
Cybersecurity Maturity Model Certification (CMMC)

Meet CMMC requirements and show your organisation complies with Department of Defense requirements for cybersecurity.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework developed by the U.S. Department of Defense (DoD). The primary objective is to enhance the cybersecurity controls that are in place for organisations supplying the DoD, known as the Defense Industrial Base (DIB). The CMMC model aims to manage risk and verify that DoD contractors can safeguard information classed as Controlled Unclassified Information (CUI) and comply with NIST SP 800-171 DOD assessment requirements and some other cybersecurity requirements.

What is the latest update on CMMC?

On September 10, the 48 CFR CMMC Final Rule was published in the Federal Register. This is a significant milestone in the rollout of CMMC. From November 10, 2025, Cybersecurity Maturity Model Certification will take effect and become mandatory in new Department of Defense contracts.

Defence contractors should take proactive steps to be prepared for when the Final Rule takes effect. Do not underestimate the effort required. Achieving CMMC certification is a significant endeavour, and insufficient preparation could result in a false start and delays in obtaining certification.

As an authorised C3PAO, NSF can work with you. We have a range of services including mock CMMC assessments, Phase 1 CMMC pre-assessments and formal Phase 2 CMMC assessments.

What are the CMMC certification requirements?

There are three levels of the CMMC model. Each one represents a level of cybersecurity maturity and the certification process is different for each level.

Level 1
This level focuses on basic cybersecurity hygiene practices, such as access control and incident reporting. It's designed for organisations that handle Federal Contract Information (FCI). Through an annual self-assessment and an annual affirmation, organisations required to meet Level 1 must demonstrate they can meet 15 requirements aligned with FAR 52.204-21.

Level 2
This level is designed for organisations that handle Controlled Unclassified Information (CUI). It requires them to comply with 110 practices aligned with NIST SP 800-171. A C3PAO assessment is required every three years (select programmes may require a self-assessment every three years) as well as an annual affirmation.

Level 3
This level is designed for organisations involved with critical DoD programmes. It requires them to comply with 110 requirements from NIST SP 800-171 and 24 from NIST SP 800-172. Every three years they must undertake a DIBCAC assessment and complete an annual affirmation to verify compliance with the 110 security requirements in NIST 800-171.

CMMC certification is required for organisations of varying sizes across a diverse range of industries in the Defence Industrial Base. NSF is ideally placed to support organisations of all sizes and from many different industries. Contact one of our team to learn how we can work with you to navigate this new and evolving regulatory landscape.

Start your CMMC journey to compliance now

Get your CMMC quote today.

NSF-ISR's Security Gap Assessment

Information security is a concern for everyone, and we believe that all businesses can benefit from a comprehensive security assessment. Whether you're looking for a one-time audit or working toward certification, NSF-ISR's Security Gap Assessment is the starting point.

What is the CMMC process?

The CMMC certification process involves several key steps to ensure that organisations meet the necessary requirements for the relevant CMMC status level. Organisations are encouraged to start this process now.

  1. Conduct a CMMC self-assessment: Organisations must conduct a thorough self-assessment to evaluate their current cybersecurity practices against the requirements of CMMC. This CMMC self-assessment helps identify gaps and areas for improvement. NSF can work with you to address any of these areas.
  2. Third-party CMMC audit: Once the self-assessment is complete, organisations must engage an authorised third-party assessment organisation (C3PAO), such as NSF, to evaluate their compliance with the CMMC requirements. This provides an objective evaluation of the organisation's cybersecurity posture. If you are ready, talk to us now to book this in.
  3. CMMC affirmation: Upon successful completion of the third-party CMMC assessment, organisations will receive their CMMC certification. This is valid for three years, after which organisations must undergo re-assessment to maintain their CMMC status. NSF will be able to offer this service. In addition, an annual affirmation is required to verify compliance with the 110 security requirements in NIST 800-171 Revision 2.

Why certify with us

NSF-ISR is an authorised C3PAO. We are listed in the CyberAB Marketplace and we are ready to work with organisations of all sizes to achieve compliance. Benefits of choosing NSF include:

  • Dedicated expertise you can trust. Our CMMC professionals include a certified CMMC Provisional Assessor, certified CMMC Registered Practitioner and certified CMMC Professional.
  • Auditing know-how. Our assessors are fully qualified lead ISO/IEC 27001 and NIST 800-171 auditors.
  • A trusted supplier of information and cyber security services, beyond CMMC. We also provide certification to ISO/IEC 27001 and NIST 800-171, whose frameworks were used as the core to develop CMMC, as well as to ISO/IEC 20000-1 and CSA STAR.
  • Independently accredited. We are an ISO/IEC 17021 accredited certification body, and NSF is ISO/IEC 27001 certified.

Get Started With CMMC

Begin your journey to CMMC certification or ask us a question about the steps you need to take.