Win federal business by preparing for the CMMC certification with a Lazarus Alliance CMMC audit. Call +1 (888) 896-7580 today!
The Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers.
Lazarus Alliance, a certified C3PAO firm, will coordinate directly with your organization to schedule your CMMC assessment. Our certified C3PAO assessors will help identify the certification level appropriate to your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity.
Cybersecurity Maturity Model Certification (CMMC)
CMMC aims to verify that DoD contractors and subcontractors implement and maintain cybersecurity practices to protect sensitive data in the Defense Industrial Base (DIB). It builds on standards like NIST SP 800-171 (Rev. 2) and FAR 52.204-21, shifting from self-attestation to verifiable assessments. As of October 2025, requirements are beginning to appear in DoD solicitations, with full rollout phased over three years (through 2028).
The Three CMMC Levels
The levels are tiered based on the type and sensitivity of data handled (FCI for non-sensitive contract info; CUI for sensitive but unclassified info). Each level specifies security requirements, assessment methods, and frequency:
- Level 1: Foundational (Basic Cyber Hygiene for FCI)
  - Focus: Protects FCI from basic threats.
  - Requirements: 15 basic security controls from FAR 52.204-21 (e.g., limit system access, use antivirus, screen users).
  - Assessment: Annual self-assessment, with results posted to the Supplier Performance Risk System (SPRS). No third-party involvement.
  - Applicability: For contracts involving only FCI (no CUI). Exemptions apply to commercial off-the-shelf (COTS) items.
  - Timeline: Enforceable in solicitations starting late 2025.
- Level 2: Advanced (Intermediate Protection for CUI)
  - Focus: Protects CUI against common cyber threats, aligning closely with NIST SP 800-171's 110 controls.
  - Requirements: All 110 NIST 800-171 practices (e.g., multi-factor authentication, incident response planning, media protection).
  - Assessment: Primarily third-party certification by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with annual affirmations. Self-assessments are allowed for some lower-risk contracts. Minor gaps may be carried on a Plan of Action and Milestones (POA&M), which must be closed within 180 days.
  - Applicability: For most contracts handling CUI. This is the most common level for DIB organizations.
  - Timeline: Third-party assessments begin in October 2026 for higher-risk contracts; self-assessments start in 2025.
- Level 3: Expert (Proactive Defense for High-Risk CUI)
  - Focus: Defends against advanced persistent threats (APTs) with enhanced controls beyond NIST 800-171.
  - Requirements: All Level 2 controls plus 24 additional NIST 800-172 practices (e.g., advanced threat detection, supply chain risk management, deception techniques).
  - Assessment: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), building on a prior Level 2 C3PAO certification. Every three years, with annual affirmations.
  - Applicability: For a small subset of contracts involving highly sensitive CUI critical to national security.
  - Timeline: Phased in starting 2026–2027, primarily for select high-priority programs.
Key Components
- Domains and Practices: Organized into 14 domains (e.g., Access Control, Risk Assessment) with capabilities and specific practices. Levels build cumulatively—Level 3 includes everything from Levels 1 and 2.
- Scoring and POA&Ms: For Levels 2 and 3, the assessment is scored on implementation of the practices (100% required for full certification; partial scores are allowed temporarily via POA&Ms). Level 1 requires all controls to be fully met.
- Affirmations: Senior officials must annually affirm compliance in SPRS throughout the contract lifecycle.
Implementation and Timeline (as of October 2025)
- Phased Rollout:
  - Phase 1 (2025): CMMC clauses in ~5–15% of solicitations; focus on self-assessments for Levels 1 and some Level 2.
  - Phase 2 (2026): ~20–50% of contracts; third-party Level 2 assessments ramp up.
  - Phase 3 (2027+): All applicable contracts; full Level 3 integration.
- Certification Process: Assessments by accredited C3PAOs or DIBCAC; results valid for three years.
- Applicability: All prime contractors and subcontractors handling FCI/CUI; flows down via contract clauses.
Frequently Asked Questions
What is CMMC certification?
CMMC (Cybersecurity Maturity Model Certification) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and suppliers meet specific cybersecurity standards to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It includes five maturity levels, each with increasing security requirements.
