DoD Cybersecurity Maturity Model Certification (CMMC)

DoD’s new Cybersecurity Maturity Model Certification (CMMC) version 1.0 was published on 31 January 2020 (c.f.,

Peak InfoSec has monitored and participated in the draft reviews of this new DoD compliance framework since its first draft.

Get Ready for Significant Changes

  • They added a new term from the Federal Acquisition Regulation: Federal Contracting Information (FCI)
  • Demonstrating compliance will no longer be self-attestation (in other words, "we are compliant because we tell you we are")
  • Getting the "Certification" in CMMC will require a third-party audit. This means you need to prove your compliance and be ready to do so before the auditor arrives (hint, hint… What is an "Evidence Book"?)
  • CMMC is looking at the Practices (is your firm doing what the compliance requirements require) and your firm's Process Maturity Levels:
    • Do you have policies, plans, and procedures?
    • Have you resourced them? Yep, they will want to understand your Information Security resourcing plan
    • Are you monitoring, measuring, and seeking to improve your organization's Information Security effectiveness?
  • Expect a heavy supply chain focus. The auditors will be reviewing your contracts with sub-contractors and any organizations that have access to FCI/CUI (hint, hint… Does our IT provider or Managed Service Provider (MSP) have to be compliant?)
  • There are more requirements from outside of NIST SP 800-171.

Find out more about the CMMC at…

For more information, please contact us at

Let’s Get Started

Information Security Turnaround Specialists