Vancord logo

Who Needs CMMC Certification? 3 Things to Know

If you’re doing business with the Department of Defense, you’ve likely heard about the upcoming CMMC certification requirement and wondered, “Will my organization require certification?”. The short answer is yes, with a few caveats. Below, we outline three things to know. 


Attacks against the defense industrial database (DIB) are growing in numbers and sophistication in the form of ransomware, phishing, and state-sponsored attacks. Increasingly, malicious actors access Controlled Unclassified Information (CUI) through one of the 300,000 businesses across the DoD supply chain.

In response, DoD has developed the Cybersecurity Maturity Model Certification (CMMC) to ensure the supply chain’s integrity and protect the data within DoD systems. Unlike NIST SP 800-171, CMMC compliance includes assessments that assign a company maturity level to enable DoD contractors to protect CUI per their specific contract requirements.

All DoD contractors and subcontractors will require a CMMC certification at one of the five levels of CMMC, as determined by the companies’ access to CUI. While this new system may sound daunting, it’s simpler than it sounds. Read on for three things you need to know about who needs CMMC certification.

Which CMMC Level Do I Need?

The CMMC framework consists of five certification levels. Unlike the Defense Federal Acquisition Regulation Supplement (DFARS), the CMMC lets DoD categorize its vendors for contract eligibility, most of whom will need to meet CMMC requirements between Level One and Level Three.

  • Level One, Basic Cyber Hygiene, mandates basic cybersecurity hygiene practices, including regular password changes and the use of antivirus software.
  • Level Two, Intermediate Cyber Hygiene, requires a company to document, implement, and maintain advanced security protocols.
  • Level Three, Good Cyber Hygiene, includes all NIST SP 800-171 requirements, plus 20 additional practices to mitigate threats. 

Large (prime) contractors who contract directly with DoD will likely require certification at a higher level. 

When Will I Need To Be A CMMC-Certified Organization? 

Technically, you have until 2026 to be officially certified, but meeting the certification requirements will take some time for contractors, especially small- and medium-sized businesses. Unfortunately, DoD needed this level of compliance yesterday. The number and severity of attacks on the nation’s most sensitive data have never been greater for several reasons:

  • Too many access points for classified information

With over 300,000 companies and organizations doing business with DoD, there are innumerable potential access points for bad actors seeking to breach DoD systems.

  • Increase in ransomware, phishing attacks, and cyberattacks

As of 2018, the Pentagon was thwarting 36 million malicious emails daily from hackers, terrorists, and nation-states seeking access to military systems. That number has increased dramatically over the past several years.

  • Non-Compliance with DFARS

The 2015 Defense Federal Acquisition Regulation Supplement (DFARS) regarding cybersecurity was a “self-declaring” model, which many contractors were slow to adopt. With CMMC, the stakes are higher—only CMMC-certified organizations may participate in the DoD bid process.

What Should I Do Now To Prepare For CMMC Certification?

Threats to DoD cybersecurity are threats to national security. If you’re a contractor working with DoD or a subcontractor executing DoD projects, you need CMMC certification. The sooner you start preparing for CMMC compliance, the better.

Start by doing these two things:

1. Become familiar with CMMC requirements

Section 2.7.2 of CMMC Model One details key practices, similar to but not the same as NIST 800-53 or NIST 800-171.

2. Contact a trusted CMMC RPO

You will need a Registered Provider Organization (RPO) to help identify and remediate your NIST 800-171 and CMMC gaps to prepare you for meeting CMMC requirements. Look for an RPO with a strong background and experience in cybersecurity and an intimate knowledge of NIST-800-171 and DFARS.

Vancord is a CMMC Registered Provider Organization (RPO). We provide Gap Assessment and Remediation services, including third-party assessment of compliance with mandatory practices and procedures to prepare your business for CMMC certification. Request a meeting with our compliance experts today to get started. 

Cybersecurity Tips In Your Inbox.

Get notified when we have something important to share!