What is CMMC?
Get the basics of the Cybersecurity Maturity Model Certification & see how you can get started
What You Should Know About CMMC
To standardize and enhance cybersecurity measures with their contractors, the United States DoD rolled out the Cybersecurity Maturity Model Certification, which includes three levels of security requirements to protect government information they share with contractors.
CMMC will apply to DoD contractors handling federal contract information and controlled unclassified information as part of a phased rollout. The General Services Administration (GSA) has specified CMMC in several multi-billion dollar solicitations, requesting organizations’ intent to become certified.
Different Types of Information CMMC Protects
CMMC was developed to protect sensitive information provided by the government to complete a work contract through a third party contractor. Types of information fall into two categories:
- Federal Contract Information (FCI): Information provided by the government through a contract that is not intended for public release but necessary to complete the product or service.
- Controlled Unclassified Information (CUI): Information, including laws, that needs safeguarding or is not intended for public release, but does not include classified information.
Higher levels of CMMC requirements implement systems to protect against advanced persistent threats (APT). An ATP is an attack where an entity hacks into a computer network without being detected for a long period of time, giving the hackers prolonged, unauthorized access to the computer network.
Prescott: Experts in CMMC
Our team is composed of compliance specialists and business process analysts that will embed themselves into each company’s culture and corporate structure while being overseen by a board of notable industry experts in the information technology, information security, and cybersecurity sectors.
Give your business the Green Light
Compliance can make or break your business. Get guidance, processes, and support providing peace of mind.
Frequently Asked Questions
Level 1 covers 15 basic practices for protecting Federal Contract Information:
- Self-assessed annually
- Foundational cybersecurity hygiene
- No third-party assessment required
Level 2 involves 110 controls aligned with NIST 800-171:
- Protects Controlled Unclassified Information (CUI)
- Typically requires third-party assessment
- More comprehensive security requirements
The right level depends on the type of information you handle in your contracts. If you're working with CUI, you'll need Level 2.
Yes. If you're part of the defense supply chain and handle FCI or CUI, certification requirements flow down to you.
What's happening now:
- Prime contractors are already asking subs about their compliance status
- Getting ahead of this protects your existing relationships
- Positions you for new opportunities
Even if you're several tiers down, you'll eventually need certification to maintain DoD work.
Your timeline depends on several things:
Current state:
- Your current security maturity level
- How much documentation you already have in place
Implementation approach:
- Whether you use a managed enclave or build your own environment
- Your team's capacity to implement changes
Typical timelines:
- Organizations with some security measures: 6-12 months
- Starting from scratch: 12-18+ months
During our initial conversations, we help you understand what's realistic for your situation.
C3PAO (Certified Third-Party Assessment Organization):
- Conducts your official CMMC certification assessment
- Can only tell you "met" or "not met" during assessment
- Cannot tell you how to fix anything
RPO (Registered Provider Organization) like Prescott:
- Helps you get ready for certification
- Can guide you through remediation
- Shows you how to close your gaps
The key difference: During an assessment, a C3PAO can't help you fix problems. An RPO can guide you before the assessment, so you're actually ready.
We're a Registered Provider Organization with the CMMC Accreditation Body, but our team goes well beyond the minimum RPO requirements.
Our credentials:
- Certified CMMC Professionals (CCPs)
- Certified CMMC Assessors (CCAs) on staff
- Assessor-level experience applied to your preparation
- Not just consulting credentials
We can evaluate your readiness the same way an assessor would, but we can also tell you exactly how to fix what's not working.
Yes. Our mock assessments are designed to mirror what you'll experience with a C3PAO.
Why this matters:
- We have a certified assessor on staff
- We evaluate your readiness the same way an assessor would
- Unlike a C3PAO, we don't stop at "met" or "not met"
We walk you through what needs to change and how to fix it. This way, when you go through the real assessment, you know you're ready.
Our mock assessments mirror the official C3PAO experience:
We evaluate:
- Your environment and infrastructure
- Documentation and policies
- Practices against CMMC requirements
You receive:
- Clear assessment of where you stand
- Identification of gaps and weaknesses
- Specific guidance on what needs to change
- Step-by-step remediation recommendations
We don't stop at "met" or "not met." We show you exactly how to fix what's not working.
Yes. Many clients come to us after working through requirements on their own or with an MSP.
Our approach:
- Often start with a consulting engagement to answer questions and identify gaps
- Move into a mock assessment when you're closer to ready
- Fill in the missing pieces without starting from scratch
It's never too late to bring in experienced guidance. We meet you where you are.
Quick Links
© 2021 Prescott | All rights reserved.