
The Cybersecurity Maturity Model Certification (CMMC) is a brand-new cybersecurity compliance stipulation for existing Department of Defense (DoD) contractors. CMMC replaces the current self-assessment model and now requires third-party certification.

CMMC is built upon existing requirements like:

  • NIST SP 800-171
  • NIST SP 800-53
  • AIA NAS9933
  • DFARS 252.204-7012

It’s the next phase of the DoD’s efforts to completely secure all aspects of the Defense Industrial Base (DIB). There will be five (5) CMMC levels designed to assess and measure the cybersecurity practices of contractors, and vendors can prepare now by undergoing a thorough CMMC audit:

  • Level 1: Basic Cyber Hygiene for Practices and Performed for Processes
  • Level 2: Intermediate Hygiene for Practices and Documented for Processes
  • Level 3: Good Cyber Hygiene for Practices and Managed for Processes
  • Level 4: Proactive for Practices and Reviewed for Processes
  • Level 5: Advanced/Progressive for Practices and Optimizing for Processes

Contractors are judged not only on the implementation of technical controls; the institutionalization of their documentation and policies is also measured. Everyone in the DoD supply chain must be certified.

RSI Security is a CMMC-AB Registered Provider Organization and has a team of CMMC-AB Registered Practitioners.



What are C3PAO (Certified Third-Party Assessment Organizations)?

C3PAOs (Certified Third-Party Assessment Organizations) will be the sanctioned assessors, licensed and certified to help you achieve compliance with all CMMC (Cybersecurity Maturity Model Certification) regulations.

RSI Security is undergoing the process to become a C3PAO (Certified Third-Party Assessment Organization).


CMMC Certification Requirements

Any company, business, or organization that does business with the DoD will be required to meet CMMC requirements. CMMC levels are put forth by the DoD, and a C3PAO (Certified Third-Party Assessment Organization) will help you determine what level is necessary depending on whether your company simply handles Federal Contract Information (FCI) or also handles Controlled Unclassified Information (CUI).

CMMC DoD requirements take into account the maturity of your company’s institutional cybersecurity processes and practices. Working with a C3PAO as soon as possible will help you adjust your cybersecurity infrastructure to this new, third-party compliance standard and ensure your continued success as a DoD contractor.


Cybersecurity Maturity Model Certification (CMMC) Levels

CMMC Level 1:

Basic Cyber Hygiene/Performed

Anyone doing business with the DoD must achieve at least Level 1 compliance. This level requires basic cybersecurity hygiene practices appropriate for smaller companies that only handle FCI. No processes are required. Level 1 controls are equivalent to all of the safeguarding requirements of FAR Clause 52.204-21.

CMMC Level 2:

Intermediate Cyber Hygiene/Documented

Level 2 involves universally accepted cybersecurity best practices that would be well-documented, with access to CUI requiring multi-factor authentication. Level 2 is not designed to be a destination. It is a transitional level for companies that are moving toward a Level 3 certification.

CMMC Level 3:

Good Cyber Hygiene/Managed

All of the NIST SP 800-171 Practices are required at this level plus 20 additional requirements from other compliance frameworks. The goal of this level is to protect CUI. Processes at this level are well-followed and maintained, with a comprehensive knowledge of all cyber assets.

CMMC Level 4:


Level 4 requires the implementation of 26 additional advanced and sophisticated cybersecurity practices based largely on the CMMC adaptation of NIST SP 800-171B. Controls at this level are focused on thwarting Advanced Persistent Threats (APT). Level 4 processes are regularly reviewed, properly resourced, and improved company-wide.

CMMC Level 5:


Level 5 requires 44 additional security practices, most of which are CMMC adaptations of NIST SP 800-171B. The focus is to thwart APTs. Highly advanced cybersecurity practices must be in place, and processes implemented at this level must be continually reviewed and improved across your enterprise with machine-speed breach response.


How can RSI Security help your organization prepare for certification?

Cybersecurity Maturity Model Certification (CMMC) doesn’t have to be a headache. As a top compliance certification company, RSI Security can help you prepare to meet the CMMC certification requirements as soon as possible.

As a seasoned QSA (Qualified Security Assessor), ASV (Approved Scanning Vendor), authorized HITRUST CSF Assessor, and veteran in helping companies achieve compliance in various frameworks and industries, including NIST 800-171 and DFARS, we are prepared to help you get all of your internal processes and practices up to par in preparation for CMMC.

Ready to get started? Contact a compliance expert at RSI Security now to start preparing for your own upcoming CMMC assessment.






Get started on your CMMC compliance journey. Speak with one of our compliance experts today!
