Cybersecurity Maturity Model Certification

Coalfire Federal is among the first to be certified as a Cybersecurity Maturity Model Certification (CMMC) Third Party Assessment Organization (C3PAO) and Registered Provider Organization (RPO) authorized by the CMMC Accreditation Body. We offer a suite of CMMC advisory and assessment services to help organizations prepare for and achieve their desired CMMC maturity level.

Ready to get started?

I need to become CMMC Certification Ready

CMMC requirements are exacting. Coalfire Federal can help you confidently prepare for certification in a cost-efficient manner and on your required timeline to become certification-ready. Our suite of services includes:

  • Boundary workshop to determine the in-scope organizational and systems environment.
  • Gap analysis to evaluate your current state against CMMC requirements.
  • Remediation planning and support to close existing gaps and achieve process maturity.

I am ready to be CMMC Certified

Among the first C3PAOs authorized to perform CMMC assessments, Coalfire Federal has the knowledge and experience to understand and assess your environment, security controls, and business processes against CMMC requirements. Coalfire Federal offers the following services:

  • Readiness review to explain the assessment process and documentation requirements.
  • Mock assessment to predetermine the likely outcomes of a CMMC assessment.
  • CMMC assessment to achieve certification.

CMMC overview

The Department of Defense (DoD) has started the phased roll-out of its CMMC program. CMMC is intended to serve as a verification mechanism to ensure that Defense Industrial Base (DIB) companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

Whether a prime, subcontractor, or sub-tier supplier, every organization doing business with the DoD will need to be CMMC certified before being awarded a contract that has CMMC requirements.

How CMMC is different

CMMC and the Interim DFARS rule, which became effective November 30, 2020, address deficiencies in the NIST 800-171 framework and its enforcement that affected its ability to keep CUI, CDI and FCI secure. The changes affect both the DoD’s acquisition process and supplier requirements for doing business with the DoD. Most significantly:

  • No self-attestation and self-reporting. Organizations will no longer self-assess and report compliance. CMMC assessments are conducted by Certified Assessors (CA) affiliated with a C3PAO.
  • No more Plan of Action and Milestones (POAMs). CMMC requirements are pass-fail and cannot be satisfied by a POAM that promises to address a requirement in the future. All CMMC practices and processes must be satisfied to achieve certification. Enforcing the same requirements for all bidders levels the playing field and makes security an incentive rather than a disincentive.
  • Maturity, not compliance. CMMC requires that organizations achieve and maintain cyber maturity commensurate with the sensitivity of information they exchange. Organizations can no longer think in terms of checking a box; instead they must focus on getting and staying secure.


CMMC Model 2.0

Maturity level certification considerations

Every organization that plans to renew a current contract, or bid on a new contract in the future, will need to be certified at one of the five maturity levels outlined above. The DoD will determine which maturity level is required to bid on each solicitation; therefore, organizations will need to determine which maturity level is needed based on the nature of the contracts and work they would like to pursue.

The maturity level for each organization will be validated by a C3PAO. Organizations will only be allowed to participate on contracts with a required maturity level equal to or less than their certified maturity level.


How to prepare for CMMC

  • Get started now! It can take time, resources, and investment to fully understand and implement good cybersecurity practices and become CMMC certification-ready.
  • Gain an understanding of the CMMC framework by reviewing resources from the CMMC Accreditation Body and FAQ.
  • Complete a CMMC boundary workshop and gap analysis to determine the in-scope organizational and systems environment and evaluate your current state against CMMC requirements.
  • Get professional help. As a C3PAO and RPO, Coalfire Federal can offer both advisory and assessment expertise that will help your organization achieve CMMC certification.

Why choose Coalfire?

For nearly 20 years, Coalfire has provided commercial and public sector organizations, including the DoD, with industry-leading cybersecurity and compliance advisory services. We are a DIB organization and have worked with others across the DIB, assessing security posture and supporting NIST 800-171, ITAR, and EAR compliance programs. As one of the industry’s largest and most experienced risk management and compliance assessment organizations, Coalfire can provide the expertise and support to guide you successfully through the CMMC certification process.
