cybersecurity maturity model certification and audit logo with DFARS and NIST 800-171

Resources to get started with CMMC

Check the menu above for dozens of articles about CMMC, how to prepare your company, and how to become an assessor yourself.

Official DoD homepage for CMMC

Official homepage of the CMMC Accreditation Body

DFARS Cybersecurity FAQs (Official DoD guidance about 800-171 and DFARS)

FAQ for Organizations Seeking Certification (common mistakes)

Security policy templates, training, and tools

CMMC Scope – are you ready for an assessment?

Glossary of CMMC terms and key players

Where is the Easy Button for CMMC? Why MSPs may be the solution

Index of all articles on this site

DoD to contractors: Your cybersecurity is not good enough

The Cybersecurity Maturity Model Certification (CMMC) is an initiative lead by the Office of the Assistant Secretary of Defense for Acquisition. This is an office in the Department of Defense (DoD) which helps set policy for DoD contract requirements.

DoD contractors who handle Controlled Unclassified Information (CUI) are already required to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices. However, as pointed out by Ms. Katie Arrington during the CMMC Listening Tour this year, self-certification is not working. DoD contractors have been successfully targeted by cyber adversaries because they haven’t fully secured their networks.

To force DoD contractors to implement cybersecurity, the CMMC will require many DoD contractors to get an audit and certification from a third party auditor if they have CUI on their information systems.

We talk about 800-171 too!

Although this website is named “CMMC Audit”, almost all our articles are also relevant to NIST SP 800-171 and DFARS 252.204-7012 compliance. Check our NIST 800-171 menu above for specific information about these current requirements. Articles that discuss CMMC Level 2 or Controlled Unclassified Information will be helpful for your 800-171 journey today.

What you need to know about CMMC

CMMC enforcement timelines

The current timelines have shifted right significantly since last year. As of April 2021, the best guess (totally a guess) is:

  • Now: One Pilot contract is expected to have CMMC Level 3 requirements in its Request For Proposal (the Request for Information states so)
  • Soon: Final DFARS rule enforces CMMC rollout across defense contractors
  • Late 2021: A handful of CMMC audit organizations are approved to begin work.
  • Late 2021: Certified CMMC Training and exams are available to public
  • Early 2022: 10-20 CMMC assessments have been performed against defense contractors (focusing on “Pilot contract” bidders).
  • Mid 2022: A few Pilot contracts requiring CMMC have been awarded (affecting 3-40 primes and subs).
  • Mid 2022: Provisional Assessors lose their ability to work, transition to Certified Assessors if they can pass training and exams
  • Mid 2022: Possibly up to 40 CMMC audit organizations are approved, performing perhaps 100 audits per month.
  • Mid 2023: 1000 assessments have been performed against defense contractors ( 1% of total )
  • Gradual and accelerating expansion over time.

Update in April 2022: Well, that didn’t happen on schedule. Basically nothing has actually happened since this time last year, except the requirements for CMMC Level 2 were made significantly easier.

CMMC levels and requirements

The DoD recognizes that their contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1-3. Having proof of compliance at that level would be a requirement to even submit a bid.

The lower level (1) applies to DoD contractors who don’t deal with Controlled Unclassified Information (CUI). I expect most resellers will fit into this category. Other than purchase orders and possibly human resources information, they don’t hold government information on their corporate networks. The security requirements for these levels are much less stringent.

In the middle level (2), DoD contractors handle CUI. This is information like schematics for DoD equipment. Data which lets adversaries reverse-engineer or learn about military capabilities. For example, a shipyard might have maintenance plans for submarine equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 recommendations.

At the highest level, (3), the CUI being protected is high stakes. These networks will be targeted by cyber adversaries. Examples of this information would be weapon test results or detailed manufacturing schematics. Securing your network up to level 3 is likely to be very expensive.

For more details about the CMMC as an overall program, see CMMC Basics – the Full Details

Does CMMC apply to your business?

This infographic describes different types of sensitive but unclassified Federal data and their related cybersecurity requirements.

Infographic showing relationship of FCI CUI CDI FOUO and non-federal data to CMMC and DFARS

Are you just looking for a CMMC audit provider? 

Right now, no company is able to perform CMMC audits (the CMMC is still in development). The sponsor of CMMC Audit (Kieri Solutions) is helping companies with 800-171 compliance now and has started the process to become an assessment organization for CMMC. Kieri Solutions is building a wait-list for audits1. Other audit providers will be listed on the CMMC accreditation body website as they are approved.

Are you just looking for help preparing for the CMMC? 

We encourage you to reach out to the sponsor of , Kieri Solutions, if you like what you see on this website. At the least, they are happy to chat for 30 minutes and give you free advice. is not a representative of the Department of Defense, the CMMC Accreditation Body, or the CMMC Assessors and Instructors Certification Organization. This website is meant to be community resource for CMMC audit (or assessment!) preparation.