CMMC Certification Is No Longer Optional
The DoD's Cybersecurity Maturity Model Certification is now a mandatory, contractually binding condition for award on applicable defense contracts. GiaMetrics gets you certified — and keeps you certified.
The 48 CFR Acquisition Rule is now in effect. CMMC clauses are appearing in new DoD solicitations. Contractors without certification are ineligible for award. Full rollout completes November 2028.
Background
What Is CMMC — And Why Does It Matter Now?
CMMC is the DoD's unified framework to protect the Defense Industrial Base from cyber threats targeting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). After years of development, it became mandatory in November 2025.
Protects CUI and FCI
If your systems process, store, or transmit Federal Contract Information or Controlled Unclassified Information, CMMC applies to you — and to every subcontractor you use who touches that data.
Mandatory for Contract Award
Under DFARS 252.204-7021, contractors must hold a current CMMC certificate — valid no more than 3 years — as a condition of award. No certification, no contract. Compliance is tracked in SPRS.
Flows Down to Subcontractors
Prime contractors are responsible for ensuring their subcontractors also hold the appropriate CMMC level. Supply chain compliance is now a core contractual obligation, not an afterthought.
Annual Affirmation Required
A senior organizational representative must post an annual affirmation of continuous compliance in SPRS. Misrepresentation carries serious risk — including False Claims Act exposure and contract termination.
Certification Levels
Which CMMC Level Applies to You?
Your required level is specified in your DoD contract and depends on the sensitivity of information your systems handle.
Foundational
For organizations handling Federal Contract Information (FCI) only
- Basic cyber hygiene across 6 domains
- Annual self-assessment and affirmation in SPRS
- No third-party assessor required
- Access control, ID management, media protection, physical protection, system integrity
Advanced
For organizations handling Controlled Unclassified Information (CUI)
- Full alignment with NIST SP 800-171 Rev. 2 — 110 requirements, 320 assessment objectives (for Level 2 CUI protection); federal systems additionally governed by NIST SP 800-53
- Third-party C3PAO assessment required for most CUI contracts
- System Security Plan (SSP) and POA&M documentation required
- POA&Ms permitted for certain non-compliant items
- Certificate valid 3 years; annual affirmation required
Expert
For the most critical national security programs
- Builds on Level 2 with additional NIST SP 800-172 requirements
- Government-led assessments by DIBCAC
- Targets advanced persistent threat (APT) defense
- Continuous monitoring and proactive threat hunting required
Rollout Schedule
The 4-Phase CMMC Timeline
CMMC requirements roll out across DoD contracts in four phases through 2028. Where your contracts fall in this schedule determines your urgency.
Phase 1 — Enforcement Begins (Active Now)
CMMC requirements now appear in applicable new DoD contracts. Level 1 and Level 2 self-assessments required on applicable solicitations. A valid certification is required for award — there is no grace period.
Phase 2 — C3PAO Assessments Required (Approaching)
DoD solicitations and contracts may require Level 2 certificates issued by Certified Third-Party Assessment Organizations (C3PAOs) for CUI-sensitive work. Begin C3PAO preparation at least 6 months ahead.
Phase 3 — Level 3 Enters Scope (Planning Stage)
Higher-sensitivity programs may require Level 2 C3PAO assessments and/or Level 3 government-led DIBCAC assessments. Contractors on critical programs should anticipate Level 3 requirements entering their contracts.
Phase 4 — Full Mandatory Compliance (Full Enforcement)
All applicable DoD contracts must include the required CMMC level as a condition of award. No waivers, no exceptions. If you haven't achieved certification, you cannot bid on applicable DoD work.
How GiaMetrics Helps
Certified Practitioners. End-to-End Support.
GiaMetrics holds Cyber AB certifications at all active practitioner levels. We work alongside your team to close gaps, build documentation, and prepare you for assessment — without disrupting your operations.
Gap Assessment & Readiness Review
We benchmark your current environment against your required CMMC level — mapping all in-scope systems, data flows, and vendors. You know exactly where you stand before an assessor walks in. Delivered as a prioritized remediation roadmap with real timelines.
