


The new Cybersecurity Maturation Model Certification (CMMC) is more than a good idea; it’s a requirement for companies that want to do business with the US Department of Defense and their supply chain partners. Its goal is to ensure protection of sensitive information, particularly controlled unclassified information (CUI).

Following 2 years of insufficient cyber security compliance and multiple data leaks, CMMC is a direct effort to reduce cyber security risk stemming from 3rd-party contractors. Relative to the previous DFARS standards (based on NIST 800-171), the new standards include some additional controls, replace self-assessment with required certification by Certified 3rd Party Assessment Organizations (C3PAOs), and extend compliance requirements beyond the contractor to their entire supply chain.


There are 5 levels of maturity expectations, based primarily on contract needs and each participating organization’s potential impact on CUI security. Each maturity level builds upon the previous level, adding controls for greater security.

Level 1 is for organizations with the potential to indirectly influence the CUI environment. These may include companies such as landscapers, bookkeepers, HR recruiters, and training consultants. Level 1 calls for basic cyber hygiene. There are 17 basic controls.

Level 2 is for organizations with the potential to directly influence the CUI environment. Cyber security consultants, janitorial services, document shredders, and IT service providers might fall under this category. Level 2 adds 48 NIST 800-171 controls and 7 new CMMC “intermediate” hygiene controls to the Level 1 controls.

Levels 3 and up are for organizations that store, process, or transmit CUI. They are contractually obligated to protect CUI. They administer assets within a CUI environment. Level 3 adds the remainder of NIST 800-171 Rev. 1 controls, as well as 20 CMMC “good” hygiene controls.

Levels 4 and 5 require contractors to apply advanced controls to protect against Advanced Persistent Threats (APTs). Level 4 adds 11 NIST 800-171 Rev. B controls and 15 CMMC “proactive” cybersecurity controls. Level 5 adds a further 4 NIST 800-171 Rev. B controls and 11 CMMC “advanced” cybersecurity controls. In total, Level 5 requires 171 controls.


You may be one of the many organizations facing first-time compliance requirements related to Department of Defense contracts. Or, you may be familiar with DFARS compliance and have established CUI protections in place. Either way, getting help adopting this new standard and preparing for your assessment is recommended by the CMMC Accreditation Body.

GMI offers CMMC compliance services for organizations of various sizes and capabilities. Whether your need is for a point-in-time gap analysis, development of your compliance program, or ongoing management of your compliance efforts, GMI has SMEs ready to assess your computing environment and operations, prescribe a security architecture, and help you implement the security practices required to fulfill CMMC requirements.

Because no two organizations are alike, GMI solutions will always consider your unique technical and human capabilities to develop an achievable and sustainable compliance strategy that is “right-sized” to your unique business needs and environment. 


CMMC can be complicated, but it doesn’t have to be. Contact us today to learn more about how we can help.
