Cybersecurity Maturity Model Certification (CMMC) – COMING SOON!

CMMC 1.0 was initiated by the U.S. Department of Defense (DoD) in September 2020 to protect the DoD Controlled Unclassified Information (CUI) that exists throughout the Defense Industrial Base (DIB) from our adversaries who would like to steal or sabotage the data.

In March 2021, the DoD initiated an internal review of the CMMC program implementation leading to a refinement of the policy and program by cybersecurity leaders. As a result, The CMMC Standard was revised to 2.0 in November 2021. There are now 3 possible levels certification and the required level per vendor will be written in contracts by DoD.  These levels are determined based on data risk and the security controls are assigned based on this risk. Below are the level controls and the general applicability for reference: 

  • CMMC Level 1 (ML1) Foundation: 17 practices. Could be applicable to a low-risk office supply vendor.  There is an option for self -determination by supplier. CMMC recommends suppliers still considering seeking  certification by an accredited C3PAO.

  • CMMC Level 2 (ML2) Advanced: 110 controls, including NIST SP 800-171. Applies to vendors with DoD prints and specifications – often flown down requirements to operations like a machine shop or other component and product manufacturers.  Suppliers required to achieve triennial certification by an accredited C3PAO.

  • CMMC Level 3 ML3) Expert: 110 controls. This is applicable to a high-risk primary defense contractor such as Boeing, Lockheed Martin or Raytheon.  This level will be certified by US Government – DoD only.

DoD suppliers must implement the relevant maturity level of the CMMC Standard as specified by DoD in their contracts.


  • CMMC 2.0 Rules are expected to be released mid 2023 pending DoD approval timeline

  • CMMC is conducting pilot audits for a few select organizations approved by DoD

  • CAICO (CMMC subsidiary) is facilitating training and approving assessors and instructors

  • CMMC is taking applications from C3PAOs (like PRI Registrar)

  • CMMC is currently approving Registered Provider Organization (RPO), and Registered Practitioners (RP) to support suppliers with implementation

  • CMMC must meet ISO 17011 which are international requirements for acting as an Accreditation Body and is actively working on implementation these requirements. Their plan is to complete by late 2022 or early 2023

  • Open market demand for certification for DoD suppliers is expected to begin 2023 -2024 pending DoD final approval

For more information, please visit the CMMC website.

Performance Review Institute Registrar will be seeking CMMC accreditation as a C3PAO in 2023.