Are you ready for the Cybersecurity Maturity Model Certification (CMMC)?

On January 31, 2020, the Department of Defense (DoD) publicly released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC provides a consistent cyber framework for vendors doing business with the DoD, and it will require an attestation and certification by a third-party assessor.

Put simply, the next time you bid on a contract, whether direct or as a sub, there will likely be a defined level of CMMC that you will need to qualify for the contract.

As with any new certification or framework, there is a lot of new information coming out and people are trying to understand how their business might be impacted. Where should you start?

Get a head start on CMMC

We've prepared the following resources to get you up to speed on CMMC and all it will entail. 

  • Download “Guidance for the CMMC,” a guide providing insight into the CMMC and guidance for the nearly 300,000 companies that will need to certify to continue conducting business with the DoD.
  • Listen back to our CMMC webinar from NCC Group expert Jeff Roth. You’ll also get a PDF of the webinar’s slides.
  • Learn about our Gap Assessment, which will provide you with actionable insights and a CMMC roadmap to budget for by end of year 2020.

NCC Group’s Jeff Roth hosts a CMMC webinar

Jeff Roth, FedRAMP 3PAO Practice Director at NCC Group, has just hosted a webinar digging into the details around CMMC.

A few notable highlights from the webinar include:

  • All companies conducting business with the DoD—including subcontractors—must be certified.
  • The level of certification required will depend upon the individual contracts as defined by the U.S. Government Program Manager and/or Contract Officer.
  • There are 17 capability domains and 5 levels of cyber security maturity. CMMC adds domains and process maturity to NIST 800-171. To demonstrate maturity, you will need to be certified by a CMMC Third Party Assessment Organization (C3PAO), which will be new territory for many suppliers.

While there is already a CMMC Version 1.02, it did not bring about any notable changes. That said, it’s highly likely that CMMC and its requirements will adjust and evolve from where they are today. So, it’s important that you keep a solid bridge of communication with your partners.

Aside from their public presentations, the Office of the Under Secretary of Defense for Acquisition and Sustainment has created a CMMC website that provides additional background on the proposed CMMC, including a list of FAQs and real-time updates around the certification.


About NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 15,000 clients worldwide to protect their most critical assets from the ever-changing threat landscape.

With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate and respond to the evolving cyber risks they face.

To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists.

With over 1,800 colleagues in 12 countries, NCC Group has a significant market presence in North America, continental Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia and Singapore.

Press contacts

NCC Group Press Office

Press contact +44 7824 412 405
NCC Group - Financial Media Enquiries

Press contact Maitland AMO +44 (0)20 7379 5151
Regional Press Office - North America

Press contact +1 408 776 1400