What are the CMMC compliance requirements?
CMMC compliance requires organizations to implement cybersecurity practices and processes aligned with one of the five maturity levels, ranging from basic (Level 1) to advanced (Level 5). Compliance involves assessments by Certified Third-Party Assessment Organizations (C3PAOs) and adherence to NIST 800-171 standards for handling CUI.
How can small businesses achieve CMMC compliance?
Small businesses can achieve CMMC compliance by identifying their target level, conducting a gap analysis, implementing required controls, and working with CMMC consultants or C3PAOs. Resources like the CMMC Accreditation Body (Cyber AB) and tools like the CMMC checklist can help streamline the process.
What is the difference between CMMC and NIST 800-171?
CMMC incorporates NIST 800-171 controls but adds a maturity model with three levels and third-party assessments. NIST 800-171 focuses on protecting CUI with 110 security controls, while CMMC ensures progressive cybersecurity maturity and compliance verification.
What is a CMMC System Security Plan (SSP) template?
A CMMC System Security Plan (SSP) template is a structured document outlining an organization’s cybersecurity policies, controls, and processes to meet CMMC requirements. It helps organizations document compliance and prepare for assessments.
How can organizations prepare for a CMMC audit?
To prepare for a CMMC audit, organizations should conduct a gap analysis, implement required controls, document processes in an SSP, train staff, and engage a C3PAO for pre-assessments. Resources like the CMMC Assessment Guide and training programs support preparation.
Benefits of CMMC Compliance
CMMC (Cybersecurity Maturity Model Certification) compliance offers several benefits for organizations, particularly those working with the U.S. Department of Defense (DoD) or handling Controlled Unclassified Information (CUI). Below are the key advantages:
- Access to DoD Contracts: CMMC compliance is mandatory for organizations bidding on or maintaining DoD contracts. Achieving the required CMMC level (1-3, depending on the contract) ensures eligibility to work with the DoD, opening up significant business opportunities in the defense sector.
- Enhanced Cybersecurity Posture: CMMC provides a structured framework to implement robust cybersecurity practices. Compliance helps organizations protect sensitive data, such as CUI, against cyber threats, reducing the risk of data breaches, ransomware, and other attacks.
- Competitive Advantage: Demonstrating CMMC compliance signals to clients, partners, and suppliers that your organization prioritizes cybersecurity. This can differentiate your business in a competitive market, particularly when bidding for contracts that require high security standards.
- Risk Mitigation: By adhering to CMMC requirements, organizations reduce vulnerabilities and improve their ability to detect, respond to, and recover from cyber incidents. This minimizes financial, legal, and reputational risks associated with data breaches or non-compliance penalties.
- Improved Trust and Credibility: Compliance with CMMC builds trust with the DoD, other government agencies, and commercial partners. It shows a commitment to safeguarding sensitive information, enhancing your organization’s reputation as a secure and reliable partner.
- Streamlined Security Processes: CMMC encourages the adoption of standardized, repeatable cybersecurity practices. This leads to more efficient operations, as organizations implement consistent policies, procedures, and controls tailored to their maturity level.
- Alignment with Industry Standards: CMMC is built on existing frameworks like NIST 800-171, ISO 27001, and others. Compliance ensures alignment with widely recognized cybersecurity standards, which can facilitate compliance with other regulations or certifications.
- Long-Term Cost Savings: While achieving CMMC compliance requires upfront investment, it can reduce costs associated with cyber incidents, legal liabilities, and lost business due to non-compliance. A proactive cybersecurity approach minimizes the likelihood of costly disruptions.
- Scalability and Flexibility: CMMC’s tiered maturity levels allow organizations to scale their cybersecurity practices according to the sensitivity of the data they handle. This ensures that small and medium-sized businesses can achieve compliance without overwhelming resource demands.
- Supply Chain Security: CMMC compliance strengthens the overall security of the DoD supply chain by ensuring all contractors and subcontractors meet minimum cybersecurity standards. This collective effort reduces systemic risks across the defense industrial base.
