Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the Under Secretary of Defense for Acquisition and Sustainment to help protect the DoD supply chain, which is currently experiencing significant cybersecurity risk.

CMMC Essential Knowledge

Previously, NIST 800-171 has been used to reduce the risk of cybercrime across the Defense Industrial Base. This approach is flawed because it treats cybersecurity as a one-size-fits-all solution. Cybersecurity is not one-size-fits-all and should not be managed as such. Data must be protected in accordance with the risk posed by Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC outlines five maturity levels that align domains, processes, capabilities, and practices with the specific sensitivity of the data (FCI or CUI).

CMMC is a third-party accreditation that must be delivered by a CMMC Third Party Assessment Organization (C3PAO). These organizations can be verified at CMMC-AB.

Registered Provider Organizations (RPO) and Registered Practitioners (RP) are trained resources that have been registered to provide non-certified consultative services. This means that the RPO and RP are not allowed to perform the official CMMC Certification as this process must be completed by a third party free from any conflict of interest. Silotech recommends verifying C3PAO organizations before selecting, performing and paying for a certification audit.

RPOs are organizations that have been reviewed and verified and operate by a code of ethics set forth by CMMC-AB. RPOs can be verified at CMMC-AB and should have the RPO badge visible on their website, email, or other social media outlets.

Who is CMMC for?

  • Cybersecurity Maturity Model Certification (CMMC) is for any and all DoD contractors (Prime or Sub) who are in support of the Defense Industrial Base (DIB) that transmit CUI. If your organization does not transmit CUI but possesses FCI, the organization is required to comply with FAR clause 52.204-21 and must be certified to at least CMMC Maturity Level (ML) 1.

  • Companies that solely produce Commercial-Off-The-Shelf (COTS) products will not require a CMMC certification.

Why is it important? How will it impact my business?

It is estimated that cybercrime removes over 600 billion dollars annually from global GDP. According to the Federal Government lost over 13.74 billion dollars in 2018 due to cybercrime. This impact has driven the DoD to rethink the way it manages its cybersecurity risk. Its response is the CMMC regulation, which requires Prime and Sub Contractors to become independently certified by C3PAO assessors.

CMMC certification is a third-party verification of controls, policies, and processes performed within your organization. Each ML has different controls that must be performed. It is imperative to know that any required control that is not supported by evidence provided to the auditors constitutes a failure, and the organization will not be certified. Each ML also has its own process, so be sure your organization knows the ML required, is prepared for that ML assessment, and has evidence to prove that the process or control is in place and operating as expected.

Many organizations are still trying to understand the CMMC process. Trying to defog all the smoke around this regulation can be a hassle. It is imperative that your organization does not wait to start its CMMC journey. Delaying your certification can impact your ability to compete for Government projects. In 2020, 15 contracts are projected to require CMMC and identified MLs. This requirement will apply to prime contractors and subcontractors. Do not let the lack of this certification be the reason your organization does not grow in 2021. Lastly, CMMC suggests operating at your ML for 6 months before scheduling your assessment. This will give your organization the best chance of having all the evidence necessary to demonstrate compliance with your specific ML.

[Figure: CMMC maturity levels, processes, and practices]

The CMMC lifecycle starts with the understanding that organizations need expert help to facilitate their journey through CMMC certification.

Best practice for organizations is to start by visiting CMMC-AB at to select a CMMC provider in your local area. You can search by name, city, or state. CMMC-AB provides this tool to help organizations ensure they are working with properly trained companies. Organizations should reach out to RPOs and ensure they have RPs attached to their profile. This can also be done at

CMMC-AB requires that RPOs have been vetted, verified, and confirmed by CMMC-AB as an organization that has been trained to perform self-assessments, has RPs attached to their organization, and has been given all the latest information on CMMC regulation as it pertains to obtaining your independent certification.

What do I do?

  • The first step in the CMMC journey is to find a trusted RPO advisor that can provide advice on your next steps
  • Perform research at to ensure your trusted advisor has met the criteria to be an RPO and is listed within the marketplace
  • Each RPO should have an RP who has been trained by CMMC-AB and is attached to your chosen RPO
  • This method will ensure you are working with resources who have been trained by the CMMC-AB

What can Silotech do to help?

Silotech is an RPO and can be found in the CMMC-AB marketplace at: CMMC-AB Marketplace

Our RPs follow these basic steps:

  1. Self-assessments
  2. Remediation (POA&M)
  3. Schedule C3PAO Assessment
  4. Audit preparation

As an RPO, we will assist and support your organization in identifying gaps within your necessary maturity level. Silotech can:

  • Help you understand which capabilities are currently being met, which capabilities are planned, what needs to be prepared for, and which capabilities are currently not applicable
  • Assist in identifying gaps and creating a Plan of Action and Milestones (POA&M) to help manage the remediation process
  • Manage and provide hands-on remediation for any deficiencies documented in our self-assessment