Get the basics of the Cybersecurity Maturity Model Certification & see how you can get started

To standardize and enhance cybersecurity measures across its contractors, the United States DoD rolled out the Cybersecurity Maturity Model Certification (CMMC), which includes three levels of security requirements to protect the government information it shares with contractors.
CMMC will apply to DoD contractors handling federal contract information and controlled unclassified information as part of a phased rollout. The General Services Administration (GSA) has specified CMMC in several multibillion-dollar solicitations, requesting organizations’ intent to become certified.

CMMC was developed to protect sensitive information that the government provides to a third-party contractor to complete a work contract. Types of information fall into two categories:
Higher levels of CMMC requirements implement systems to protect against advanced persistent threats (APTs). An APT is an attack in which an entity hacks into a computer network and remains undetected for a long period of time, giving the hackers prolonged, unauthorized access to the network.
Our team is composed of compliance specialists and business process analysts that will embed themselves into each company’s culture and corporate structure while being overseen by a board of notable industry experts in the information technology, information security, and cybersecurity sectors.

Compliance can make or break your business. Get guidance, processes, and support providing peace of mind.
Level 1 covers 15 basic practices for protecting Federal Contract Information—self-assessed annually. Level 2 involves 110 controls aligned with NIST 800-171 and typically requires a third-party assessment. The right level depends on the type of information you handle in your contracts.
Yes. If you're part of the defense supply chain and handle FCI or CUI, certification requirements flow down to you. Prime contractors are already asking subs about their compliance status. Getting ahead of this protects your existing relationships and positions you for new opportunities.
Your timeline depends on several things: your current security maturity, how much documentation you already have in place, whether you use a managed enclave or build your own environment, and your team's capacity to implement changes. During our initial conversations, we help you understand what's realistic for your situation.
A C3PAO (Certified Third-Party Assessment Organization) conducts your official CMMC certification assessment. An RPO (Registered Provider Organization) like Prescott helps you get ready. The key difference: during an assessment, a C3PAO can only tell you "met" or "not met"—they can't tell you how to fix anything. An RPO can guide you through remediation and show you how to close your gaps.
We're a Registered Provider Organization with the CMMC Accreditation Body, but our team goes well beyond the minimum RPO requirements. We have Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) on staff, bringing assessor-level experience to your preparation—not just consulting credentials.
Yes. Our mock assessments are designed to mirror what you'll experience with a C3PAO. Because we have a certified assessor on staff, we can evaluate your readiness the same way an assessor would—but unlike a C3PAO, we can also tell you exactly how to fix what's not working.
Our mock assessments mirror the official C3PAO experience. We evaluate your environment, documentation, and practices against CMMC requirements, then tell you where you stand. The difference is we don't stop at "met" or "not met." We walk you through what needs to change and how to fix it.
Yes. Many clients come to us after working through requirements on their own or with an MSP. We often start with a consulting engagement to answer questions and identify gaps, then move into a mock assessment when you're closer to ready. It's never too late to bring in experienced guidance.
© 2021 Prescott | All rights reserved.