CMMC — Cybersecurity Maturity Model Certification

Readiness assessment and certification preparation for the U.S. Department of Defense supply chain — Level 1, Level 2, and Level 3 of the CMMC 2.0 model.

What CMMC Is

The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense framework for verifying that contractors and subcontractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement an appropriate set of cybersecurity controls. CMMC 2.0 aligns its requirements with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3). Certification is performed by accredited CMMC Third-Party Assessment Organisations (C3PAOs).

The Three Levels

  • Level 1 — Foundational (FCI): 17 basic safeguarding practices. Annual self-assessment.
  • Level 2 — Advanced (CUI): 110 practices aligned with NIST SP 800-171 Rev. 3. Third-party assessment by a C3PAO every three years.
  • Level 3 — Expert (Critical CUI): Level 2 plus a subset of NIST SP 800-172 enhanced requirements. Government-led assessment every three years.

Engagement Scope

  1. CUI scoping and asset categorisation — identification of CUI assets, security protection assets, contractor risk-managed assets, and out-of-scope assets
  2. Gap assessment against the applicable level using the CMMC Assessment Guide methodology
  3. System Security Plan (SSP) development
  4. Plan of Action and Milestones (POA&M)
  5. Control implementation — policy, procedure, and technical configuration support
  6. Pre-assessment by independent senior consultants prior to C3PAO engagement
  7. C3PAO liaison and remediation support during the formal assessment

Reciprocity and Adjacent Frameworks

CMMC Level 2 controls are drawn from NIST SP 800-171. Organisations with mature ISO/IEC 27001 implementations can leverage a substantial portion of their existing control evidence — we provide control-mapping that quantifies the reuse and identifies the residual gap.