Welcome to the World of CMMC

Your guide to understanding CMMC (Cybersecurity Maturity Model Certification) & why you need it.

The Cybersecurity Maturity Model Certification is a new requirement for DoD contractors and subcontractors. It brings together a number of older cybersecurity requirements to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Play Video

There are two major differences between the CMMC and older cybersecurity requirements:

  •  First, contractors will be audited by third-party assessors (the so-called Certified 3rd Party Assessment Organizations, or C3PAOs for short) based on the requested audit level, the C3PAO will determine if the contractor passes or fails the audit. In other words, the CMMC will not contain any self-attestation component, although contractors are encouraged to complete a self-assessment prior to scheduling a CMMC certification.
  • Second, the CMMC defines five certification levels as a more flexible alternative to previous one-size-fits-all approaches. It’s up to contractors to pass an audit at the level specified in Requests For Information (RFIs) and Requests for Proposals (RFPs).



The first full version of the CMMC was published on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment in January 2020, and all DoD contractors should expect to start seeing CMMC requirements as part of the RFP process from September 2020.

Eventually, all DoD contractors and subcontractors that handle FCI and CUI will be required to obtain a CMMC certificate.

Only contractors that provide commercial off-the-shelf products and don’t handle any CUI won’t be required to achieve one of the five levels of certification.


The most important CMMC dates you need to be aware of include:

  • January 2020: The introduction of CMMC Version 1.0.
  • June 2020: The release of requirements and the opening of registration for C3PAOs.
  • September 2020: DoD starts incorporating CMMC requirements in RFPs.
  • 2021 – 2025: The implementation of the CMMC through a phased rollout.
  • 2026: CMMC certification will become a requirement for all contractors doing business with the DoD.

Waiting until the due date to get your CMMC certification can lead to numerous missed opportunities. Those who have their CMMC now have the benefit of already meeting CMMC standards, proving to the DoD and those sourcing government contractors that you are already aligned with their goals and objectives. Build trust now so that your reputation is established long in advance of the 2026 deadline. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Top Cyber security myths

Top Cyber Security Myths: Part 2


It’s easy to oversimplify cyber security and assume you’re protected. There are a lot of myths out there, and we’re addressing the top myths you might face on a daily basis. Get ready to get debunked.

Read More »
IT Security

Top Cyber Security Myths: Part 1


In our digital world, where everything about us and our businesses exists in a digital format, cybercrime and data loss are potentially the biggest threats to the success of your business. Cybercrime is on the rise and small and mid-sized businesses continue to be targeted. Let’s address the top cybersecurity myths so you know how to target your business security needs.

Read More »

Don’t Stop Here

More Useful Security Information