CMMC

Simpatico helps defense contractors meet CMMC requirements through tailored strategies, expert guidance, and secure technology solutions.

The Simpatico Way


Simpatico helps defense contractors and suppliers navigate evolving DoD CMMC requirements by delivering tailored compliance strategies, secure infrastructure, and expert support—so you can achieve certification, protect sensitive data, and stay eligible for government contracts.

Cybersecurity

LATEST CMMC GUIDELINES & CERTIFICATION INFORMATION

New CMMC 2.0

The changes to the CMMC Certification and what you need to know! Learn more about CMMC 2.0 today!

DFARS Interim Rule

Find answers to the existing DFARS requirements, the interim rule, and how it relates to CMMC

CMMC FAQ

Find answers to your CMMC questions and learn more about the Cybersecurity Maturity Model Certification.

What is CMMC?


The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to strengthen the cybersecurity posture of the Defense Industrial Base (DIB). As cyber threats grow more frequent and complex, CMMC ensures that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet strict security requirements. The program provides a tiered certification model to verify that businesses have the appropriate safeguards in place to protect sensitive government data.

The CMMC framework includes three maturity levels, ranging from Basic Cyber Hygiene (Level 1) to Advanced Threat Protection (Level 3). Each level is aligned with the type and sensitivity of information a contractor handles—specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC is integrated into DoD contract requirements, with the required level specified in Sections L and M of Requests for Proposals (RFPs). This serves as a “go / no-go” decision point—meaning businesses must meet the appropriate level of certification to be eligible for contract awards.

The CMMC model integrates multiple established cybersecurity standards—including NIST SP 800-171 (Rev. 2), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others—into a single, unified framework. This approach ensures a consistent baseline of security across the Defense Industrial Base (DIB).

Beyond technical controls, CMMC also evaluates the maturity and institutionalization of an organization’s cybersecurity practices, ensuring that processes are not only implemented but effectively managed and maintained over time.

CMMC Program History

    • 2010: Executive Order 13556 established the CUI Program to standardize how sensitive government information is handled.
    • 2015–2016: The DoD implemented and revised DFARS clauses to require contractor compliance with NIST SP 800-171 by December 2017.
    • 2019: The DoD Inspector General reported widespread non-compliance within the Defense Industrial Base (DIB).
    • 2020: The National Defense Authorization Act (NDAA) directed the DoD to develop a formal cybersecurity assessment framework—laying the groundwork for CMMC.
    • 2025: The DoD will begin full implementation of CMMC requirements in contracts to ensure cybersecurity compliance is verified and enforced.

CMMC Levels

Level 1

Basic Safeguarding of FCI

Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2

Broad Protection of CUI

Requirements: Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation. Which one applies is decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems. An annual affirmation verifies compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3

Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements: Achieve CMMC Status of Final Level 2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

What level of CMMC is right for me and my business?

The CMMC reviews and combines various cybersecurity standards and best practices, mapping these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. Here’s what we know about the CMMC levels and their respective requirements:

What level of the CMMC will I need to get certified?

The level of CMMC certification you’ll need depends entirely on your contract requirements and the type of information your organization handles—primarily Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

The updated CMMC 2.0 framework simplifies the model to three levels and is designed to reduce barriers for small to mid-sized businesses while still protecting national security. Its goal is to ensure that any sensitive information your organization handles remains protected.

Most companies will fall under Level 1 or Level 2:

    • Level 1 (Foundational) requires an annual self-assessment and includes 17 basic practices based on FAR 52.204-21.

    • Level 2 (Advanced) is for organizations handling CUI and aligns with 110 practices from NIST SP 800-171 Rev. 2. Some will self-assess annually, while others must complete a triennial assessment by a C3PAO.

    • Level 3 (Expert) applies to the highest-risk contracts and includes additional practices from NIST SP 800-172, with assessments conducted by DIBCAC every three years.

Most small and medium-sized contractors will only need Level 1 or Level 2, while Level 3 will be limited to large prime contractors working on the most sensitive DoD programs.

When does CMMC go into effect?

The CMMC 2.0 Program rule was finalized on October 15, 2024, and officially went into effect on December 16, 2024. However, CMMC requirements will not begin appearing in Department of Defense (DoD) contracts until the related DFARS rule is finalized, which is expected by mid-2025.

Once the DFARS rule is complete, the DoD will begin a phased rollout of CMMC requirements over the following years. That means contractors should start preparing now—by conducting a gap assessment, implementing required controls, and aligning with their necessary CMMC level—to ensure they remain eligible for future contracts.

How do I achieve CMMC compliance?

Defense contractors are not compliant with CMMC until they coordinate with an accredited and independent third-party certification organization to perform a CMMC audit. It is in contractors’ best interest to partner with an agency like Simpatico Systems to help them prepare for a CMMC audit.


What should I do to prepare for an audit?

  • DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC audit, up to CMMC Level 3.
  • For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit.

Although the DoD contractor is ultimately responsible for ensuring their company meets the cybersecurity requirements, many DoD contractors that don’t have the resources or IT staff available to ensure compliance choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity of the CMMC.

If you would like to speak with someone about preparing for a CMMC audit, give us a call at (806) 224-0300 to schedule a free consultation.


What should I do right now?

Whether you plan to manage compliance internally or work with a partner, the first step is understanding how close—or how far—you are from meeting the requirements of CMMC 2.0. The most effective way to begin is with a third-party gap assessment to identify weaknesses in your current systems, policies, and controls.

Without this gap analysis, it’s difficult to determine what updates or changes are necessary to meet your required CMMC Level. At Simpatico Systems, our experts use these findings to develop remediation plans that fix vulnerabilities and align your environment with current DoD cybersecurity expectations.

This assessment may support your in-house team’s remediation efforts or allow a trusted partner like Simpatico to manage the entire process for you.

As a CMMC-AB Registered Provider Organization (RPO), Simpatico Systems understands the urgency and complexity of compliance. We guide contractors through NIST SP 800-171 and CMMC requirements, ensuring your cybersecurity controls are properly implemented to protect Controlled Unclassified Information (CUI) and support a successful audit and certification.

Ready to take the next step?

Our expert team is ready to help you unlock the power of AI-powered automation for your business.