January 8, 2021

CMMC Audit

What is the CMMC?

While considered strong, the NIST 800-171 self assessment cybersecurity measures have been found lacking with time and testing. Thus the Department of Defense (DoD) has rolled out a new mandatory initiative for investors called the Cybersecurity Maturity Model Certification (CMMC). Led by the Office of the Assistant Secretary of Defense for Acquisition, this new initiative is designed to shore up some of the holes previously found in dealing with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Any organizations that deal with FCI, even if they don’t deal with CUI, must be CMMC Level 1 compliant and certified, which now can only be accomplished through an independent third-party audit.

While key areas of the CMMC Audit focuses on those similar to NIST 800-171, other inputs and sources for the new framework include NIST 800-53, Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2, and the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”.

The audits will take place on-site and are evidence-based and reaching certain levels will be required to obtain certain federal contracts. If you are wondering about CMMC Best Practices or seeking a CMMC Consultant for CMMC certification, connect with us!

CMMC Certification Levels:

CMMC Level 1 – Basic Cyber Hygiene (17 controls): Basic cybersecurity controls that are appropriate for small businesses, but must confirm the accuracy of the 17 controls.

CMMC Level 2 – Intermediate Cyber Hygiene (72 Controls – contains level 1 controls): Contains universally accepted NIST SP and NIST CSF cybersecurity best practices.

CMMC Level 3 – Good Cyber Hygiene (130 Controls – contains level 2 controls): Includes coverage of all NIST 800-171 controls and additional CMMC components.

CMMC Level 4 – Proactive (156 Controls – contains level 3 controls): Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.

CMMC Level 5 – Advanced/Progressive (171 Controls – contains level 4 controls): Includes highly advanced cybersecurity practices and cybersecurity standards.


Fill out the form below and connect with an IT Global Services compliance expert.