Security & Compliance

CMMC: An Introduction to the Cyber Maturity Model Certification

What is the CMMC?

The CMMC is a new government standard that combines various cybersecurity standards and best practices to a grading scale of maturity in which the assessed is compared. The CMMC is born out of a relationship for a standard security model for government entities such as the DoD and created by Carnegie Mellon University and Johns Hopkins University Applied Physics Laboratory, LLC. The CMMC contains five levels (L1-L5) with L5 being the most stringent, incorporating popular standards such as:

  • FAR Clause 52.204-21
  • NIST SP 800-171 Rev 1
  • Draft NIST SP 800-171B
  • CIS Controls v7.1
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
  • CERT Resilience Management Model (CERT RMM) v1.2
  • NIST SP 800-53 Rev 4
  • Others such asUK NCSC Cyber Essentials, or AU ACSC Essential Eight
The standard contains 171 cybersecurity best practices across the maturity levels. The range of levels may be defined as such:
Level 1: Basic safeguarding of client data
Level 2: Intermediate implemented safeguards in place
Level 3: Good broad protection of Controlled Unclassified Information (CUI)
Level 4: Proactive Reduction of Risk from Advanced Persistent Threats
Level 5: Advanced Reduction of Persistent Threats/Progressive Security

Incorporation of these business practices into your information security governance model will assist in securing your environment and compliance with the standard.


As the standard is implemented it retains a hierarchical system in which all compliance objectives for Level 1 compliance must be attained and be built upon for Level 2 compliance. Additional information on the CMMC model may be found here.

What is audited with CMMC?

CMMC works much like a NIST standard wherein 17 domains of controls and procedures are audited to an established standard. These areas include:

Access Control (AC)Asset Management (AM)Audit and Accountability (AU)
Awareness and Training (AT)Configuration Management (CM)Identification and Authentication (IA)
Incident Response (IR)Maintenance (MA)Media Protection (MP)
Personnel Security (PS)Physical Protection (PE)Recovery (RE)
Risk Management (RM)Security Assessment (CA)Situational Awareness (SA)
System and Communications Protection (SC)System and Information Integrity (SI) 

Each domain area is audited against an established standard to achieve a level (L1-L5) of compliance with the CMMC standard. Audits performed against these criteria per the maturity model are listed using the convention [DOMAIN].[LEVEL].[PRACTICE NUMBER] where:

  • DOMAIN is the two-letter domain abbreviation;
  • LEVEL is the level number; and
  • PRACTICE NUMBER is the identifier assigned to that practice.

The focus of the CMMC standard is to audit processes and procedures in place for the protection of data in transit and at rest of information security systems. Systems in scope may include company secrets, client databases and any other information that may be classified or otherwise not public facing for the infrastructure of your business.

Why is the CMMC useful?

The CMMC is a gauge for an organization the auditing of their processes and procedures along with appropriate supporting evidence to expose areas of improvement within their infrastructure. Practices and processes may be improved, changed, or removed from corporate policies and practices as they may not align with the entity’s overall information security stratagem. Congruence with the CMMC may prove to your government-contracted client that your business has been audited against their standards and is actively making improvements to the governance model of your business.

According to Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition, (A) CMMC standards will begin populating RFPs for DoD contractors by the fall of this year with a full rollout expected to be complete within 5 years. Compliance with the standard will ensure a leading edge in the selection process to become a DoD contractor.

Why MegaplanIT?

MegaplanIT Holdings, LLC provides a trusted advisory and assistance at a pace convenient to continue business as usual. Our business processes, tools, and technical expertise will ensure that the audit process is expedient and cost-effective as to eliminate downtime and resource requests. MegaplanIT is involved in several audits also found within the CMMC model including but not limited to:

  • NIST 800-171
  • NIST 800-53
  • NIST Cyber Security Framework
  • PA-DSS
  • ISO 17020
  • ISO 27001-27002

If you would like to learn more about the Cyber Maturity Model Certification (CMMC) and how MegaplanIT can assist you,

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Setup a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

Industry Leading Certified Experts


Subscribe To Our Newsletter & Stay Up-To-Date

Explore Our Blogs

Whitepaper | 10 min Read

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business