommendations of the associated CIS Benchmark. They provide users with a secure, on-demand, and scalable computing environment. CIS Hardened Images are available on major cloud service provider marketplaces.
  • Center for Internet Security – Telework and Small Office Network Security Guide: This guide is meant to assist individuals and organizations in securing commodity routers, modems, and other network devices. Securing these devices is important as there are serious cybersecurity considerations surrounding the usage of network devices.
  • Cybersecurity Hub White Papers: Cyber Security Hub provides enterprise security professionals with the most comprehensive selection of cyber security whitepapers from our own network or cyber security experts. All Cyber Security Hub members can research and be informed on a variety of topics through our collection of whitepapers.
  • DISA – Security Technical Implementation Guide (STIG): This site contains the Security Technical Implementation Guides and Security Requirements Guides for the Department of Defense (DOD) information technology systems as mandated by DODI 8500.01. This guidance bridges the gap between the National Institute of Standards and Technology Special Publication 800-53 and risk management framework (RMF).
  • DISA – Security Technical Implementation Guide (STIG): Document Library: Direct link to the STIGs document library.
  • Global Cyber Alliance – Cybersecurity Toolkit: This website provides free and effective tools you can use today to take immediate action to reduce risk for your business.
  • SANS – Security Policy Templates: In partnership, the Cybersecurity Risk Foundation (CRF) and SANS have created a library of free cybersecurity policy templates to help organizations quickly define, document, and deploy key cybersecurity policies.


Training

  • DoD Cyber Exchange Training: Collection of cyber training courses and training aids provided by the DoD Cyber Exchange. It provides an overview of cybersecurity threats and best practices to keep information and information systems secure. 
  • KnowBe4 – Security and Awareness Training: KnowBe4 is a large security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.
  • U.S. Department of Health & Human Services Security Awareness and Training: This resource provides general awareness and role-based information security training documents.

Got Questions? We Have Answers!

Black Gate Networks, LLC

info@blackgatenetworks.com support@blackgatenetworks.com Falcon, MO USA

Hours

Open today

09:00 am – 04:00 pm


Copyright © 2025 Black Gate Networks, LLC - All Rights Reserved.
