What is CMMC?

(Cybersecurity Maturity Model Certification)

    In the current digital age, cybersecurity isn’t a luxury – it’s a necessity. And for companies that are part of the Defense Industrial Base (DIB) working in partnership with the DoD, it will shortly also be a requirement for doing business with any DoD contracting office.

    With the passing of the Cybersecurity Maturity Model Certification (CMMC), any company working with the DoD will be required to meet a certain standard of cybersecurity verification in order to win — or even bid on — contracts, whether as a prime or sub-contractor. 

    This regulation stems from the fact that over the past several years, billions of dollars have been lost to intellectual property theft from defense contractors working with or for DoD programs, and from the growing recognition that without a solid cybersecurity foundation, all documents, assets, information and networks of contractors and the organizations that they work with are put at risk.

      What is CMMC?

      CMMC — or the Cybersecurity Maturity Model Certification — is the newest verification standard from the DoD used to gauge and verify the extent of contractors’ and subcontractors’ cybersecurity infrastructure to adequately protect Controlled Unclassified Information (CUI) as well as Federal Contract Information (FCI). It combines, enforces and builds upon past regulations to create an updated framework for organizing cybersecurity practices and procedures across industries with the aim of creating consistent, repeatable instances of high-quality cybersecurity capabilities and practices.


      Examples of some of these requirements and practices include documenting security measures, reporting malicious events that either affect the contractors’ ability to perform the requirements or involve CUI, and establishing controlled access to confidential documents.

      How does NIST 800-171 compare to CMMC?

      In a nutshell, CMMC takes requirements and practices from NIST 800-171 (as well as other past regulations), builds upon them, and organizes them in a tiered maturity approach, making the adoption of these regulations easier to understand.

      Who Does CMMC Apply To?

      Whether you’re a company working with the DoD for the first time or aiming to continue your current contract, all companies and contractors will shortly be required to be CMMC compliant and certified. Contractors and subcontractors with the DoD are obligated to meet CMMC compliance standards if they wish to bid on contracts within the next few years.


      Learn more about how to get started with CMMC Level.

      What Are the Levels of CMMC? 

      In a nutshell, the various levels of CMMC compliance range from simply practicing basic cybersecurity to being proactive and actively looking for ways to improve and safeguard your cybersecurity network. Depending on the type of CUI and FCI your company has access to, how involved in DoD operations your company is, or what your company’s current contract states, you will be required to meet a certain level of CMMC compliance or to comply with NIST 800-171.

      CMMC Level I

      Basic Cyber Hygiene | Basic processes are performed and best practices are followed.

      CMMC Level II

      Intermediate Cyber Hygiene | Security processes and practices are documented and followed.

      CMMC Level III

      Good Cyber Hygiene | Cybersecurity efforts are documented, practiced and managed by professionals.

      CMMC Level IV

      Proactive Cyber Hygiene | Professionals review and are proactive against possible cybersecurity threats.

      CMMC Level V

      Advanced Cyber Hygiene | Plans are in place to scale and optimize cybersecurity across business units.

      How does my business prepare to become CMMC compliant?

      To start your company’s path towards compliance, do an internal audit of your company’s cyberinfrastructure using the general outline of CMMC compliance regulations or by taking this survey. This will give you a good starting point for where your company will need to devote its cybersecurity efforts. From there, it’s important to understand what the cost and timeline will be for acting on the gaps identified during your internal audit.


      Oftentimes, the solutions and services needed to become and stay compliant are more than small businesses can handle, making off-loading the bulk of the work to third parties a more cost-effective option.

      Ready to Get Started on Safeguarding Your Information? 

      As the world’s threats evolve, so too must the world’s defenses. To meet these growing threats in a manageable and cost-effective way, Hyper Vigilance has created tailored solutions designed to fill the gaps in your company’s cybersecurity setup and get you prepared to become CMMC compliant. Get in contact with the experts at Hyper Vigilance for a free cybersecurity consultation and get your business on the path towards compliance.