To some degree or another, those involved in cybersecurity activities associated with work for the United States federal government have heard of the term “CMMC”. But what exactly is it?  It is an acronym for “Cybersecurity Maturity Model Certification”.

To provide a brief historical background into this, between 2016 and 2020, the overall economy lost well over $60 to$109 Billion due to cyberattacks alone.

A big chunk of this was targeted towards the federal Government, in which Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) datasets were most at risk.  Essentially, these are data sets that the Department of Defense (DoD) shares with external organizations in order to facilitate the completion of contracts.

Due to the sheer gravity of the aforementioned financial loss, the DoD has dramatically ratcheted up the security requirements for these external organizations.  In other words, they now have to become compliant (by becoming certified) with the statutes and provisions of CMMC before they will be awarded or can bid on any kind or type of work.

It is crucial to keep in mind that this is still an evolving process, and there are many questions that still need to be answered.  Perhaps one of the most frequently asked is, “Who needs to attain the CMMC Certification?”.  We explore this in more detail in this article.

Who Needs It?

Long story short, any business entity that currently does work for the DoD (and soon the federal government on non-defense contracts) must achieve this level of certification in order to prove that they have the appropriate set of controls in place to safeguard both CUI and FCI datasets.  Typically, this will apply to all organizations classified as a defense contractor.  CMMC states that not only a prime contractor, but also any subcontractor under that prime must also be CMMC certified as well.

For example, suppose defense contractor XYZ manufactures braking components for the F-18 fighter jet. In that case, subcontractor ABC that develops the brake fluid for this and other needed lubricants will also need to become CMMC certified.  All of these defense contractors and their associated subcontractors are collectively known as the defense industrial base (DIB).

Overall, it is estimated that the DIB consists of at least 300,000 companies. To bid on any future work, both the prime contractor and subcontractors must at least, for right now, achieve   Level 1 certification and then work up to Level 3 certification.

It should be noted there are overall five distinct maturity levels, and at present, the DoD requires Level 3 certification for contracts handling CUI.  At present, these are the defense and related industries in which companies must be CMMC certified:

  • Critical Infrastructure
  • The Defense Group
  • Export/Import
  • The Financial Sector (this even includes the accounting companies that keeps the books for the Defense Contractors)
  • Immigration (especially when it comes to hiring workers whose nationality/citizenship is not United States-based)
  • The Intelligence Community
  • Legal and Law Enforcement entities
  • Agricultural Industries
  • International military organizations (such as that of NATO)
  • Nuclear Facilities
  • Data Privacy companies
  • Supply Chain and Logistics (especially those that deal with the procurement and distribution of any type or kind of raw materials)
  • Any mathematical or statistical Consulting Firms that provide information and data modeling capabilities to the Defense Contractors

It is important to note that CMMC Model v1.0 came out in January of 2020. By 2026, the DoD will require that all defense contractors and their related subcontractors must come not only to be CMMC certified but also maintain their compliance status through various audits and assessments that can take place, and they will not be able to bid on RFP’s unless they have achieved the certification of the RFP.


CMMC is still unknown to many businesses, and it is estimated that 58% of the DIB have not even taken any action on becoming certified yet. Don’t be one of those laggards; contact KAMIND IT today to help you stay ahead of the curve.


Guide to the CMMC Standard & Certification | NQA