Cybersecurity Maturity Model Certification

Connect with us

Cybersecurity Maturity Model Certification (CMMC) is a requirement for all organizations within the supply chain to the United States Department of Defense (DoD), whether a prime contractor, sub-contractor, or sub-tier supplier. CMMC ensures that an organization has achieved the minimum threshold of cybersecurity necessary to be entrusted with the types of information they receive or handle.

As a Registered Provider Organization (RPO) providing advisory services to organizations preparing for CMMC and among the first to be named a CMMC Third Party Assessment Organization (C3PAO), Coalfire Federal offers a full suite of services to help organizations prepare for and achieve their required CMMC maturity level.

What do I need to know about CMMC certification?

I need to become CMMC Certification Ready

CMMC requirements are exacting. Coalfire Federal can help you confidently prepare for certification in a cost-efficient manner and on your required timeline to become certification-ready. Our suite of services includes:

  • Boundary workshop to determine in-scope organizational and systems environment
  • Gap analysis to evaluate your current state against CMMC requirements.
  • Remediation planning and support to close existing gaps and achieve process maturity.

Learn more

I am ready to be CMMC Certified

Among the first C3PAO candidates authorized to perform CMMC assessments, Coalfire Federal has the knowledge and experience to understand and assess your environment, security controls, and business process against CMMC requirements. Coalfire Federal offers the following services:

  • Readiness review to explain the assessment process and documentation requirements.
  • Mock assessment to predetermine the likely outcomes of a CMMC assessment.
  • CMMC assessment to achieve certification.

Learn more

CMMC overview

The DoD created CMMC to curtail the exfiltration and theft of sensitive defense information from contractor information systems. CMMC serves as a verification mechanism to ensure that Defense Industrial Base (DIB) companies implement adequate cybersecurity practices and processes to protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

In November 2021, the DoD announced changes to the CMMC program to facilitate its rollout and to reduce its business and cost impact to small businesses. CMMC version 2.0 consists of the security requirements from NIST 800-171 Rev2 and a subset of requirements from NIST 800-172. Key elements of CMMC 2.0 include:

  • Three CMMC Levels: Different levels of cybersecurity requirements based on the sensitivity of information received or handled.
    • Level 1: Basic safeguarding requirements for FCI
    • Level 2: Security requirements for CUI
    • Level 3: Security requirements for select categories of CUI
  • Assessments: Three levels of assessment based on CMMC level and procurement priority.
    • Self-Assessment, Self-Attestation: For Level 1 and for non-prioritized Level 2 procurements
    • Independent Third Party (C3PAO) Assessment: For prioritized Level 2 procurements
    • C3PAO and Government Assessment: Level 3 assessments will be conducted to the Level 2 baseline by a C3PAO, the remaining requirements will be assessed by the DoD
  • Limited Plans of Action and Milestones (POA&M): CMMC 2.0 allows POA&Ms to address certain non-critical practice requirements provided those POA&Ms are executed within 180 days of a contract award.
  • Heightened enforcement at all levels: To ensure compliance with CMMC as defined in the assessment criteria and assessment process, DoD is increasing the rate of systematic and random audits and will prosecute egregious offenders under the False Claims Act.
Whether a prime, subcontractor, or sub-tier supplier, every organization doing business with the DoD will need to be CMMC certified before being awarded a contract.
CMMC key on computer keyboard


CMMC Model 2.0

Maturity level certification considerations

Every organization receiving a contract renewal or a new award will need to be certified at one of the three maturity levels outlined above. The DoD will determine which maturity level is required to bid on each solicitation; therefore, organizations will need to determine which maturity level is needed and whether a self-assessment is sufficient based on the nature of the contracts and work they would like to pursue.


How to prepare for CMMC

  • Get started now! It can take time, resources, and investment to fully understand and implement good cybersecurity practices and become CMMC certification-ready.
  • Gain an understanding of the CMMC framework by reviewing resources from the CMMC Accreditation Body and FAQ.
  • Complete a CMMC boundary workshop and gap analysis to determine in-scope organizational and systems environment and evaluate your current state against CMMC requirements.
  • Get professional help. As a C3PAO and RPO, Coalfire Federal can offer both advisory and assessment expertise that will help your organization achieve CMMC certification.

Why choose Coalfire?

We understand cybersecurity and what the DoD expects from its contractors, sub-contractors, and suppliers. As a C3PAO, we understand CMMC requirements and how they are interpreted by the DoD. As an RPO we understand how to configure your environment and implement security tools to satisfy those requirements. We are a DIB organization – a participant not an observer. We have supported others across the DIB, assessing security posture and helping them achieve NIST 800-171, ITAR, and EAR compliance. As one of the industry’s largest and most experienced risk management and compliance assessment organizations, Coalfire can provide the expertise and support to guide you successfully through the CMMC certification process.

Related services from Coalfire

Contact us to improve your cybersecurity posture