Cybersecurity Maturity Model Certification (CMMC v2.0)

Simplifying Federal Regulations

Defense Industrial Base (DIB) contractors and organization seeking compliance (OSCs) that handle CUI must act now to ensure compliance with the new CMMC v2.0


What is CMMC

What does CMMC mean for your business?

  • Comply today; the requirement to comply is four years old.
  • The CMMC 2.0 combines various cybersecurity standards and best practices and maps these controls across 3 Maturity Levels (MLs).
  • The MLs build on each other, ranging from Foundational cyber hygiene to Expert.
  • For a given CMMC level, the associated controls (when implemented) will reduce risks against a specific set of cyberthreats.
  • It is IMPERATIVE for you to be compliant, making a FALSE CLAIM is a serious offense

Who must comply with CMMC guidelines?

ALL FEDERAL CONTRACTORS foreign and domestic delivering DoD products and services.

Primes and subcontractors.

With CMMC, rolling out in expedited fashion-
Why the Interim Rule and why NOW?

  • Hackers are not going to wait for contractors, subcontractors or vendors to get their cybersecurity whipped into shape to start a cyberattack. HACKERS DO NOT WAIT ON RULE-MAKING!
  • Exfiltration of sensitive data by malicious actors around the globe is a threat to both national and economic security.
  • The DoD is working with the Defense Industrial Base (DIB) to enhance protection of Controlled Unclassified Information (CUI) along the supply chain.

DFARS Interim Rule

"CMMC certification is your Driver’s
License on the

Coming lay-in of CMMC 2.0 has added new contracting requirements:

Three New Provisions:

  1. 7019: Advises contractors that they must maintain and report their NIST 800-171 compliance in the Supplier Performance Risk System (SPRS); also explains the three types of assessments/audits (Basic, Medium, High); already IN FORCE.
  2. 7020: Outlines the requirement of contractors to provide the Government access to its facilities if the DoD is renewing a contract or conducting a Medium or High assessment; already IN FORCE.
  3. 7021: Discusses integration of CMMC Maturity Levels 1-3


  • The SPRS Self-Assessment effectively reinforces Self-Attestation of NIST SP 800-171.
  • Have you completed your SPRS Self-Assessment?It was due December 31, 2017.
  • Currently included in MOST RFPs.
  • Not recommended that contractors wait; DoD wants ALL subs and primes to self-attest asap.
  • CMMC will roll out after rule-making, but until then, you MUST complete the SPRS self-assessment.
  • Location:


  • CMMC has been simplified, but it’s not going away
    • From five to three Maturity Levels (MLs)
    • ML 1 is now self-certifying; only if FCI is handled, vice CUI
  • DFARS 252.204-7012 & NIST 800-171 are still required today
    • No changes to clauses 7019 / 7020
    • SPRS self-attestation still mandatory; ML 2 & ML3
  • DoD enforcement to be more aggressive from DoD
    • Civil Cyber-Fraud Initiative will create more False Claim Act Participants
    • Expect more demanding flow-downrequirements from primes
    • Whistleblowers can report any contractor non-compliance!

Cybersecurity Maturity Model Certification v2.0

CMMC Model
CMMC Model 2

Cybersecurity Maturity Model Certification 2.0

  • Self-assessment at CMMC Maturity Level 1; this is self-attestation
  • Self-assessment allowed annually for CMMC ML2 contractors, but a formal 3rd party assessment by a C3PAO is required every 3-years.
  • Limited Plan of Action and Milestones (POAMs) and Waivers allowed
    • These will only be temporary waivers and will be difficult to attain.
    • The parameters for POAMS and waivers will be defined during the rulemaking stage, but OSCs will not be allowed to POAM the “heavily-weighted” controls.
    • POAMs are allowed under CMMC 2.0, for a 180-day period.
  • DoD certifications at CMMC Maturity Level 3 –an increased responsibility/role
  • Contractors are encouraged to comply with “heavily-weighted” NIST controls as soon as possible to be positioned for deluge of CUI being released under coming procurements

Benefits of NIST and CMMC Compliance

Increased Security

Being NIST800-171 compliant will significantly reduce the likelihood of a breach, and if you are breached it will decrease the impact of the breach

Competitive Advantage

Once you have put in the time, energy and money it requires to be NIST 800-171 compliant, you gain a competitive advantage over other businesses who are not.

Peace of Mind

You won’t lose sleep wondering if you are going to lose your contract and your reputation because you failed to comply.

CMMC 2.0 Takeaways

  • POAMs have changed DRAMATICALLY; now good for 180 days.
  • Most “heavily- weighted of the 110 controls” cannot be part of a POAM. Suggest identify these and commence maturity!
  • Prescription to comply with NIST SP 800-171 is found in almost 100 % of DoD Prime & Subcontracts
  • If so when you sign your contract you are self-attesting compliance with both FAR 52.204-21 and DFARS 252.204-7012.
  • Controlled Unclassified Information (CUI) will become routine in most procurements; expect a “flood” of CUI.
  • To gain access to CUI it will likely require the right Maturity Level or SPRS Score.
  • DOD primes will be the Strictest enforcers of NIST SP 800-171, latest revision. (per DFARS cites)..
  • If you rely on a 3rd Party MSP, that does not relieve you of compliance in any manner; suggest early meetings with MSP to discuss responsibilities and roles. MSPs must be DFARS, CMMC, NIST conversant!

To learn more about What is CMMC, The Guidelines and Certification

Download our CMMC v2.0 Guide

Bullet Point

Learn how you can secure your government contract and become CMMC v2.0 certified:

CMMC v2.0 Preparedness with CMMC Certified Petronella Tech (RPO)

The price of the formal CMMC v2.0 audits is not currently known, here at PTG, we have extensive experience implementing other similar requirements for contractors; requirements that are the backbone of the CMMC maturity levels, including NIST SP 800-171, NIST SP 800-172, NIST SP 800-53, DFARS 252.214-7012, 252.214-7019, 252.214-7020, etc.

Bullet Point

PTG has developed a unique approach in helping your company get 80% of the work done to prepare for the upcoming CMMC audits.

Bullet Point

PTG offers multiple options to fit every defense contractor's needs and budget.

Please contact us today to discuss the options we have available to help you pass your upcoming CMMC audit on the first try.