Cybersecurity will be mandatory across the Defense Industrial Base.

The CMMC framework was adopted by the Department of Defense (DoD) in January 2020 to enforce protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout its supply chain. The framework contains five levels to distinguish the maturity of an organization’s cybersecurity controls.

5 levels of CMMC Compliance


What Will Be Required of Defense Contractors?

Any organization serving DoD as a prime contractor or subcontractor will be required to achieve certification at the Maturity Level defined in each contract.

In order to be considered for contract award, contractors and their subcontractors will need to obtain an independent assessment and receive certification that they meet the Maturity Level specified within Requests for Proposals (RFPs) prior to award of the contract. Each certification level is associated with a maturity level of cyber hygiene within an organization.

What is the Difference Between CMMC and Current NIST 800-171 Requirements?

NIST 800-171 is the current requirement defined in DFARS 252.204-7012 for securing Controlled Unclassified Information (CUI). It remains the standard for all contractors until an amended DFARS is published, expected in late 2020.

  • Third-Party Assessment: While compliance with NIST 800-171 and the DFARS rule was a self-assessment and self-attestation process, CMMC requires a third-party assessment performed by an accredited organization called a C3PAO.
  • Maturity Model: NIST 800-171 is a static set of security requirements, applicable to all contractors, regardless of the nature of the contract or type of data maintained. CMMC introduces a tiered maturity model that scales security requirements based upon the nature of the contract.
  • Maturity Level 3 Aligns with NIST 800-171: The security requirements in NIST 800-171 align very closely with those of CMMC Maturity Level 3. Contractors who have been diligent about complying with NIST 800-171 are likely well positioned to pursue CMMC ML-3 certification.


Experience Assisting Contractors with Securing Data

To assist defense contractors, DHG IT Advisory and DHG Government Contracting maintain a forward-thinking cybersecurity team with significant experience with NIST 800-171 and CMMC frameworks. As CMMC requirements evolve and appear in DoD Requests for Information (RFIs) and RFPs, we are helping contractors anticipate potential compliance issues and prioritize resources to meet compliance objectives with the following assistance:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Network Security Assessments and Penetration Testing
  • System Security Plan (SSP) Documentation Development
  • Security Awareness Training Program Assessment
  • vCISO and Project Management
  • Security Program Design and Advisory

DHG values its role as an independent assessor and advisor to contractors. We do not resell third-party products or services and are not limited to using a single platform or product as part of our capabilities. Clients are at the center of our work and we only make recommendations based upon what is in our clients’ best interests.