In summary, CMMC compliance not only ensures access to DoD contracts but also strengthens an organization’s cybersecurity, reputation, and operational efficiency, providing both immediate and long-term benefits. For specific details on implementation or costs, organizations can refer to resources like the DoD’s CMMC website or consult with certified CMMC assessors like Lazarus Alliance.
Talk with one of our experts
Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.
We're here to answer any questions you may have.
Questions, Concerns, Complaints, and Appeals
The Dispute Resolution Process is reviewed by Lazarus Alliance management annually or as changes are necessary.
General Administrative Requirements
- Authorized and Accredited C3PAOs like Lazarus Alliance shall have a documented process to receive, evaluate, and make decisions on appeals in accordance with these requirements. (ISO/IEC 17020 7.5.1)
- A description of the Authorized and Accredited C3PAO’s internal handling process for appeals shall be available to any interested party upon request. (ISO/IEC 17020 7.5.2)
- The handling process for appeals shall include at least the following elements and methods:
  - A description of the Authorized or Accredited C3PAO’s process for receiving, validating, and investigating the appeal, and for deciding what actions are to be taken in response to it;
  - The process for ensuring that the Authorized or Accredited C3PAO’s appropriate actions are taken in a timely manner (ISO/IEC 17020 7.6.1);
  - The process by which the Authorized or Accredited C3PAO tracks and records appeals, including actions undertaken to resolve them, which is to enter the appeal data into the CMMC Enterprise Mission Assurance Support Service (eMASS).
- Authorized and Accredited C3PAOs shall acknowledge receipt of the appeal and shall provide the appellant with progress reports and the outcome. (ISO/IEC 17020 7.6.3)
- Authorized and Accredited C3PAOs receiving the appeal shall be responsible for gathering and verifying all necessary information to validate the appeal. (ISO/IEC 17020 7.6.2)
- All appeals submitted by an OSC to an Authorized or Accredited C3PAO shall be reviewed and approved by a Certified Assessor or Quality Control staff member not involved in the original inspection activities in question.
- Authorized or Accredited C3PAO reassessments and decisions on submitted appeals shall not result in any discriminatory actions against any individual or OSC filing the appeal. (ISO/IEC 17020 7.5.5)
Appeals
- Upon receipt of a final assessment report from the Authorized or Accredited C3PAO, an OSC has the right to appeal the results of a CMMC assessment certification decision if the OSC believes their failure was attributed to:
  - Malfeasance;
  - Unethical behavior;
  - Error on behalf of the Authorized or Accredited C3PAO or the assessors who conducted the assessment.
- Upon receipt of the final CMMC assessment report, an OSC has up to 14 calendar days to file an appeal requesting further adjudication of compliance with practices or processes that the organization disputes based upon the criteria outlined in 5.1.
- Upon receipt of an OSC appeal, the Authorized or Accredited C3PAO shall record the appeal in CMMC eMASS and conduct a review of the practices or processes in dispute.
- Upon receipt of an appeal, the Authorized or Accredited C3PAO shall conduct a reevaluation in coordination with the OSC. The C3PAO’s investigation may include a review of the OSC’s previously provided evidence, which has been hashed by the OSC, and consultations with the original assessment team and OSC personnel as required.
- Upon receipt of the appeal, the Authorized or Accredited C3PAO will have 21 calendar days to conduct its reevaluation of the disputed practices and processes and provide its adjudication decision to the OSC. Simultaneously, the Authorized or Accredited C3PAO shall upload the following information to CMMC eMASS:
  - Any amendments to its original assessment report based upon the findings of its reevaluation;
  - Name of the team lead conducting the reevaluation in support of the appeal;
  - The outcome of the appeal;
  - The C3PAO approving authority for the reevaluation and the outcome of the appeal.
- Should the OSC refute or oppose the adjudication decision of their Assessment Appeal by the C3PAO, they may elevate their appeal to the Cyber AB. The OSC must elevate its appeal to the Cyber AB within ten (10) business days of receiving, in writing, the adjudication decision of their Assessment Appeal by the C3PAO.
All appeals rendered by The Cyber AB’s Ethics and Compliance Committee are final.