The CMMC clock is ticking...

Don't risk your ability to secure or renew DoD contracts.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) just launched in January 2020 with requirement for certification in effect by summer of 2020. Has your organization taken the proper steps to protect your Department of Defense (DoD) contract renewals and enable you to bid on future work?

Figure out where you stand with a pre-assessment to identify your level of maturity, boost your cybersecurity posture, and win more government contracts. Here is what you need to know about CMMC:

What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a DoD certification framework which measures a Defense Industrial Base (DIB) company’s ability to protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC will assess a company’s implementation of cybersecurity controls, practices and processes and assign a maturity level intended to rank the company’s security posture from “Basic,” (level 1) to “Highly Advanced/Progressive,” (level 5). Companies will be assessed across 17 domains including but not limited to access control, incident response, recovery and risk management.

Who does CMMC apply to?
Any contractor (prime or sub) doing business with the DoD will be required to comply with CMMC.

Whether you have a landscape company, a welding firm or build tactical weaponry for a warfighter via a DoD contract—your company will be required to comply with CMMC and maintain certification for the appropriate level. To achieve a specific CMMC level, each company will be required to meet the practices and processes defined for that level (as well as all levels below the level of pursuit), complete a third-party assessment and receive a certification for that level.

Why was CMMC created?
Per CCMC v0.7, The requirement for CMMC stems from ‘the theft of hundreds of billions of dollars of intellectual property due to malicious cyber activity’ caused by ‘poor cybersecurity maturity and ineffective implementation of controls necessary to protect sensitive data’. CMMC seeks to enhance the security, visibility, and situational awareness of the DIB and the 300,000 organizations that make up the DoD Supply Chain. The aggregate loss of CUI from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DoD is requiring the DIB sector to enhance its protection of CUI. Originally, DoD required compliance with NIST 800-171 which DIB members could self-certify. Through discovery and recent events, the DoD determined that the self-attestation and controls previously in place were lacking and therefore needed a new model. CMMC incorporates previous NIST requirements with newly defined domains and tiered level criteria. CMMC will require a prime or sub-contractor to document their cybersecurity controls, practices and processes and via CMMC; a third-party assessment organization (3PAO) must assess the organization and certify them for that level prior to renewals or go forward bid submissions.

When does CMMC go into effect?
The clock is ticking and preparation should begin today.

Version 1.0 was released January 31, 2020. 3PAOs will be trained as early as April/May 2020. CMMC certifications will appear in Requests for Information (RFI’s) by June 2020 and Requests for Proposal (RFP’s) as early as August/September 2020.

How do I prepare for CMMC?
If you are a direct government contractor or sub-contractor, it is best to begin with a pre-assessment to review your current security maturity level and identify gaps.

Depending on the pre-assessment findings; partner with a leading cybersecurity solution provider like Trustwave to assist you with improving your security posture and resolving gaps in controls, practices and processes. Once the gaps have been addressed, schedule an assessment with a 3PAO. Upon the completed and successful assessment, you will receive a certification attesting your level of security maturity which will in turn determine the contracts you can bid on going forward.

Get started with a Pre-Assessment.
Leverage Trustwave cybersecurity experts for a Security Maturity Pre-Assessment (SMA) to help you map NIST to CMMC and better understand the CMMC requirements. Complete the form or call (866) 659-9097.


Trustwave is seasoned in supplying cybersecurity solutions to federal agencies and is the preferred solution provider for database security to US government agencies. Trustwave is recognized by industry analysts as a leader in managed security services.