Are you ready for the Cybersecurity Maturity Model Certification (CMMC)?

Blog post   •   Mar 27, 2020 14:28 GMT

On January 31, 2020, the Department of Defense (DoD) publicly released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC provides a consistent cyber framework for vendors doing business with the DoD, and it will require an attestation and certification by a third-party assessor.

Put simply, the next time you bid on a contract, whether direct or as a sub, there will likely be a defined level of CMMC that you will need to qualify for the contract.

As with any new certification or framework, there is a lot of new information coming out and people are trying to understand how their business might be impacted. Where should you start?

Get a head start on CMMC

We've prepared the following resources to get you up to speed on CMMC and all it will entail. 

  • Download “Guidance for the CMMC,” a guide providing insight into the CMMC and guidance for the nearly 300,000 companies that will need to certify to continue conducting business with the DoD.
  • Listen back to our CMMC webinar from NCC Group expert Jeff Roth. You’ll also get a PDF of the webinar’s slides.
  • Learn about our Gap Assessment, which will provide you with actionable insights and a CMMC roadmap to budget for by end of year 2020.

NCC Group’s Jeff Roth hosts a CMMC webinar

Jeff Roth, FedRAMP 3PAO Practice Director at NCC Group, has just hosted a webinar digging into the details around CMMC.

A few notable highlights from the webinar include:

  • All companies conducting business with the DoD—including subcontractors—must be certified.
  • The level of certification required will depend upon the individual contracts as defined by the U.S. Government Program Manager and/or Contract Officer.
  • There are 17 capability domains and 5 levels of cyber security maturity. CMMC adds domains and process maturity to NIST 800-171. To demonstrate maturity you will need to be certified by a CMMC Third Party Assessment Organization (C3PAO), which will be new territory for many suppliers.

While there is already a CMMC Version 1.02, it did not bring about any notable changes. That said, it’s highly likely that CMMC and its requirements will adjust and evolve from where they are today. So, it’s important that you keep a solid bridge of communication with your partners.

Aside from its public presentations, the Office of the Under Secretary of Defense for Acquisition and Sustainment has created a CMMC website that provides additional background on the proposed CMMC, including a list of FAQs and real-time updates around the certification.