Cybersecurity Maturity Model Certification

CMMC Certification Preparation for DoD Contractors

How Department of Defense Contractors Can Best Prepare for Their CMMC Audit

What is CMMC?

The Department of Defense is taking steps to further prevent the loss of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB) as it is critical to maintaining national security. Those steps birthed the CMMC requirement, which builds upon their existing regulations (DFARS 252.204-7012) and combines various cybersecurity control standards (e.g., National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, International Organization for Standardization (ISO) 27001, and Aerospace Industries Association National Aerospace Standards 9933, etc.) into a single, unified standard for cybersecurity. The CMMC program will require DoD suppliers to achieve and maintain certification through a verification process that assesses the institutionalization and maturity of cybersecurity practices and processes.


The CMMC model is based on 5 Levels of Practices and Processes as shown in Figure 1. Practices range from a Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). Processes range from being Performed at Level 1 up to being Optimized across the organization at Level 5. In order to meet a specific CMMC level, an organization must meet the practices and processes within that level as well as those below it.

Once implemented, offerors will be required to hold a CMMC certificate at a specified level or higher to be eligible for award on DoD solicitations. To obtain a CMMC certification, companies will coordinate directly with an independent, accredited Certified Third-Party Assessment Organization (C3PAO) to request and schedule a CMMC assessment. Upon successful demonstration of the appropriate capabilities and organizational maturity, the organization will receive the corresponding CMMC level certification.

What Steps Should I Take to Become Compliant?

S3 understands that Cybersecurity is a complex and difficult subject.  Our knowledgeable and experienced professional services staff can help expedite your CMMC in a clear and concise manner. We help you navigate the CMMC standard, cybersecurity regulations, and best practices no matter the size or complexity of your business. S3 has also partnered with a major university responsible for educating suppliers on the CMMC standard and requirements within the State of Ohio. S3 will provide Cybersecurity subject matter expertise in support of content development and delivery, seminars, working groups, and roundtable discussions. Our approach begins here:

1. A Gap Analysis

One of the first steps in identifying what risks your company is most susceptible to is by conducting a  gap analysis. A gap analysis will expose any deficiencies against the current DFARS Cybersecurity requirements and the upcoming, growing CMMC regulations.

2. Certification

The greatest change in today’s new DoD requirements is long gone are the days of self-attestation. Instead, CMMC certification will be done by an independent C3PAO. The capabilities DoD suppliers will be required to implement for each maturity level are briefly defined in Figure 2 below. Hiring a third party in advance to conduct a thorough evaluation and gap analysis of your current cybersecurity controls ensures your company’s information security program is ready for assessment by the C3PAO.



3. Timing

The DoD expects to include CMMC certification levels in RFI and RFPs starting Q3 of 2020. If you are a current DoD supplier, or plan to be, now is the time to strengthen your existing cybersecurity processes, policies, and systems.

Pass Your Upcoming CMMC Audit with Confidence

We are helping DoD suppliers throughout the U.S. navigate the complexities of CMMC with ease and pride.

To gain a competitive advantage in these evolving times, consider being proactive in taking the first step in preparation for the CMMC audit. With us, you can achieve the highest CMMC level in line with your business size and objectives.


This email address is being protected from spambots. You need JavaScript enabled to view it.