Government Regulations

Clarus Tech Partners can develop your GOVERNMENT Cybersecurity Programs 

CMMC & Nist

If your company provides products or services for the Department of Defense (DoD), you will be required to meet new cybersecurity standards and certification set by the Defense Federal Acquisition Regulation Supplement (DFARS).

DFARS provides a set of security controls to safeguard information systems where contractor data resides.  Currently, security is based on the National Institute of Standards and Technology (NIST), the NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations” and organizations will need to implement the security controls through all levels of their supply chain. 


However, the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and the DoD are now transitioning to the new Cybersecurity Maturity Model Certification (CMMC) framework, which combines standards from NIST, ISO and AIA, and will be required in Requests for Information (RFIs) starting in June 2020.  Self-certification will no longer be an option and CMMC will require a third-party audit and certification by a CMMC Third Party Assessment Organization (C3PAOs).








If your business works with the DoD, here’s what you need to know about the new mandatory cybersecurity certification.


What is CMMC? 

Cybersecurity includes risk management, incident response, physical security, employee awareness training, and more.

The new DoD Cybersecurity Maturity Model Certification (CMMC) Model builds on the existing NIST 800-171 and DFARS 252.204-7012 regulations and adds an auditor certification component.  It combines several cyber security standards and best practices to create a set of controls based on a required level of cybersecurity maturity.

The CMMC defines five cybersecurity “hygiene” maturity or readiness levels - from basic Level One to advanced Level Five for highly sensitive defense assets.



The CMMC Model

Different contractors will be held to different standards. There are five Cybersecurity Maturity levels depending on the expectations placed on the contractor for handling certain information.

These levels are cumulative, meaning that to achieve any level, a contractor will need to fulfill all the requirements for the levels before it.

  1.  Level 1 is the requirement for any contractor that does not handle controlled unclassified information (CUI). The focus of this level is safeguarding federal contract information (FCI).

  2. Level 2 serves as a transitional step for contractors that protect CUI, with maturity requiring the documentation of policies and the implementation of practices for protecting CUI.

  3. Level 3 is for contractors tasked with the protection of CUI.  Such contractors will need to show that they can establish, maintain and resource plans for protection.

  4. Levels 4 and 5 are the highest maturity standards in place for contractors that protect CUI. To achieve this level, not only will contractors need to show maturity in protecting CUI but reducing the risk of advanced persistent threats as well.  Such contractors will need to review and measure activities for effectiveness to reach Level 4 and standardize and optimize an organizational approach to reach Level 5. 

What's the CMMC Timeline?

  • June – Initial RFIs need to contain the CMMC requirement. Final rule making through Spring/Summer. 

  • September  Contractors submitting an RFP to the DoD will need to be CMMC certified.  


Contractors pursuing DoD work will need to start the certification process now in order to be certified when submitting a proposal.

WHO Does CMMC apply to?

  • All new Department of Defense contracts will require contractors – both prime contractors and subcontractors – to have Cybersecurity Maturity Model Certification (CMMC).


  • All companies, no matter how small or what product or service they provide, will have to be assessed and certified by a third-party auditor before they can submit a proposal according to the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).


  • The Cybersecurity Maturity Model Certification (CMMC) is a new Cybersecurity Maturity Model that aims to significantly enhance the cybersecurity and resiliency of its contractor network, creating a single cybersecurity standard for companies to meet.  


  • It ensures an appropriate level of cyber hygiene – which are the practices and steps that users of computers and other devices take to maintain system health and improve online security to ensure the safety of identity and other details that could be stolen or corrupted.

What does CMMC Cost?

  • The CMMC cost will scale with the level of certification required.

  • The cost of certification will be considered an allowable, reimbursable cost as part of the contract and will not be cost prohibitive.

  • The goal is for CMMC to be cost effective and affordable for Small Businesses.

  • By outsourcing the CMMC work to a qualified company, DoD contractors will save time and money in getting and staying CMMC compliant.

Key Steps to Compliance

Every company is different and your cybersecurity and compliance level should match your business.


Assessment: Conduct a current state assessment, determine the CMMC level and develop a Gap Analysis for CMMC.

Roadmap: From the Gap Analysis, develop a CMMC Roadmap, including a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M).

Remediation: Once all gaps are identified, fix them before setting a date with an auditor.

Prepare for Your Audit: CMMC will require a third-party audit and certification by a CMMC Third Party Assessment Organization (C3PAOs).


Clarus Tech Partners provides customized CMMC support. We can help you with your assessment, roadmap, remediation and prepare your business for your certification at all CMMC Levels 1 - 5.


Email us for more information or to talk about your company’s specific needs.


Read more about CMMC from the source at

How to Become CMMC Certified?

  • Determine the CMMC level required for your business.

  • Conduct a gap assessment to determine which areas you need to improve.

  • Remediate the gaps.

  • There will be no self-certification but will need to request and schedule a third-party audit and certification by a CMMC Third Party Assessment Organization (C3PAOs).

  • Your company will be awarded a level of certification by demonstrating the appropriate cybersecurity maturity to the auditors.

  • Certification is valid for 3 years.

schedule your consultation.
Consult with our team of experts at Clarus Tech Partners.  Contact us