Common Cybersecurity Maturity Model Certification Questions from our Customers. Don't worry, you're not alone!

Why do I need to seek CMMC certification?

If your business is in the defense industrial base supply chain, you will need to seek certification in order to sign new contracts or continue supplying product on existing agreements. In other words, whether you supply product directly to the government, to top-tier suppliers like GE or Raytheon, or you sit lower down the supply chain, you will need to start planning for CMMC compliance.

When do I need to seek CMMC certification?

The deadline is 2025, which means you should plan to seek an audit from a C3PAO (Third-Party Assessor Organization) through the CMMC-AB marketplace before the end of 2025. Don't wait until the last minute, so that you have time to remediate audit findings.

Why is it a big deal now, if DFARS and the NIST publications have been around for years?

CMMC introduces the need to pass an audit in order to receive a certificate to continue as a US government subcontractor. Before, cyber security compliance operated as an honor system based on self-assessment.

What if I fail the Audit?

You will have 60 days to resolve the findings from the audit via a corrective action report and seek remediation review from the same auditing firm.

Is this certification a one-and-done?

No, you need to get re-certified every 3 years. Cyber security in general is a perpetual effort that requires a continuous-improvement mentality.

What’s the best place to start getting compliant?

CMMC requirements are mostly drawn from the NIST SP 800-171 Rev. 2 publication (SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC). Start with a gap analysis using their spreadsheet to track where you are and where you need to be. The CMMC-AB also has a 10-step process on their website that you should follow.

What CMMC maturity level should I seek certification for?

As a best practice, no matter what industry your business is in, you should strive for CMMC ML-1, which gives you basic cyber security hygiene.

If you are planning to handle CUI data in future contracts, CMMC ML-2 is a good transitional framework to prepare for becoming ML-3 compliant.

Currently handling CUI data? ML-3 is what you should strive for. This is a very common maturity level for mid-tier suppliers.

If you are a top-tier supplier in the defense industrial base, ML-4 and ML-5 should be considered.

We are a small manufacturing company with a lean I.T. staff and a tight budget. How do others in my situation plan to become compliant?

Firstly, you're not alone. Establishing a system boundary is critical for a business of any size to control cost. Work with your executive team, contracts team, legal, and compliance personnel to understand your CUI scope. If your business only has a handful of CUI contracts, you'll find it is not cost prohibitive. If the majority of your work involves CUI and you have a small internal team, we are here to help: send us an email and we'll help establish your plan of action and milestones.

What is CUI, and how do I determine whether it's on my network?

Controlled Unclassified Information is sensitive data that is specifically marked by the DoD but is not classified information. ITAR data is a good example of this, but you should first ask yourself these 3 questions:

  1. Where do you get your contracts and technical drawings?
  2. Where do you store them on your network or cloud service?
  3. Where do your employees send them?

You'll need to work with your customer-facing employees to understand which contracts carry CUI markings (Controlled Unclassified Information (CUI) | GSA). Microsoft Active Directory Rights Management Services (AD RMS) or Microsoft Azure Information Protection (AIP) are a couple of solutions that can help you identify, mark, and safeguard this data with
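
The three questions above come down to finding where marked documents live so you can draw the system boundary around them. The following is an added example, not code from this page or from any of the products it mentions: a small Python inventory script that scans a set of documents for CUI banner markings (the "CUI" banner line with optional category and dissemination controls, and the long-form "CONTROLLED UNCLASSIFIED INFORMATION" legend, as defined in the 32 CFR 2002 marking rules) and an ITAR notice, then groups the results by storage location. The sample documents are constructed inline; the location-grouping depth and the "review" status for ITAR-noted-but-unbannered files are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# CUI banner: the word "CUI" on its own, optionally followed by category and
# dissemination-control segments such as "CUI//SP-EXPT//NOFORN". The word
# boundary keeps "CUISINE" from matching.
CUI_BANNER = re.compile(r"\bCUI\b(?://[A-Z0-9\-/]+)?")
# Long-form legend sometimes used instead of (or alongside) the short banner.
CUI_LONG = re.compile(r"controlled unclassified information", re.IGNORECASE)
# ITAR-controlled technical data is CUI even when the CUI banner is missing,
# so a bare ITAR notice is worth a human look.
ITAR_NOTICE = re.compile(r"\bITAR\b|international traffic in arms", re.IGNORECASE)

# Constructed sample documents (path -> text) standing in for a file share
# and a cloud tenant. None of these are real files.
SAMPLE_DOCS = {
    "fileshare/engineering/drawing-4471.txt":
        "CUI//SP-EXPT\nPart drawing for bracket assembly, rev C.\nCUI//SP-EXPT",
    "fileshare/contracts/award-2023-001.txt":
        "CONTROLLED UNCLASSIFIED INFORMATION\nContract award and statement of work.",
    "fileshare/hr/holiday-schedule.txt":
        "Company holidays for next year.",
    "cloud/shared/export-note.txt":
        "This technical data is subject to ITAR. Do not export.",
    "cloud/marketing/brochure.txt":
        "Our CUISINE-GRADE stainless steel line.",
}


def classify_document(text):
    """Return (status, markings) for one document.

    status is "marked" (a CUI banner or legend is present), "review" (an ITAR
    notice but no banner) or "unmarked" (nothing found). markings lists the
    distinct banner strings seen, so the reviewer can see the categories.
    """
    markings = sorted({m.group(0) for m in CUI_BANNER.finditer(text)})
    if CUI_LONG.search(text):
        markings.append("CONTROLLED UNCLASSIFIED INFORMATION")
    if markings:
        return "marked", markings
    if ITAR_NOTICE.search(text):
        return "review", ["ITAR notice without CUI banner"]
    return "unmarked", []


def inventory(docs, depth=2):
    """Count document statuses per storage location.

    A location is the first `depth` path components, e.g. "fileshare/contracts",
    which is the granularity at which a share or cloud folder is scoped.
    """
    summary = defaultdict(Counter)
    for path, text in docs.items():
        location = "/".join(PurePosixPath(path).parts[:depth])
        status, _ = classify_document(text)
        summary[location][status] += 1
    return {loc: dict(counts) for loc, counts in summary.items()}


def in_scope_locations(docs, depth=2):
    """Locations holding marked or review-flagged documents: the candidate
    CUI boundary to carry into the gap analysis."""
    return sorted(
        loc for loc, counts in inventory(docs, depth).items()
        if counts.get("marked") or counts.get("review")
    )


if __name__ == "__main__":
    for path, text in SAMPLE_DOCS.items():
        status, markings = classify_document(text)
        print(f"{status:9} {path}  {markings}")
    print("in scope:", in_scope_locations(SAMPLE_DOCS))
```

A marking-based scan only finds documents that someone has already marked. Files with the "unmarked" status are not proven clean; the conversations with contracts and customer-facing staff described above are still what tells you which unmarked drawings and agreements fall under a CUI-bearing contract. Pair the scan's "review" list with those conversations before finalizing the boundary.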

Maturity Levels (ML)

Level 1: 17 practices
Basic cyber hygiene. All businesses should adopt this level as a best practice.

Level 2: 55 practices, 34 processes
Intermediate cyber hygiene. Used to transition a business toward protecting CUI data.

Level 3: 58 practices, 17 processes
Good cyber hygiene. Consists mostly of the NIST 800-171 and DFARS frameworks. If you manage CUI data, this is the mandatory level to reach.

Level 4: 26 practices, 17 processes
Proactive cyber hygiene. Focused on reducing the risk of advanced persistent threats.

Level 5: 15 practices, 17 processes
Progressive cyber hygiene. An advanced cyber security framework that is highly optimized for mitigating advanced persistent threats.


Commonly used Acronyms

CMMC-AB: Cybersecurity Maturity Model Certification Accreditation Body
CCP: Certified Professional (CMMC)
CCA: Certified Assessor (CMMC)
OSC: Organization Seeking Certification
ITAR: International Traffic in Arms Regulations
NIST: National Institute of Standards and Technology
C3PAO: Third-Party Assessor Organization (CMMC)
CUI: Controlled Unclassified Information
RPO: Registered Provider Organization
CMMC-AB Approved Training Material
Licensed Trained Professional (CMMC)
RP: Registered Practitioner (CMMC)
FIPS: Federal Information Processing Standards
DLP: Data Loss Prevention or Data Leak Prevention
SIEM: Security Information and Event Management
SSP: System Security Plan
FedRAMP: Federal Risk and Authorization Management Program
FCI: Federal Contract Information
EAR: Export Administration Regulations
Access Control Maturity Capability
RBAC: Role-based access control
DIB: Defense Industrial Base

10 Steps to Certification

Step 1: Understand the CMMC requirements.
Step 2: Scope your business's cyber security footprint.
Step 3: Identify which maturity level you are seeking.
Step 4: Perform a gap analysis based on your Step 2 scope.
Step 5: Work to close your previously identified gaps (the longest step).
Step 6: Find a C3PAO in the CMMC-AB marketplace.
Step 7: Conduct the assessment with the chosen C3PAO.
Step 8: Remediate any findings within 90 days.
Step 9: The audit is submitted to the CMMC-AB and reviewed.
Step 10: Obtain your 3-year certification.

[Figure: CMMC Practices and Levels, stacked bar chart]

Need more help?

We can start you down the gap analysis and POAM path, and we've partnered with the best managed services providers for getting further into the weeds. Please send inquiries to to get started.

We've also put together an easy-to-read, follow, and edit plan of action and milestones spreadsheet to help you start your journey. Please mention this in your inquiry and we'll be happy to provide it to you and answer any questions.