What is CMMC?

Whether you’re a prime contractor, a small business, or part of the broader defence industrial base, protecting sensitive information and maintaining the integrity of your information systems is critical when doing business with the United States Department of War (U.S. DoW).

At the heart of U.S. DoW’s cybersecurity requirements is the Cybersecurity Maturity Model Certification (CMMC), which provides a unified standard for assessing and verifying contractors’ cybersecurity readiness, ensuring that all partners meet the necessary protections for handling controlled and sensitive defence information.

About CMMC

The CMMC combines many different cybersecurity standards — including those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Aerospace Industries Association and others — into a single, unified standard for cybersecurity.

CMMC originally established a multi-level model to assess and verify contractors’ cybersecurity practices. CMMC 2.0 streamlines the framework into three levels, reducing complexity while maintaining strong protection for sensitive U.S. DoW information.

CMMC 2.0 assessments

To comply, organizations must undergo assessments to evaluate their cybersecurity practices and achieve a maturity level appropriate to their role in U.S. DoW contracts and the sensitivity of the information they handle.

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. This means:

Level 1 – Annual self-assessment

For contractors doing business with the U.S. DoW at CMMC 2.0 Level 1, compliance with the 15 cybersecurity requirements outlined in FAR clause 52.204-21 is mandatory.

These requirements are assessed annually by the contractor, and the results are recorded in the Supplier Performance Risk System (SPRS).

Level 2 – Self-assessment

To achieve CMMC 2.0 Level 2 Self status, contractors must comply with the 110 cybersecurity requirements outlined in NIST SP 800-171 Revision 2, as mandated by DFARS clause 252.204-7012.

Contractors conduct these assessments at least once every three years, and the results are recorded in the Supplier Performance Risk System (SPRS). The resulting CMMC Status is valid for three years from the official CMMC Status Date, as defined in § 170.4.

Following each formal assessment, and annually thereafter, organizations must provide a senior-level affirmation confirming ongoing compliance. Failure to submit this annual affirmation will cause the assessment status to lapse, requiring the contractor to update their SPRS record to maintain compliance.

Level 2 – Advanced (C3PAO assessment)

To achieve CMMC 2.0 Level 2 certification through a C3PAO, contractors must comply with the 110 cybersecurity requirements outlined in NIST SP 800-171 Revision 2, as mandated by DFARS clause 252.204-7012.

Assessments are conducted by a Certified Third-Party Assessment Organization (C3PAO) at least once every three years, and the results are recorded in the CMMC Enterprise Mission Assurance Support Service (eMASS).

The resulting CMMC Status is valid for three years from the official CMMC Status Date, as defined in § 170.4. Following each assessment, and annually thereafter, organizations must provide a senior-level affirmation confirming ongoing compliance. Failure to submit this affirmation will cause the assessment status to lapse, and the contractor must update their record in SPRS to maintain compliance.

The CMMC Accreditation Body (The Cyber AB) will accredit C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.

Level 3 – Expert (Government-led assessment)

To achieve CMMC 2.0 Level 3 certification, contractors must comply with the 110 cybersecurity requirements from NIST SP 800-171 Revision 2, as well as 24 additional practices selected from NIST SP 800-172 (February 2021), as detailed in Table 1 of § 170.14(c)(4). A prerequisite Level 2 C3PAO certification for the same CMMC Assessment Scope is required before undergoing a Level 3 assessment.

Level 3 assessments are conducted by the U.S. DoW Information System Security Certification and Accreditation Center (DIBCAC) at least once every three years, and the results are recorded in the CMMC Enterprise Mission Assurance Support Service (eMASS).

The resulting CMMC Status is valid for three years from the official CMMC Status Date, as defined in § 170.4. Following each assessment, and annually thereafter, organizations must provide a senior-level affirmation confirming ongoing compliance. Failure to submit this affirmation will cause the assessment status to lapse, and the contractor must update their record in SPRS to remain in compliance.

In addition, the annual Level 2 C3PAO affirmation must continue to be completed to maintain prerequisite compliance for Level 3 certification.