Cybersecurity Maturity Model Certification (CMMC)

We will help you demonstrate the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier. You can reach 100% compliance months before the Audit comes. Don't wait until the last minute to get started.


CMMC Assessment Service: DoD Audit Preparation

We help DoD Contractors throughout the United States prepare for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Audits by conducting an assessment and effectively implementing NIST security controls. We’ve helped hundreds of DoD contractors navigate the hurdles of DoD cybersecurity requirements and we would be happy to do the same for you.

About DCAP

The Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for Defense Contractors to comply with the DFARS and NIST 800-171

Reimbursement for NIST 800-171 Gap Analysis.

CMMC Requirements Timeline

Q4 2019

DoD releases CMMC Levels and associated NIST 800-171 controls. Non-profit selected to lead certification process.

January 2020:

CMMC Rev 1.0 Released. Auditors to begin certifying contract bodies. There will likely be a backlog as 70,000 companies require audits within a short time-frame.

June 2020:

CMMC Requirements to be included in Requests for Information (RFI)

Late 2020:

DoD contractors must be certified to bid on Requests for Proposals (RFPs)


Making CMMC levels mandatory in all new DoD RFPs.

The CMMC Model

What Are The CMMC Levels?

The CMMC consists of five levels of controls. Level 1 is designed for businesses that process little or no DoD data, but are on a DoD contract.
Level 5 is for major contract bodies with heavy involvement with DoD Supply Chain and data control. This is the highest level of scrutiny and controls applied.
Each CMMC level encapsulates the previous level and adds additional set of controls.


Frequently Asked Questions

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”

The DoD plans to release version 1.0 in January 2020. This leaves contractors just six months to prepare before CMMC starts appearing in Requests for Information (RFIs) in June 2020.

Many of the same controls that are in NIST 800-171 will be included in CMMC along with controls from other standards such as ISO, FedRAMP, and various NIST frameworks.
CMMC also requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.

No, the CMMC  requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.

Existing DoD contracts that contain the 252.204-7012 DFARS clause will still require your organization to provide documentation proving compliance with 800-171. We don’t know if Contracting Officers will be asked to modify active contracts to swap CMMC and 800-171. This may end up being a per-contract decision. CMMC is different than NIST 800-171, but the controls can be mapped from 800-171 to the levels of certification within CMMC.

Yes. All companies doing business with Department of Defense will need to obtain CMMC
Even if you are a subcontractor.

Step one is to get NIST 800-171 documentation out of the way. You can do a self-assessment of the 800-171 controls or hire a third-party service company to do a GAP analysis to determine your current level of compliance. This is where we come in, our auditors will do a “by the book” assessment against the current CMMC version and provide you with a roadmap to compliance toward the final 1.0 version. This is your opportunity to get 90% of the work done before the competition and ahead of the last-minute rush to get validated.

The second step is to map your 800-171 assessment to the CMMC requirements once they’re released. Be ready to address the gaps you find during mapping and implement solutions to remediate them. We will provide you with an SSP, POAM and remediation actions to complete.

The third step is to find an authorized 3rd party to audit your assessment and give you a certification for the level you need. You should have no trouble finding an auditor even before the requirements are released, since its very likely existing 800-171 service companies will transition to CMMC auditors.

We’re not sure yet. They are still considering that part. The CMMC Accreditation Body will make that determination. 

Our Assessment Service is cost-effective and practical. Our existing 800-171 platform can get you your NIST 800-171 documentation, and when the time comes, we’ll migrate you to the new Final CMMC standard at no additional cost. We’ve also screened several auditing organizations and selected our partners based on the promise that they keep their cost low when working with our clients. The cost and associated assessment will likely scale with the level requested.

The Auditors

The Office of the Undersecretary of Defense (Acquisition & Sustainment) (OUSD(A&S)) in the Department of Defense has issued an RFI (Request for Information), found here, to determine if a non-profit entity could successfully function as the Accreditation Body for CMMC.

There’s nothing definitive on what type of deliverables we’ll be looking at. However, one could probably surmise that the contractor will need to provide some sort of System Security Plan, similar to that of NIST 800-171, a POA&M and the auditor will most likely need to provide a Report on Compliance, similar to that of PCI and FedRAMP.


If you want a successful CMMC audit, NOW is the time to prepare. Let ACT Security help you along the way to compliance. We’re talking about you getting the edge on the competition and ready to go on day one of the requirement.


Get in Touch

(210) 722-2479