Engaiz

Cybersecurity Maturity Model Certification (CMMC)

Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB).
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense cybersecurity program designed to ensure that contractors and subcontractors meet required safeguards to protect sensitive government data.
CMMC focuses on protecting:
  • Federal Contract Information (FCI): Information provided by or generated for the Government under a contract that is not intended for public release.
  • Controlled Unclassified Information (CUI): Sensitive, unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
Why CMMC Matters
  • CMMC strengthens cybersecurity across the entire defense industrial base.
  • Certification is becoming a requirement to win or maintain DoD contracts.
  • Cybersecurity expectations are standardized across prime contractors and subcontractors.
  • It reduces the risk of unauthorized access to sensitive national security information.
CMMC 2.0 — The Three Certification Levels
Level 1 – Basic Safeguarding (FCI)
  • 15 basic cybersecurity practices.
  • Protects Federal Contract Information.
  • Annual self-assessment and annual affirmation required.
  • No POA&Ms allowed at this level.
Level 2 – Advanced (CUI)
  • 110 practices aligned with NIST SP 800-171.
  • Protects Controlled Unclassified Information.
  • Assessment may be self-assessment or performed by a certified third-party assessment organization (C3PAO) depending on contract requirements.
  • Annual affirmation with full assessment every 3 years.
  • POA&Ms permitted for certain requirements.
Level 3 – Expert (CUI exposed to advanced threats)
  • Includes all Level 2 practices plus 24 enhanced security requirements selected from NIST SP 800-172.
  • Designed to protect CUI from advanced persistent threats (APTs).
  • Requires a prior Level 2 certification from a C3PAO; the Level 3 assessment itself is government-led (DCMA DIBCAC) and repeated every 3 years.
  • Annual affirmation required.
Assessment & Certification Process
CMMC ensures that organizations meet a defined level of cybersecurity maturity before being awarded a DoD contract. The required level is specified in each solicitation based on information sensitivity and program risk.
  • Self-Assessments: Required for Level 1 and allowed where a solicitation specifies Level 2 self-assessment.
  • C3PAO Assessments: Independent third-party assessments where a solicitation requires Level 2 certification.
  • Government Assessments: Required for Level 3 certification, performed by DCMA DIBCAC.
A phased rollout introduces CMMC requirements gradually. Contractors are strongly encouraged to prepare early to avoid delays during contract award cycles.
Plans of Action & Milestones (POA&Ms)
POA&Ms are allowed for Level 2 and Level 3 assessments when certain requirements are not fully implemented at the time of assessment. Only a limited set of lower-weighted requirements may be placed on a POA&M, and the assessment must still achieve a minimum score (80% of the maximum). Open items must be closed within 180 days and verified through a POA&M closeout assessment; otherwise the conditional status expires.
Level 1 does not allow POA&Ms — all practices must be met at the time of assessment.
Implementation Timeline & Phased Rollout
CMMC implementation is being introduced in phases over several years. Each phase adds requirements into DoD solicitations, from self-assessments to full third-party and government-led certification.
Contractors should assess readiness early to ensure they are eligible for future solicitations.
What Your Organization Should Do Now
  • Identify whether you handle FCI or CUI.
  • Determine which CMMC level aligns with your contract goals.
  • Complete a readiness gap assessment against CMMC/NIST requirements.
  • Develop or update System Security Plans (SSPs) and required policies.
  • Implement technical and procedural remediation steps.
  • Adopt tools that streamline evidence gathering and continuous compliance.
How ComplySec360 Makes CMMC Easier, Faster & Cost-Effective
ComplySec360 is designed to simplify your CMMC compliance journey from readiness to certification and ongoing monitoring. With built-in automation, policy generation, evidence collection, and continuous control monitoring, it reduces time, complexity, and cost traditionally associated with CMMC.
  • AI-powered Readiness Assessment: Instantly map your environment against CMMC requirements and identify gaps.
  • Automated Evidence Collection: Integrate with cloud, endpoint, identity, and DevOps tools to collect evidence continuously.
  • System Security Plan (SSP) Automation: Generate and maintain SSPs, POA&Ms, and required documentation.
  • Centralized Policy Builder: Create, update, and distribute required CMMC policies and procedures with AI-driven templates.
  • Continuous Monitoring Dashboard: Track control effectiveness, remediation actions, user access, device compliance, and threat signals in real time.
  • Auditor-Ready Workspace: Give assessors access to the right documents and evidence securely and efficiently.
  • POA&M Management: Document, track, and close POA&Ms with automated reminders and progress tracking.
  • Affordable for Startups & SMBs: Pay-as-you-grow plans designed to support smaller DoD suppliers who need CMMC quickly and cost-effectively.
Whether you’re targeting Level 1, Level 2, or Level 3, ComplySec360 acts as your always-on compliance partner—reducing audit fatigue, streamlining assessments, and ensuring you remain mission-ready year-round.
CMMC Assessment Guides – Downloadable Resources
Use these practical guides to understand scope, assessment activities, and evidence expectations for each CMMC level. Share them with your internal teams and external partners.
CMMC Level 1 Assessment Guide

Download Level 1 Guide

CMMC Level 2 Assessment Guide

Download Level 2 Guide

CMMC Level 3 Assessment Guide

Download Level 3 Guide
Our Authorized Assessors and Auditors

We collaborate with Authorized C3PAOs, CMMC Certified Assessors (CCAs), and CMMC Certified Professionals (CCPs) to deliver an integrated platform together with readiness and accredited assessment support, combining expert guidance and automation to achieve audit-ready security and compliance outcomes.


Matthew Titcombe

CMMC Therapist™ | Lead CMMC Certified Assessor | Authorized C3PAO

Matthew Titcombe is a CMMC Certified Assessor (CCA) and President of Peak InfoSec, an Authorized CMMC Third-Party Assessment Organization (C3PAO). Known as the “CMMC Therapist™,” he helps defense contractors transform struggling security programs into executive-led, audit-ready operations.
Matthew also serves as the Vice-Chairman for the CMMC Information Institute, a nonprofit organization that helps Organizations Seeking CMMC Certification (OSCs) cut through the fog of misinformation surrounding CMMC.
Peak InfoSec is a Department of Veterans Affairs Certified Service-Disabled Veteran-Owned Small Business (SDVOSB) headquartered in Colorado, focused on employing veterans. The firm delivers CMMC and NIST SP 800-171 assessments, penetration testing, compliance audits, security architecture, product sourcing, deployment, optimization, and ongoing security operations support for organizations across the Defense Industrial Base.

John Shamasko

CMMC Jesus | Lead CMMC Assessor | CISSP | CIPM

John is a Lead CMMC Certified Assessor with extensive Joint Surveillance Voluntary Assessment (JSVA) and DIBCAC High assessment experience, formally trained by The Cyber AB. He serves as Vice Chair of the Assessment Guidance Committee within the C3PAO Advisory Council, helping shape national assessment standards.
John is the Lead Assessor at The CMMC Team (C3PAO), a certified organization comprised of Cyber AB–trained Certified CMMC Assessors, Certified CMMC Professionals, and Registered Practitioners supporting organizations in achieving CMMC compliance and readiness.
Raj holds a degree in Mechanical Engineering from the University of Madras. He is a Certified Information Security Manager (CISM) and a CMMC Registered Practitioner. He lives in New Jersey with his wife, two children, and a dog named Rocky.