CMMC Explained

Cybersecurity Maturity Model Certification (CMMC) is a U.S. Government-mandated certification program designed to improve supply chain security in the defense industry. 

The Department of Defense will require all contractors to be certified to one of three CMMC levels by the end of 2025.

CMMC is a rigorous process and is intended to take you to a higher level of cybersecurity preparedness. CMMC establishes a measurable set of standards and practices for safeguarding both Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and is designed to protect both data and systems from cyber-attack. In order to preserve U.S. national security, the federal government is requiring organizations working with the DoD to become certified once CMMC final rule goes into force.

Three levels of CMMC certification.

Which CMMC certification level will you need? That depends on the type of work you do, the specifics of your DoD contract, and the kind of information you handle in the course of fulfilling the contract. Your level is determined by your DoD contracting officer and is clearly specified in your contract.

The CMMC certification levels are:

  • Level 1 – Foundational Cyber Hygiene Practice. This is a basic level of cybersecurity achieved by security-conscious organizations both within and outside of the defense industry. Level 1 certification requires compliance with 17 specific practices (security controls).

  • Level 2 – Advanced Cyber Hygiene Practice. This level incorporates the DoD cybersecurity requirements of NIST Special Publication 800-171 Rev2. Level 2 requires compliance with 110 total practices (including those of Level 1).

  • Level 3 – Expert Practice. Level 3 certification requires compliance with the standards of Level 2 (including NIST 800-171) and certain provisions of NIST Special Publication 800-172.

The Department of Defense has published CMMC 2.0 Assessment Guide, Level 1 and CMMC 2.0 Assessment Guide, Level 2 to further explain CMMC compliance requirements. An assessment guide for Level 3 has yet to be published.

Fully understanding the requirements of each level can be overwhelming for many organizations. We’re here to answer your questions. Call us today.

Upcoming Events
Data Breach: Anatomy of One Company’s Response
If the trend continues, 2023 will become another year of over 1,000 publicly reported data breaches. According to the IT Governance Blog (, this translates to over five billion compromised data records. The breaches number will undoubtedly continue in number and severity – reaffirming that cybersecurity is a pressing priority for business. Learn More >

Monarch is the Northeast’s only Certified Third Party Assessment Organization (C3PAO)