The words "The CMMC Model: Who needs certified and how?" overlaid on a photo of the Pentagon.

Who Needs CMMC Certification? Secure Government Contracts With 5 Levels of Compliance8 Min Well Spent

Government contracts can be some of the most lucrative jobs a business can secure, but they are also subject to strict security guidelines. Due to increasing and evolving cyber-threats, compliance guidelines have only gotten stricter in recent years.

In 2020, the United States Department of Defense (DoD) began rolling out the Cybersecurity Maturity Model Certification (CMMC), with the intent of it being fully instituted by 2026.

The certification is an attempt to enforce the regulations set in place by the Defense Federal Acquisition Regulation System (DFARS).

Achieving full CMMC certification is a complex process that requires lengthy preparation to implement advanced cybersecurity measures. A company’s setup must go through a review from accreditation bodies to be able to bid on certain DoD contracts.

Because of the lengthy certification process, it is recommended businesses affected by CMMC begin preparation immediately.

Investing in your cybersecurity is always a good idea, and the investment to meet CMMC standards could easily be worth it. In this post, we will explain what CMMC is in detail, as well as how and when to get certified.

If your business needs extra help meeting and maintaining compliance standards for your industry, IT Support Guys can help. Call us today at (855) 4IT-GUYS, or schedule an appointment with our compliance specialists today.

Table of Contents
    Add a header to begin generating the table of contents
    What is CMMC?

    An aerial view of the Pentagon, where the United State Department of Defense operates, overseeing CMMC.

    CMMC is an expansion of the Defense Federal Acquisition Regulation Supplement (DFARS), as the DoD looks to limit the possibility of a cybersecurity breach along the more than 300,000 companies in its supply chain.

    DFARS was intended to “guarantee the integrity” of Controlled Unclassified Information (CUI), Federal Contract Information (FCI), or any other sensitive government data. 

    Its reliance on self-assessments by vendors proved ineffective, and CMMC institutes mandatory assessments to ensure that best practices are in place.

    The CMMC initiative was released on January 30, 2020, using input from university research centers and federally funded research. 171 best practices were deemed necessary for inclusion and are spread out over 5 certification levels.

    What is Controlled Unclassified Information (CUI)?

    A person looking at federal contract information (FCI) in a file folder.

    Controlled Unclassified Information is defined by the government as information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

    More plainly, CUI is information that has been deemed sensitive by legislation and must be protected by the agencies holding it. 

    Because agencies like the DoD must put measures in place to protect this data, so too must contractors and subcontractors.

    What is Federal Contract Information (FCI)?

    Two people viewing a contract before signing it.

    Federal Contract Information is information provided by or generated for the government under contract and is not intended for public release in a reasonable amount of time.

    Basically, any information supplied by the government to a contractor, or supplied to the government by a contractor currently under contract. 

    Any information held primarily by the government or researched and compiled under a government contract is FCI.

    Who needs CMMC certification?

    CMMC was officially rolled out on November 30, 2020, but is only being enforced on some new contracts. 

    The number of contracts that will require CMMC certification will increase over time, and the level of certification will be included in requests for proposals (RFPs).

    By 2026, any company entering a contract with the DoD must be CMMC certified on some level. DoD requests will be made requiring various levels of certification, with some requiring higher levels of certification and some lower.

    If a company does not handle any CUI, it must still be certified at Level 1.

    Any company that has an existing contract with the DoD must complete a self-assessment and submit it to the Supplier Performance Risk System.

    What are the 5 levels of CMMC certification?

    CMMC certification happens at 5 separate levels, and companies need to be certified at each level individually. 

    As mentioned above, contract opportunities will be listed with varying levels of certification necessary to be selected.

    A chart showing the CMMC model, with 5 levels of certification.

    1. “Performed” – basic cyber hygiene

    The first level of CMMC certification includes 17 basic and universally accepted best practices. 

    These standards are meant to create a foundation for the other four levels, and they should likely be implemented by mature businesses anyway.

    1. “Documented” – intermediate cyber hygiene

    Level 2 deals largely with the documentation of all practices that have been implemented. 

    It also adds multi-factor authentication for access to CUI data as one of the 55 additional practices added after level 1.

    Documenting processes enables organizations to repeat them easily, adding a level of process maturity.

    1. “Managed” – good cyber hygiene

    Level 3 adds 58 more cybersecurity practices, mostly focused on managing processes effectively. 

    This includes reviewing adherence to policies, as well as creating and maintaining a plan going forward.

    The planning process would include stating the missions and/or goals of a business’s approach to cybersecurity.

