Cyberattacks pose a real threat to our national security and the Defense Industrial Base (DIB). The Department of Defense (DoD) has formulated a framework to combat these threats, called the Cybersecurity Maturity Model Certification (CMMC). This framework is a cohesive mix of multiple cybersecurity requirements, aiming to replace NIST SP 800-171. Mature cybersecurity processes and practices will serve as the foundation for CMMC and DoD contracting. Contractors and subcontractors will need to possess the proper CMMC certification in late 2020 to bid on Requests for Proposals.


CMMC Levels

Level 1: Basic Cyber Hygiene - Safeguarding Federal Contract Information (FCI)

  • 17 Security Controls

Level 2: Intermediate Cyber Hygiene - Transitional step progression to protect Controlled Unclassified Information (CUI)

  • 46 Additional Security Controls

Level 3: Good Cyber Hygiene - Protection of CUI

  • 47 Additional Security Controls in addition to the completion of the first two levels
  • Equivalent to the 110 controls in NIST SP 800-171

Level 4: Proactive - Protection of CUI and risk of Advanced Persistent Threats (APTs)

  • 26 More Controls in Addition to NIST 800-171

Level 5: Advanced - Protection of CUI and risk of APTs

  • 30 More Controls in Addition to NIST 800-171

Who Needs to Be Compliant?


Small, medium and large businesses contracting with the DoD are required to comply with NIST SP 800-171. It can become a herculean task for small businesses to keep up with the costs and effort needed to comply with NIST. On the other hand, CMMC will be cost-effective for small businesses to achieve the minimum Level 1 requirement, whereas larger businesses must achieve the Level 3 requirement.

CMMC is a third-party certification system, which means contractors can no longer self-certify their compliance. This new framework will reduce confusion when determining compliance and aid in reducing the risk of False Claims Act (FCA) liability.

Charles IT Can Help by Utilizing Our Two-Step Process!


Step 1: Gap Assessment

Before your business is audited and receives its maturity level certification, there is a step you should take to ensure you meet the level that is required. This important step is called a Gap Assessment. It will determine the “gaps” or holes in your business’s security posture and show you what you need to do to fill those gaps.

Charles IT wants to help make sure you’re compliant so that you can take on the contracts that are critical to your business. Whichever level you are looking to achieve, a Gap Assessment should be performed so there are no surprises come audit time. Let us assess all the gaps in your cybersecurity posture and devise a plan to remediate them so you can be on your way to a CMMC certification.

Step 2: CMMC Services


Our Security Services Include:
