CMMC

Simpatico helps defense contractors meet CMMC requirements through tailored strategies, expert guidance, and secure technology solutions.

The Simpatico Way


Simpatico helps defense contractors and suppliers navigate evolving DoD CMMC requirements with tailored compliance strategies, secure infrastructure, and expert support—so you can achieve certification, protect sensitive data, and stay eligible for government contracts.

Ready to get compliant?
Contact us today to speak with a compliance expert and learn how Simpatico can simplify your CMMC journey.

Download our eBook: The Defense Contractor’s Guide to CMMC Compliance. Understand certification levels, prep for assessments, avoid legal risks, and see how Simpatico Systems supports your path to compliance.

Cybersecurity

LATEST CMMC GUIDELINES & CERTIFICATION INFORMATION

New CMMC 2.0

The changes to the CMMC Certification and what you need to know! Learn more about CMMC 2.0 today!

DFARS Interim Rule

Find answers to the existing DFARS requirements, the interim rule, and how it relates to CMMC

CMMC FAQ

Find answers to your CMMC questions and learn more about the Cybersecurity Maturity Model Certification.

What is CMMC?


The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to strengthen the cybersecurity posture of the Defense Industrial Base (DIB). As cyber threats grow more frequent and complex, CMMC ensures that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet strict security requirements. The program provides a tiered certification model to verify that businesses have the appropriate safeguards in place to protect sensitive government data.

The CMMC framework includes three maturity levels, ranging from Basic Cyber Hygiene (Level 1) to Advanced Threat Protection (Level 3). Each level is aligned with the type and sensitivity of information a contractor handles—specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC is integrated into DoD contract requirements, with the required level specified in Sections L and M of Requests for Proposals (RFPs). This serves as a “go / no-go” decision point—meaning businesses must meet the appropriate level of certification to be eligible for contract awards.

The CMMC model integrates multiple established cybersecurity standards—including NIST SP 800-171 (Rev. 2), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others—into a single, unified framework. This approach ensures a consistent baseline of security across the Defense Industrial Base (DIB).

Beyond technical controls, CMMC also evaluates the maturity and institutionalization of an organization’s cybersecurity practices, ensuring that processes are not only implemented but effectively managed and maintained over time.

CMMC Program History

    • 2010: Executive Order 13556 established the CUI Program to standardize how sensitive government information is handled.
    • 2015–2016: The DoD implemented and revised DFARS clauses to require contractor compliance with NIST SP 800-171 by December 2017.
    • 2019: The DoD Inspector General reported widespread non-compliance within the Defense Industrial Base (DIB).
    • 2020: The National Defense Authorization Act (NDAA) directed the DoD to develop a formal cybersecurity assessment framework—laying the groundwork for CMMC.
    • 2025: The DoD will begin full implementation of CMMC requirements in contracts to ensure cybersecurity compliance is verified and enforced.

CMMC Levels

Level 1

Basic Safeguarding of FCI

Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2

Broad Protection of CUI

Requirements: Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation; which one applies is decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems. Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3

Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements: Achieve CMMC Status of Final Level 2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

What level of CMMC is right for me and my business?

The CMMC combines various cybersecurity standards and best practices and maps their controls and processes across several maturity levels, ranging from basic cyber hygiene to advanced protection. Here’s what we know about the CMMC levels and their respective requirements:

What level of the CMMC will I need to get certified?

The level of CMMC certification your organization needs depends on the type of DoD information you handle — either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — and what your contract requires.

CMMC 2.0 is simplified into three levels, designed to protect sensitive information while reducing unnecessary burden on small and mid-sized defense contractors.

Level 1 — Basic Safeguarding of FCI

Designed for contractors who only handle FCI.

Requirements:

  • 15 security requirements from FAR 52.204-21

  • Annual self-assessment performed by the contractor

  • Annual affirmation in SPRS

  • Results must be entered in SPRS

  • POA&Ms are not permitted

Validity: 1 year from assessment date


Level 2 — Protection of CUI

Designed for contractors handling CUI.

