CMMC

Cybersecurity Maturity Model Certification (CMMC) – COMING SOON!

CMMC was initiated by the U.S. Department of Defense (DoD) to protect the DoD Controlled Unclassified Information (CUI) that exists throughout the Defense Industrial Base (DIB) from our adversaries who would like to steal or sabotage the data.

DoD suppliers that to remain a supply they must implement and becoming certified to the relevant maturity level of the CMMC Standard 1.0 as specified by DoD in their contracts.

There are 5 possible levels certification and the required level per vendor will be written in contracts by DoD.  These levels are determined based on data risk and the security controls are assigned based on this risk. Below are the level controls and the general applicability for reference: 

  • CMMC Level 1: 17 Controls. Could be applicable to a basic office supply vendor.
  • CMMC Level 2: 72 Controls (includes Level 1 controls)
  • CMMC Level 3: 130 Controls (includes Level 2 controls) Applies to vendors with DoD prints and specifications – often flow down requirements to operations like a machine shop or other component manufacturers.
  • CMMC Level 4: 156 Controls (includes Level 3 controls) Applies to vendors who would be producing a final product that would go into or with a level 5 vendor
  • CMMC Level 5: 171 Controls (includes Level 4 controls) This is applicable to a primary defense contractor such as Boeing, Lockheed Martin or Raytheon.  This level will be only audited and certified by DoD – not 3CPAOs.

Status:

  • CMMC is still in the “rule making process” for this program
  • CMMC is conducting pilot audits for a few select organizations approved by DoD
  • CMMC is training and approving auditors
  • CMMC is taking applications from 3CPAOs
  • CMMC is finalizing requirements for trainers and training organizations
  • CMMC must meet ISO 17011 which are international requirements for acting as an Accreditation Body and will be working on this implementation over the next 2 years.
  • Open market demand for certification for DoD suppliers is expected to begin 2026

Fore more information, please visit the CMMC website.

Performance Review Institute Registrar is actively seeking CMMC accreditation as a 3CPAO.