    A plan would also include establishing required training and delegating specific roles for the upkeep of cybersecurity processes.

    1. “Reviewed” – proactivity

    By level 4, organizations will have enhanced their threat detection and response, with the ability to adapt to the changing landscape of cyberattacks. Certified level 4 companies will be near the cutting edge of cybersecurity.

    These 26 additional practices will also add processes that measure the performance of what is already in place.

    It also enables organizations to take corrective action when an issue is flagged.

    1. “Optimizing” – advanced and progressive measures

    The final 15 best practices of CMMC put businesses at the forefront of detection and responding to cyberattacks at machine speed.

    At level 5, companies have standardized and optimized the implementation of all measures, company-wide.

    When must my business be CMMC certified?

    An accredited CMMC auditor certifying an assessment.

    Currently, select contracts issued by the DoD state a required CMMC certification level to apply, but not all contracts have a set requirement.

    By 2026, the DoD intends to issue all contracts with some level of required certification.

    How does my business earn a certification?

    A person holding a chart, about to perform a CMMC assessment.

    The certification process is expected to be lengthy, and the DoD recommends beginning planning for certification at least 6 months before your anticipated start date.

    While preparation will not take 6 months, this allows enough time for a certified assessment and the 90-day window to resolve any shortcomings that are found.

    It is best to over-prepare and have time before your start date than to scramble for compliance and lose a contract.

    Here are the recommended steps to earn certification:

    1. Identify the scope of your certification

    Businesses do not need to be certified in full, known as an enterprise certification. Single business units can be certified with a “program certification.”

    It is possible to have business units certified at different levels, too, though this might create unforeseen issues if departments cross over.

    1. Identify your desired maturity level

    As contracts are rolled out with varying levels of certification required, make sure to browse available opportunities to forecast possible types of contracts you may bid on in the future.

    Decide which aspects of your business require compliance, and which you would prefer were compliant as well. Then decide what level of certification makes sense for each business unit.

    Prepare for the level of compliance you expect to need over the next 3 years, as most certifications are given for 3 years.

    1. Align yourself to a framework

    When deciding how you want to prepare for your CMMC certification, it makes sense to align your buildout with one of the two major cybersecurity frameworks from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).

    ISO is the international standard for best practices with information security management systems, while NIST is a voluntary framework built by a non-regulatory government agency.

    ISO is recommended for more operationally mature companies who just need certification, while NIST is recommended for organizations who are just starting their cybersecurity build-out.

    You don’t have to choose between one or the other, as both frameworks will assist you on your way to full certification. Choosing one to align with will reduce inconsistencies on your way to compliance, however.

    1. Get a pre-assessment

    Getting a pre-assessment is not a requirement, but the option does exist. A pre-assessment allows you to better understand what you will encounter in a certified assessment.

    Organizations have two choices for a pre-assessment provider. A registered practitioner provider can guide you through the assessment a step at a time, or you can undergo a more standard pre-assessment through a certified third-party assessment organization (C3PAO).

    A pre-assessment is a great way to learn where your organization’s compliance is at that moment and can help reassess where you want to be by your assessment date.

    1. Fill any gaps

    If you chose to undergo a pre-assessment, now is the time to fill in any gaps that you found in your security. If you did not undergo a pre-assessment, make sure you do one last check before getting a certified assessment.

    1. Get a certified assessment

    If everything is in place, you are ready for your assessment. Businesses will choose a C3PAO from the CMMC Accreditation Board’s marketplace, and it will be up to the organization and C3PAO to coordinate an assessment.

    1. CMMC AB reviews submitted assessment

    Upon completion of the assessment, the C3PAO will create an assessment report to be submitted to the CMMC accreditation board. The assessment report will not be made public.

    1. 3-year certificate issued

    If no deficiencies were noted, the accreditation board will issue certification and submit it to the DoD. Generally, certifications are made for 3-year periods, though there are some exceptions.


    Cybersecurity is a crucial aspect of any business and bolstering your security further could put your business in exclusive company. 

    A CMMC certification will allow organizations to win lucrative government contracts, and with tightening restrictions, fewer businesses will be able to secure them.

    The journey to compliance is a long but worthwhile one. For those businesses needing certification to continue existing contracts, or those looking to win them in the future, instituting the correct practices may be difficult or confusing.

    IT Support Guys’ cybersecurity and compliance experts can be your guide toward the certification you need. If your business needs extra help meeting in reaching these goals, call us today at (855) 4IT-GUYS, or schedule an appointment with our compliance specialists today.