The Facts about Cybersecurity Maturity Model Certification

Heard of Cybersecurity Maturity Model Certification (CMMC), but not sure if it applies to you or what is required?

Article By: Molly Shepard, Sec+ and Tim Schwamb, CISSP

The Cybersecurity Maturity Model Certification aims to significantly enhance the cybersecurity and resiliency of the Department of Defense's contractor network by creating a single cybersecurity standard for companies to meet. It ensures an appropriate level of cyber hygiene, resilience against threat actors, and resistance to information exfiltration for a given contract.

What is CMMC?

CMMC is the Department of Defense's (DoD) new Cybersecurity Maturity Model Certification.

Why is the DOD doing this?

DoD is implementing the new CMMC framework to assess and enhance the cybersecurity posture of DoD contractors. Their intent is to verify that companies have an appropriate level of cyber hygiene based on the criticality and sensitivity of the information they are entrusted to safeguard, including controlled unclassified information (CUI) and federal contract information (FCI). CMMC will replace the self-certification for compliance with NIST 800-171 that is currently in place.

Do I really have to do this?

Yes, ALL companies doing business with the Department of Defense must obtain a CMMC certification. Each new contract will specify the certification level companies must meet to submit a proposal. For all new contracts starting in June 2020, you may be disqualified from participating if your organization is not certified at the specified level.

I'm a small business, can I afford this?

The certification cost has not yet been determined. The cost will likely scale with the level requested. DoD has stated that the cost of certification will be considered an allowable, reimbursable cost as part of the contract and will not be prohibitive, even for Small Businesses. The working group developing and standing up the CMMC Accreditation Body is also working hard to ensure certification is affordable for businesses of all sizes.

What does it mean to be certified?

Your organization will coordinate directly with an accredited and independent third-party assessment organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on the level specified in the contract of interest, as well as your specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstration of the appropriate practices and process maturity.

I only do business with Federal Agencies outside the DoD, does this apply to me?

Currently, CMMC will only be implemented within the DoD. However, other agencies such as DHS are very interested, and we believe other government agencies will begin to adopt it in the future.

How can I get help?

PCI brings several years of cybersecurity expertise, including experience helping small businesses become NIST 800-171 compliant. The PCI experts are up to date on the latest CMMC news and have been involved in shaping the CMMC model and accreditation process, so we know how to help you get certified. We provide certification consulting at an affordable cost and in a short amount of time, with customized assistance based on your company's individual needs.

We know this process can sound daunting, so for more information visit or contact us at to talk further.

Stay tuned for our next blog post 'All About CMMC Levels'
