Cybersecurity will be mandatory across the Defense Industrial Base.

The CMMC framework was adopted by the Department of Defense (DoD) in January 2020 to enforce protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout its supply chain. The framework contains five levels to distinguish the maturity of an organization’s cybersecurity controls.

5 levels of CMMC Compliance


What Will Be Required of Defense Contractors?

Any organization serving DoD as a prime contractor or subcontractor will be required to achieve certification at the Maturity Level defined in each contract.

To be considered for contract award, contractors and their subcontractors will need to obtain an independent assessment and receive certification that they meet the Maturity Level specified within Requests for Proposals (RFPs) before the contract is awarded. Each certification level is associated with a maturity level of cyber hygiene within an organization.

What is the Difference Between CMMC and Current NIST 800-171 Requirements?

NIST 800-171 is the current requirement defined in DFARS 252.204-7012 for securing Controlled Unclassified Information (CUI). It remains the standard for all contractors until an amended DFARS is published, expected in late 2020.

  • Third Party Assessment: While compliance with NIST 800-171 and the DFARS rule was a self-assessment and self-attestation process, CMMC requires a third-party assessment performed by an accredited organization called a C3PAO.
  • Maturity Model: NIST 800-171 is a static set of security requirements, applicable to all contractors, regardless of the nature of the contract or type of data maintained. CMMC introduces a tiered maturity model that scales security requirements based upon the nature of the contract.
  • Maturity Level 3 Aligns with NIST 800-171: The security requirements in NIST 800-171 align very closely with those of CMMC Maturity Level 3. Contractors who have been diligent about complying with NIST 800-171 are likely well positioned to pursue CMMC ML-3 certification.


To assist defense contractors, DHG Technology Compliance and DHG Government Contracting maintain a forward-thinking cybersecurity team with significant experience with the NIST 800-171 and CMMC frameworks. Key members of the firm’s CMMC service team achieved Registered Practitioner status with the CMMC Accreditation Body, and DHG is now a Registered Provider Organization (RPO) in the CMMC Marketplace. This accreditation expands the firm’s offerings to consult with clients seeking the new certification and to assist them in navigating CMMC. As CMMC requirements evolve and appear in DoD Requests for Information (RFIs) and RFPs, we are helping contractors anticipate potential compliance issues and prioritize resources to meet compliance objectives with the following assistance:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Network Security Assessments and Penetration Testing
  • System Security Plan (SSP) Documentation Development
  • Security Awareness Training Program Assessment
  • vCISO and Project Management
  • NIST 800-171 Assessments and Scoring

DHG values its role as an independent assessor and advisor to contractors. We do not resell third-party products or services and are not limited to using a single platform or product as part of our capabilities. Clients are at the center of our work and we only make recommendations based upon what is in our clients’ best interests.