SSP & POA&M Development
A complete, well-structured System Security Plan is foundational to your assessment. We develop and maintain your SSP and POA&M to the exact standards assessors expect — covering all 110 NIST SP 800-171 requirements for Level 2.
Control Implementation & Remediation
Gaps don't close themselves. Our team works directly with your IT and operations staff to implement missing controls — from access management and encryption to incident response and configuration management.
C3PAO Assessment Support (RP & CCP)
As Registered Practitioners and Certified CMMC Professionals, GiaMetrics staff coordinate with the C3PAO assessment team, manage evidence, and guide your personnel through interviews, document reviews, and observations.
Continuous Compliance & Annual Affirmation
Certification is ongoing. We help you build internal processes to maintain compliance year-over-year — managing control drift, supporting your annual SPRS affirmation, and preparing for triennial re-assessments.
Supply Chain & Subcontractor Compliance
Prime contractors are accountable for their subs. We assess your subcontractors' CMMC posture, update subcontract templates with proper flow-down clauses, and build a vendor compliance monitoring program.
Assessment Process
The CMMC Level 2 Certification Workflow
What the formal C3PAO assessment looks like from first contact to certificate — with defined milestones at each phase.
Confirm Scope — Entities, CAGE Codes & ESPs (Pre-Assessment)
The C3PAO verifies the legal entities to be assessed, collects CAGE codes, and determines whether External Service Providers fall within scope. Your assessment unique identifier (UID) is established.
Frame the Assessment (Pre-Assessment)
Logistics, schedule, personnel, evidence accessibility, and the formal CMMC Assessment Scope are agreed upon. On-site vs. virtual assessment format is determined and confirmed with your SSP in hand.
Resolve Conflicts of Interest (Pre-Assessment)
C3PAOs must comply with ISO/IEC 17020:2012 impartiality requirements. A Lead CCA is proposed and approved. Any conflicts are disclosed, documented, and mitigated before the assessment proceeds.
Execute Contractual Agreement & NDA (Pre-Assessment)
A formal written agreement including a mutual Non-Disclosure Agreement is executed between the C3PAO and your organization. The DoD and Cyber AB are not parties to this contract.
Phase 1 — Pre-Assessment
The C3PAO evaluates whether your organization has sufficiently prepared — reviewing SSP completeness, documentation readiness, and control implementation status. Pre-Assessment Information Form submitted to eMASS.
Phase 2 — Assessment Conformity
The core evaluation phase. All 110 NIST SP 800-171 requirements assessed across depth and coverage objectives via interviews, document reviews, and direct observation. Follows 32 CFR § 170.17 and NIST SP 800-171A.
Phase 3 — Report Assessment Results
The assessment team finalizes findings, documents all evaluation results, and prepares the formal assessment report. Any POA&M items are identified. GiaMetrics helps you understand findings and build a strong remediation plan.
Phase 4 — Issue Certificate & Close POA&Ms
The C3PAO issues a CMMC Level 2 Certificate of CMMC Status. Remaining POA&M items are closed. Your certification is recorded in SPRS and annual compliance affirmation begins.
AI Security & NIST AI RMF
As DoD and federal agencies accelerate AI adoption, governance requirements are following fast. GiaMetrics® brings 8+ years of hands-on NIST AI RMF and Playbook implementation experience — governing AI systems through GOVERN, MAP, MEASURE, and MANAGE in cloud environments before it became a mandate.
Explore AI Security capabilities →
Purpose to Promise
GiaMetrics® was built around a simple belief: when an engagement ends, the organization should be stronger — not dependent on us to stay compliant. Founder Lawrence M. Coclough's MSDL Master Coach philosophy shapes every CMMC engagement. Certification is the milestone. Capability is the goal.
Our story and leadership philosophy →
Common Questions
CMMC FAQs
Is CMMC actually required right now?
How do I know what CMMC level I need?
What's the difference between CMMC 1.0 and CMMC 2.0?
Do CMMC requirements flow to my subcontractors?
What if my organization isn't fully compliant yet?
How long does CMMC Level 2 certification take?
What is SPRS and why does it matter?
Get Started
Let's Talk About Your CMMC Journey
Our team works with small and mid-size DoD contractors to achieve CMMC certification efficiently. Whether you're starting from scratch or need help closing gaps before an assessment, we're ready to help.