Requirements:

  • 110 security requirements from NIST SP 800-171 Rev. 2

  • Assessment is either:

    • Self-assessment every 3 years OR

    • C3PAO third-party assessment every 3 years
      → Determined by the type and sensitivity of CUI in the contract

  • Annual affirmation in SPRS

  • Results entered into SPRS or eMASS depending on assessment type

  • POA&Ms permitted, must be closed within 180 days

  • Conditional CMMC Status allowed while POA&Ms are open

Validity: 3 years from assessment date


Level 3 — Advanced Protection of CUI

Applies to the highest-risk DoD programs impacted by advanced cyber threats.

Requirements:

  • All Level 2 requirements plus

  • 24 additional security requirements from NIST SP 800-172

  • Assessed by DIBCAC every 3 years

  • Annual affirmation in SPRS

  • POA&Ms permitted, must be closed within 180 days

  • Requires Level 2 C3PAO Certification as a prerequisite

  • Conditional CMMC Status allowed while POA&Ms are open

Validity: 3 years from assessment date

Most small and medium-sized contractors will only need Level 1 or Level 2, while Level 3 will be limited to large prime contractors working on the most sensitive DoD programs.

When will CMMC contract requirements begin?

The final program rule (32 CFR) for CMMC 2.0 became effective on December 16, 2024. However, the contractual requirement for new Department of Defense (DoD) solicitations and contracts begins November 10, 2025, when the 48 CFR/DFARS acquisition rule becomes enforceable.

How the rollout works
CMMC 2.0 will be implemented in a four-phase rollout for DoD contracts:

  • Phase 1 (Nov 10 2025): New solicitations may require CMMC Level 1 (self-assessment) or Level 2 (self-assessment) — and in some cases Level 2 third-party assessment.

  • Phase 2 (Nov 10 2026): Applicable solicitations/contracts begin requiring Level 2 third-party certification.

  • Phase 3 (Nov 10 2027): Broader Level 3 requirements apply and option periods/renewals incorporate CMMC clauses.

  • Phase 4 (Nov 10 2028): Full implementation — all applicable solicitations and contracts will include CMMC requirements as a condition of award.

What you should do now
If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), start your readiness now: conduct a gap assessment, identify your appropriate CMMC level, document your controls and self-assessment (or prepare for a third-party assessment when required), and ensure your SPRS (Supplier Performance Risk System) status is current. A lack of readiness may mean ineligibility for future DoD contract awards.

CMMC Implementation
How do I achieve CMMC compliance?

Defense contractors are not compliant with CMMC until they coordinate with an accredited and independent third-party certification organization to perform a CMMC audit. It is in contractors’ best interest to partner with an agency like Simpatico Systems to help them prepare for a CMMC audit.


What should I do to prepare for an audit?

  • DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC audit successfully up to CMMC Level 3.
  • For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit.

Although the DoD contractor is ultimately responsible for ensuring their company meets the cybersecurity requirements, many DoD contractors that don’t have the resources or IT staff available to ensure compliance choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity of the CMMC.

If you would like to speak with someone about preparing for a CMMC audit, give us a call at (855) 672-4800 to schedule a free consultation.


What should I do right now?

Whether you plan to manage compliance internally or work with a partner, the first step is understanding how close—or how far—you are from meeting the requirements of CMMC 2.0. The most effective way to begin is with a third-party gap assessment to identify weaknesses in your current systems, policies, and controls.

Without this gap analysis, it’s difficult to determine what updates or changes are necessary to meet your required CMMC Level. At Simpatico Systems, our experts use these findings to develop remediation plans that fix vulnerabilities and align your environment with current DoD cybersecurity expectations.

This assessment may support your in-house team’s remediation efforts or allow a trusted partner like Simpatico to manage the entire process for you.

As a CMMC-AB Registered Provider Organization (RPO), Simpatico Systems understands the urgency and complexity of compliance. We guide contractors through NIST SP 800-171 and CMMC requirements, ensuring your cybersecurity controls are properly implemented to protect Controlled Unclassified Information (CUI) and support a successful audit and certification.

Ready to take the next step?

Our expert team is here to help unlock new possibilities and drive success for your business.

CMMC Resources