
Cybersecurity Maturity Model Certification (CMMC)

Meet CMMC requirements and show your organization complies with Department of Defense requirements for cybersecurity.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework developed by the U.S. Department of Defense (DoD). Its primary objective is to strengthen the cybersecurity controls in place at organizations supplying the DoD, collectively known as the Defense Industrial Base (DIB). The CMMC model aims to manage risk and verify that DoD contractors can safeguard information classed as Controlled Unclassified Information (CUI) and comply with NIST SP 800-171 DoD assessment requirements and certain other cybersecurity requirements.

What is the latest update on CMMC?

On September 10, the CMMC Final Rule (48 CFR) was published in the Federal Register. This is a significant milestone in the rollout of CMMC. From November 10, 2025, Cybersecurity Maturity Model Certification will take effect and become mandatory in new Department of Defense contracts.

Defense contractors should take proactive steps to be prepared for when the Final Rule takes effect. Do not underestimate the effort required. Achieving CMMC certification is a significant endeavour, and insufficient preparation could result in a false start and delays in obtaining certification.

As an authorized C3PAO, NSF can work with you. We have a range of services including mock CMMC assessments, Phase 1 CMMC pre-assessments and formal Phase 2 CMMC assessments.

What are the CMMC certification requirements?

There are three levels of the CMMC model. Each one represents a level of cybersecurity maturity and the certification process is different for each level.

Level 1
This level focuses on basic cybersecurity hygiene practices, such as access control and incident reporting. It is designed for organizations that handle Federal Contract Information (FCI). Through an annual self-assessment and an annual affirmation, organizations required to meet Level 1 must demonstrate they meet the 15 requirements aligned with FAR 52.204-21.

Level 2
This level is designed for organizations that handle Controlled Unclassified Information (CUI). It requires them to comply with 110 practices aligned with NIST SP 800-171. A C3PAO assessment is required every three years (select programs may instead require a self-assessment every three years), as well as an annual affirmation.

Level 3
This level is designed for organizations involved with critical DoD programs. It requires them to comply with 110 requirements from NIST SP 800-171 and 24 from NIST SP 800-172. Every three years they must undertake a DIBCAC assessment and complete an annual affirmation to verify compliance with the 110 security requirements in NIST 800-171.

CMMC certification is required for organizations of all sizes and across a diverse range of industries in the Defense Industrial Base. NSF is ideally placed to support organizations of all sizes and from many different industries. Contact one of our team to learn how we can work with you to navigate this new and evolving regulatory landscape.

Start your CMMC journey to compliance now

Get your CMMC quote today.

NSF-ISR's Security Gap Assessment

Information security is a concern for everyone, and we believe that all businesses can benefit from a comprehensive security assessment. Whether you're looking for a one-time audit or working toward certification, NSF-ISR's Security Gap Assessment is the starting point.

What is the CMMC process?

The CMMC certification process involves several key steps to ensure that organizations meet the necessary requirements for the relevant CMMC status level. Organizations are encouraged to start this process now.

  1. Conduct a CMMC self-assessment: Organizations must conduct a thorough self-assessment to evaluate their current cybersecurity practices against the requirements of CMMC. This CMMC self-assessment helps identify gaps and areas for improvement. NSF can work with you to address any of these areas.
  2. Third-party CMMC audit: Once the self-assessment is complete, organizations must engage an authorized third-party assessment organization (C3PAO), such as NSF, to evaluate their compliance with the CMMC requirements. This provides an objective evaluation of the organization's cybersecurity posture. If you are ready, talk to us now to book this in.
  3. CMMC affirmation: Upon successful completion of the third-party CMMC assessment, organizations will receive their CMMC certification. This is valid for three years, after which organizations must undergo re-assessment to maintain their CMMC status. NSF will be able to offer this service. In addition, an annual affirmation is required to verify compliance with the 110 security requirements in NIST 800-171 Revision 2.

Why certify with us

NSF-ISR is an authorized C3PAO. We are listed in the CyberAB Marketplace and we are ready to work with organizations of all sizes to achieve compliance. Benefits of choosing NSF include:

  • Dedicated expertise you can trust. Our CMMC professionals include a certified CMMC Provisional Assessor, certified CMMC Registered Practitioner and certified CMMC Professional.
  • Auditing know-how. Our assessors are fully qualified lead ISO/IEC 27001 and NIST 800-171 auditors.
  • A trusted supplier of information and cyber security services, beyond CMMC. We also provide certification to ISO/IEC 27001 and NIST 800-171, whose frameworks were used as the core to develop CMMC, as well as to ISO/IEC 20000-1 and CSA STAR.
  • Independently accredited. We are an ISO/IEC 17021 accredited certification body, and NSF is ISO/IEC 27001 certified.

Get Started With CMMC

Begin your journey to CMMC certification or ask us a question about the steps you need to take.