top of page



The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements.

Am I ready for a CMMC audit?

What maturity level does my organization need to pursue?

We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only create documentation but also establish continuous monitoring and CMMC Assessment & Gap Analysis.

No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.

CMMC Assessment & Gap Analysis

This is your first step in preparing for CMMC compliance. We will perform a traditional CUI assessment with all 110 controls in NIST SP 800-171 with the additional 20 practices required in CMMC Level 3 (130 in total).

Depending on your organization’s infrastructure, we will complete the compliance assessment onsite or through remote access.

Upon completion of the CMMC assessment and gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. Also, we will have an executive-level briefing addressing significant concerns. build IT infrastructure to maintain your CMMC compliance. CMMC compliance.

CMMC System Security Plan
(Policies & Procedures) Engagement

For organizations that have more robust IT knowledge, we will work alongside their IT department to manage the compliance paperwork and procedures while they implement the CMMC measures.
The SSP Engagement includes writing and maintaining the CMMC SSP Plan (to meet ML 3.997, ML 2.998, & ML 2.999). We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.

CMMC 2.0 Three Levels Explained

CMMC 2.0 will replace the five-level model of CMMC 1.0 with three progressively more complex levels of cybersecurity requirements, each keyed to independently established standards (e.g., Federal Acquisition Regulation (FAR) requirements, NIST requirements). The new model will also increase oversight of third-party assessors and eliminate all “maturity” requirements and CMMC-unique practices.


CMMC 2.0’s “Foundational” Level 1 consists of companies that hold only Federal Contract Information (FCI), not Controlled Unclassified Information (CUI). CMMC 2.0 will require Level 1 contractors to adhere to 17 “basic cyber hygiene” security controls specified in the NIST Special Publication 800-171 (NIST SP 800-171).


CMMC 2.0’s “Advanced” Level 2 certification is based on the old CMMC “Level 3,” with a bifurcation of “prioritized acquisitions” and “non-prioritized acquisitions” in relation to the sensitivity of Controlled Unclassified Information (CUI) involved. Prioritized acquisitions will require an independent third-party assessment from a certified third-party assessing organization (C3PAO) every three years, while nonprioritized acquisitions will require only an annual self-assessment and certification. CMMC’s new Level 2 reduces the number of required controls to the 110 controls included in the NIST’s SP 800-171 Rev. 2 (NIST SP 800-171), thereby eliminating what are now 20 additional Level 3 CMMC 1.0 controls.


CMMC 2.0’s “Expert” Level 3 will replace existing Levels 4 and 5. Most notably, acquisitions at this level will require triennial government-led assessments (i.e., not by C3PAOs). Further, in addition to the 110 controls required for new Level 2, Level 3 certification will also require compliance with the controls in NIST’s SP 800-172. The decision to equate Level 2 and 3 controls with NIST standards is especially notable in relation to other efforts by the Biden administration to centralize further NIST’s role in federal cybersecurity, including under E.O. 14028.

Summary of Key Updates: CMMC 1.0 vs. CMMC 2.0

CMMC Model


Accelerate Your Advisory Services
with Caplock Security:

Caplock Security Logo Icon

We offer a pragmatic, hands-on approach tailored to meet your organization’s individual needs.

Caplock Security Logo Icon

We provide action-oriented recommendations designed to provide time to value in improving your security posture.

Caplock Security Logo Icon

We maximize your investment in Advisory Services through a framework of Workshops to Advisory Engagement to Security Assessment & Testing Services.

Caplock Security Logo Icon

Our Advisory Services team has decades of global experience with a deep understanding of Governance Risk & Compliance (ISO, NIST), Privacy regulations, and PCI DSS Compliance

bottom of page