Cybersecurity Maturity Model Certification (CMMC)


25 years of validated pre-certification results
25 years of risk assessment bonafides

Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that serves as a framework to enforce Defense Federal Acquisition Regulation Supplement (DFARS) requirements as well as NIST SP 800-171 and 172. In order to better ensure national security, there are five distinct Levels of CMMC Certification:

Level 1 — defense contractors must exhibit basic cyber hygiene, to achieve CMMC Level 1 certification. This practice establishes a security foundation for the subsequent Levels of the model and must be completed by all certified organizations. Level 1, which includes 17 controls, is achievable for smaller companies and includes a subset of universally accepted common security practices. Organizations must demonstrate that they have implemented effective security controls and that they have the ability to protect Federal Contract Information (FCI). CMMC Level 1 is the basic DFARs cybersecurity clause in most DoD contracts.

Level 2 introduces maturity into CMMC. The two processes for CMMC Level 2 are to establish a policy around each of the CMMC domains and to document that your practices implement the policy. CMMC Level 2 also adds 55 practices on top of the 17 CMMC Level 1 practices, for a total of 72 cybersecurity controls. It is NOT expected that there will be many DoD contracts with a CMMC Level 2 requirement. CMMC Level 2 was designed as a bridging solution between CMMC Level 1 and Level 3.

Contact us NOW to get started today.


Level 3 organizations must demonstrate that they have implemented effective security controls and that they have the ability to protect Controlled Unclassified Information (CUI). This includes compliance with all security requirements of NIST 800-171 and DFARS Clause 252.204.7012 plus 20 Delta cyber practices based on other frameworks and best practices. Effectively, Level 3 is demonstrated implementation of all Level 1 and 2 policies and procedures and requires continuous control monitoring. The maturity process of CMMC Level 3 equals Managed.

Level 4 covers proactive measures to safeguard CUI from Advanced Persistent Threats (APTs). These are mostly nation state-sponsored threat actors who are highly dangerous to the nation’s security. This Level requires compliance with 110 NIST 800-171 Requirements plus 46 other practices across all 17 domains of the CMMC model.

Level 5 is “optimization.” Certification automatically implies that the contractor meets all criteria set by the CMMC including all requirements at Levels 1–4. Organizations must have an advanced or progressive cybersecurity program in place.


Churchill & Harriman helps you achieve certification through the following processes:

Identification of the appropriate CMMC scope to help you understand the applicable control environment required.

Performance of a gap analysis against CMMC requirements and the existence and use of those controls. This will give a clear understanding of how close, or how far away, your organization may be from meeting the minimum requirements outlined in the appropriate CMMC Level. This review will highlight inadequate systems, processes, network and procedures that may not satisfy all of the required controls. The gap analysis will expose issues such as:

  • How access to information systems is controlled.
  • How managers and information system administrators are trained.
  • How data are stored.
  • How security controls and measures are implemented and enforced.
  • How incident response plans are developed and implemented.
  • What maturity processes are required for each CMMC Level.

Without a proper gap analysis, it would be impossible to know what changes an organization might need to make before it meets the required CMMC Level.

The creation of a remediation plan is based on the findings outlined in the Gap Assessment. The roadmap may involve small, quick fixes to a network and/or its processes, or it may involve the more extensive development of compliant networks and processes to meet current cybersecurity standards.

Knowing what needs to be addressed will make it easier for DoD Contractors to make necessary changes to their systems to ensure compliance and their continued ability to be considered for government contracts.

CMMC Advisory Services

Churchill & Harriman will provide assistance in achieving compliance and being prepared for the CMMC Assessment. We will provide a clear implementation track — from helping with policies, practices/procedures, plans, to recommending suitable controls.

Services include:

  • Advise your Board of Directors and your technical team on all subjects leading to complete pre-certification readiness.
  • Gap Assessments
  • Determine if CMMC applies to your organization and, if so, to what Level — all companies with DoD contracts will have to be CMMC certified, be it enterprise, business line or enclave.
  • Identify how your current compliance to NIST 800- 171 and 172 or NIST 800-53 maps to the CMMC requirements.
  • Develop and execute a roadmap to complete pre-certification readiness.
  • Development of any or all of the required security documentation.
  • Review of your remediation approach and revalidation of full pre-certification readiness.
  • Assistance with CMMC assessment coordination; if acceptable by the auditor, C&H is prepared to stand by your company during your CMMC assessment to assist you through the actual on-site audit.

For More Information