Cybersecurity Maturity Model Certification (CMMC) Program Analysis

By Freed Maxick RAS Team on October 28, 2021

Stay up to date

Back to main Blog
Freed Maxick RAS Team


DoD Contractors and Subcontractors Must Protect Federal Contract Information and Controlled Unclassified Information, or …

Five LevelsThe Cybersecurity Maturity Model Certification (CMMC) is a program to ensure that specific types of unclassified sensitive data that are in existence outside of government systems is adequately protected. This certification program replaces the NIST SP 800-171 self-attestation that defense contractors (and subcontractors) perform today and applies specifically to Controlled Unclassified Information (CUI).

This program will significantly impact how many defense contracts are awarded and can have big implications for your organization. Click here for other blog posts on this topic and here for an overview of Freed Maxick services for helping companies achieve CMMC compliance. You can also access CMMC frequently asked questions here.

Here are five facts about CMMC that we discuss with our clients:

  • Uncertified Organizations Will Not Awarded DoD Contracts

Plans of Action or Mitigation (POAMs) are not allowed under the CMMC program. Uncertified organizations will not be awarded contracts with CMMC requirements unfulfilled; however organizations will be permitted to bid on contracts with CMMC requirements as long as they will receive their certification before beginning their work on the contract.

  • Compliance Advisors are not the Same as Compliance Auditors

The CMMC program is designed to ensure that there are no conflicts of interest. Consultants that advise contractors on how to comply with the CMMC are not able to perform that contractor’s CMMC assessment. Likewise, the CMMC certification assessor will not be able to provide any advice on how to achieve or enhance your CMMC compliance.

  • A CMMC Certification has a Three-Year Shelf Life

CMMC certifications will be valid for three years, so plan accordingly to recertify in that timeframe.

  • Only 15 Contracts Will be Certified in 2021, but ……

Only 15 contracts this year (2021) will require CMMC certification. Each year more contracts will be added requiring the certification until 2026, when all new contracts will require the appropriate CMMC certification.

  • The CMMC Compliance Dive May Not be as Deep as you Think

There are five different maturity levels for CMMC which include different processes and practices required within the CMMC framework. Most contractors will only be required to meet level 1 or Level 2 CMMC requirements.

Level 1: Perform 17 Cybersecurity Practices

Level 2: Perform and Document 72 Practices

Level 3: Perform, Document, and Mange 130 Practices

Level 4: Perform, Document, Manage, and review the effectiveness of 156 Practices

Level 5: Perform, Document, Manage, Review, and Optimize 171 Practices

Freed Maxick’s Third Party Readiness Review for CMMC Compliance

Freed Maxick is a Registered Provider Organization with a team of Registered Practitioners that will work with you and your organization to review your overall compliance with CMMC. By conducting a thorough examination of your organization’s IT environment and practices, we can help you navigate CMMC, identify weak areas in your current processes, and advise you on the most effective and efficient ways to prepare to become CMMC complainant.

Even though the CMMC is rolling out slowly, it will most likely take some time and investment by your organization to ensure you are compliant. If you would like help with preparing for CMMC compliance our Risk Advisory Services team can assist you. For more information on our risk consulting programs and services, please contact or call 585-314-2069.

New call-to-action

Stay up to date