Cybersecurity Maturity Model Certification
The Department of Defense is drafting a new standard called the Cybersecurity Maturity Model Certification. This standard will replace NIST 800-171 on DoD RFIs and RFPs beginning in mid-2020 [1]. The CMMC contains five levels, ranging from basic hygiene to state-of-the-art. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
[1] Ms. Katie Arrington, OUSD(A&S), Professional Services Council “What Contractors Need To Know About DoD’s CMMC” Webinar, July 17, 2019
You’ll need to understand each requirement and generate a bunch of documentation.
Give us 30 days to show you how easy this can be.

It’s not cheating… it just feels like it.
We're kind of Policy Professionals

Platform subscriptions include 17 CMMC domain-specific policy templates pre-loaded into our policy generator.

You shouldn’t have to pay extra for this stuff.

CMMC Model v1.02 Levels by the Numbers
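| Domain | Capabilities | Total Practices per Domain | Level 1 Practices | Level 2 Practices | Level 3 Practices | Level 4 Practices | Level 5 Practices |
|---|---|---|---|---|---|---|---|
| Access Control | 4 | 26 | 4 | 10 | 8 | 3 | 1 |
| Asset Management | 1 | 2 | 0 | 0 | 1 | 1 | 0 |
| Audit and Accountability | 4 | 14 | 0 | 4 | 7 | 2 | 1 |
| Awareness and Training | 2 | 5 | 0 | 2 | 1 | 2 | 0 |
| Configuration Management | 2 | 11 | 0 | 6 | 3 | 1 | 1 |
| Identity and Authorization | 1 | 11 | 2 | 5 | 4 | 0 | 0 |
| Incident Response | 5 | 13 | 0 | 5 | 2 | 2 | 4 |
| Maintenance | 1 | 6 | 0 | 4 | 2 | 0 | 0 |
| Media Protection | 4 | 8 | 1 | 3 | 4 | 0 | 0 |
| Personnel Security | 2 | 2 | 0 | 2 | 0 | 0 | 0 |
| Physical Protection | 1 | 6 | 4 | 1 | 1 | 0 | 0 |
| Recovery | 1 | 4 | 0 | 2 | 1 | 0 | 1 |
| Risk Management | 2 | 12 | 0 | 3 | 3 | 4 | 2 |
| Security Assessment | 3 | 8 | 0 | 3 | 2 | 3 | 0 |
| Situational Awareness | 1 | 3 | 0 | 0 | 1 | 2 | 0 |
| System and Comms Protection | 2 | 27 | 2 | 2 | 15 | 5 | 3 |
| Systems and Info Integrity | 4 | 13 | 4 | 3 | 3 | 1 | 2 |
| Total Practices Per Level | | | 17 | 55 | 58 | 26 | 15 |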
Questions to consider when trusting a cloud vendor with your data:
1. Is my data stored in a cloud that the US government trusts?
2. Is my data encrypted BEFORE being sent to the cloud vendor?
3. Could a compromise of the cloud vendor's database result in exfiltration of my unencrypted data?
CMMC Process Pyramid
What type of solution are you looking for?
I need a hassle-free tool to assess my environment and generate all of the CMMC documentation needed for an audit.
I need an assessment tool that I can use to audit other organizations.
The Assessment Platform drives your team forward through the CMMC assessment process, auto-generates all documentation, and allows you to share your assessment results with auditors.
I want to push a button to create a compliant cloud environment where I can store my Covered Defense Information (CDI).
A ComplyUp Cove™ is a protected, pre-configured, on-demand cloud environment built to comply with the requirements of the Cybersecurity Maturity Model Certification. Each Cove deployment includes a subscription to the Assessment Platform, which is automatically populated with technical compliance details for each CMMC requirement.
ComplyUp CMMC Pyramid
A. Contractor performs self-assessment to identify which level (if any) they currently meet.
B. Contractor searches ComplyUp marketplace for CMMC pre-audit support.
C. Contractor addresses deficiencies (software purchases, system configurations, third-party service providers).
D. We are unsure of what the process looks like for undergoing an audit by an accredited C3PAO. We do know that the DoD has signed a Memorandum of Understanding with a non-profit organization acting as the CMMC Accreditation Body; however, that organization has not provided specific information on how you will be paired with or go about selecting an accredited auditor.
E. We are unsure of what the certification process looks like for CMMC. The Accreditation Body has not released specific information on how to obtain certification through an accredited auditor. We do know that you will not be required to prove certification in order to bid on an RFP but instead will need to prove certification level at the time of award.
Contract Award Process
1. Contracting Officer reviews contract requirements to determine which CMMC Level will be required
2. RFI posted including required CMMC level for bidding (may contain various levels to account for subcontracting flow-downs)
3. RFP released
4. Contractors submit proposals for RFP
5. Contracting Officer reviews proposals, awards contract, and CMMC certification must be presented at time of award by Contractor
Contact us to find out which solution best fits your needs.


CMMC Frequently Asked Questions
By Contractors

The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC is not entirely derived from NIST 800-171; rather, it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.

Yes. Version 1.02 is available at

Yes. Many of the same controls that are in NIST 800-171 will be included in CMMC along with controls from other standards such as ISO, FedRAMP, and various NIST frameworks.

CMMC also requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.


Existing DoD contracts that contain the 252.204-7012 DFARS clause will still require your organization to provide documentation proving compliance with 800-171. We don't know if Contracting Officers will be asked to modify active contracts to swap CMMC and 800-171. This may end up being a per-contract decision. CMMC is different from NIST 800-171, but the controls can be mapped from 800-171 to the levels of certification within CMMC.

Yes. All companies doing business with the Department of Defense will need to obtain CMMC.

Even if you are a subcontractor.

We’re not sure yet. This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. We can say this: ALL companies handling CUI can expect to need certification at CMMC Level 3 (which will include all 110 controls from NIST 800-171) at a minimum. Levels 1 and 2 will be required of companies that handle FCI (Federal Contract Information), while Levels 4 and 5 will be required among a small subset of contracts handling extremely sensitive information. The safe bet at this point is to shoot for a Level 3.

1. Get NIST 800-171 documentation out of the way. This will get you through many of the CMMC Level 3 requirements and keep you compliant with the current DFARS clause.

2. Identify the remaining CMMC requirements you expect to be subject to (future RFPs or your prime will determine what level you need to meet). Be ready to address any gaps you find and implement solutions to remediate them since CMMC requires 100% implementation. Identify and hire a reputable cyber company to help with pre-audit support.

3. Identify an authorized 3rd party to audit your assessment and give you a certification for the level you need. There are currently no companies that are accredited to give an official CMMC audit and certification, but the CMMC AB has indicated a small number will be available soon.

Current information suggests most CMMC levels will require recertification once every 3 years.

We can’t say for sure. That depends entirely on the market. Ms. Katie Arrington and her team have made it clear that they are trying to keep the cost down and are encouraging industry to automate as much of this process as possible. ComplyUp is taking that approach and applying it to our business model. Our software is cost-effective and practical. Our existing 800-171 platform can get you your NIST 800-171 documentation, and when the time comes, we'll migrate you to the new CMMC standard at no additional cost. We've also screened several auditing organizations and selected our partners based on the promise that they keep their costs low when working with our clients. The cost and associated assessment will likely scale with the level requested.

By Auditors

You will need to become an accredited 3rd party commercial certification organization. We are not sure what the exact steps are on how to get this done right now. We do know that you will need to go through some sort of vetting process to become an accredited auditor. Once you’ve become accredited, you will be able to start auditing companies and handing out certifications.

An organization called the CMMC Accreditation Body. This is a non-profit organization that has signed an MOU with the DoD and will be the entity vetting and selecting C3PAOs. This process has not yet begun.

No. They have made it quite clear that they do not want the organizations who are performing the audits to also be the ones implementing the CMMC requirements for the contractor.

Like NIST 800-171, it is a requirement of CMMC to provide a System Security Plan as well as policies and procedures on how you implement the practices found in CMMC. The auditor will most likely need to provide a Report on Compliance, like that of PCI and FedRAMP.

Yes. If you want to be a successful CMMC auditor, it is important to keep the same goals in mind as the folks pushing CMMC. They want this to be cost-effective. That means we’re not dealing with a whole lot of “enterprise” customers here. We’re talking about the ENTIRE DoD supply chain, most of which are small businesses. In order to play ball, you’ll need to keep your cost low and keep the process somewhat automated.