Cybersecurity Maturity Model Certification

By now, you've probably heard that CMMC compliance will be required for any company working on a DoD contract. It may sound like just one more cyber framework to manage, but there is one important difference — verification. Existing government regulations for cybersecurity were largely driven by trust, but your CMMC practices and processes must be verified through an assessment.

Meet the New Security Standard

  • Some DoD contracts will require CMMC compliance as early as 2021, especially those dealing with Controlled Unclassified Information (CUI).
  • There are a limited number of organizations licensed to help 300,000+ defense contractors and vendors prepare for CMMC.
  • Certification is not a one-time thing. Companies must re-certify with the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) every three years.

Get ready for the CMMC Assessment

  • Save on both costs and level of effort by certifying members of your team.
  • Prepare for the CMMC assessment now without waiting for consultants to get up to speed.
  • Continually prepare your networks for CMMC compliance — now and when you have to re-certify.

How it Works

Certified Professional is the first step to building a CMMC maturity capability for your organization. But it’s also a pre-requisite to becoming a Certified CMMC-AB Assessor or Instructor.

Step 1

Apply with CMMC-AB

Make sure you qualify and apply online at to become a CMMC-AB Certified Professional.

Step 2

Take the training

Complete required Certified Professional exam training with a CMMC Licensed Training Provider (LTP).

Step 3

Pass the exam

Successfully complete the CMMC-AB Certified Professional exam and move on to Certified Assessor, if you choose.

Frequently Asked Questions

Cybersecurity Maturity Model Certification (CMMC) is a standard created to enhance the collective security of the Department of Defense (DoD) as well as any private sector organizations that conduct business with, or on behalf of, the DoD. CMMC was originally a five-tier model released by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) to improve and standardize cybersecurity practices across the Defense enterprise. It was drafted collaboratively with University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry experts.

Established in January 2020, the CMMC Accreditation Body (CMMC-AB) is responsible for certifying organizations and professionals against the new CMMC standards. It is the “sole authoritative source” for operationalizing CMMC Assessments and Training.

To receive CMMC certification, DoD contractors must be verified by a third-party assessment organization (C3PAO) or individual assessors known as Certified Professionals (CPs) and Certified Assessors (CAs). CPs and CAs are trained and tested by licensed training providers to evaluate an organization's cybersecurity health, identify holes or weaknesses, and determine if a company is CMMC compliant.

CP is the first step in training and allows one to become part of the assessment team and learn the fundamentals of CMMC. CAs are the "foot soldiers" of CMMC. They are credentialed to conduct CMMC assessments and supervise CPs.

The CMMC roll-out will be a phased approach, starting with companies that work with Controlled Unclassified Information (CUI). For those organizations, CMMC requirements will start as early as 2021. DoD officials have said all suppliers, contractors, and sub-contractors must be CMMC compliant by 2025, allowing time for organizations to be assessed by accredited inspectors and for inspectors to receive the proper training.

In 2021, changes are expected to be announced to version 1.0 of the CMMC framework that was released in January 2020, but it is not expected that those changes will have any impact on the overall implementation timeline.

Starting in 2025, all DoD vendors will have to be at least CMMC Maturity Level 1 certified. Organizations handling CUI will need to be CMMC Maturity Level 3 certified. Organizations should review the CMMC maturity model to understand the exact level they will require based on these factors, as well as on CTI and export restrictions, among other factors.

Prior to 2025, required CMMC Maturity Level will be dependent on the specific contract opportunity, as determined by the DoD. The required CMMC level will be specified in the Requests for Information (RFIs) and Requests for Proposals (RFPs) for each contract.

CMMC certification requires assessment by an authorized organization. You cannot self-certify for CMMC.

When you're ready to be assessed, simply select one of the Authorized CMMC Third-Party Assessor Organizations (C3PAOs) from the CMMC-AB Marketplace website. The selected C3PAO will coordinate and plan your company's CMMC assessment with a Certified Professional (CP) and Certified Assessor (CA) as well as complete appropriate contractual agreements. Following the assessment, the C3PAO will provide a report and, if there are no deficiencies, issue your company the appropriate CMMC certificate. Most compliance certificates are valid for three years, at which point your company will need a new assessment to recertify.

You can learn more about CMMC and the CMMC-AB on OUSD A&S' dedicated website. There are a number of guides and resources with additional information on CMMC.

You can also find a number of tools, including a list of accrediated organizations able to help you on your CMMC journey, on the CMMC-AB website.

In the Press