CMMC Standard and Certification

The Cybersecurity Maturity Model Certification (CMMC) establishes a standardized approach for implementing and evaluating cybersecurity measures throughout the Defense Industrial Base (DIB). Its main goal is to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring contractors and their supply chains to follow recognized security practices. CMMC features multiple certification levels and independent assessments to confirm that security controls are matched to the sensitivity of the information managed.

What is CMMC?

CMMC represents a significant advancement over previous cybersecurity requirements for defense contractors. Earlier frameworks relied primarily on self-attestation, where organizations declared their own compliance. In contrast, CMMC introduces independent, third-party verification and a structured maturity model.

This ensures that cybersecurity practices are not only implemented but are also appropriate to the risk profile of the work being performed. CMMC consolidates recognized standards, such as NIST SP 800-171, into a single, practical framework tailored for the Defense Industrial Base (DIB).

Primary objectives of CMMC include:

  • Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from unauthorized access or loss.
  • Establishing a baseline of cyber hygiene across all contractors and relevant subcontractors.
  • Aligning the entire supply chain to consistent, auditable cybersecurity practices, ensuring a unified and reliable approach to information security.

CMMC Accreditation Body (Cyber AB)

Independent assessments are conducted by C3PAOs (Certified Third-Party Assessment Organizations) under the Cyber AB (formerly CMMC-AB). Certification must be renewed periodically to maintain compliance.

Why Choose Kiwa?

Kiwa is a globally recognized, independent TIC partner with deep expertise in cybersecurity, compliance, and management systems. The organization’s impartial approach ensures objective assessments and practical recommendations tailored to each client’s needs.

Kiwa’s specialists provide comprehensive support throughout the CMMC preparation process, from readiness assessments and gap analyses to implementation guidance and internal audit preparation. By leveraging international best practices and a thorough understanding of regulatory requirements, Kiwa helps organizations align with the appropriate CMMC level and coordinate effective remediation.

The focus remains on transparency, practical solutions, and sustainable improvement, supporting clients in building trust with stakeholders and achieving long-term compliance goals.

CMMC Levels

Level 1 – Basic Cyber Hygiene

Focuses on protecting Federal Contract Information (FCI) by implementing 17 foundational cybersecurity practices. These controls include anti-malware measures, secure media disposal, and basic access safeguards. At this level, organizations must demonstrate that these practices are performed, but extensive process documentation is not required.

Level 2 – Intermediate Cyber Hygiene

Bridges the gap toward protecting Controlled Unclassified Information (CUI) with 72 practices, including all Level 1 controls plus additional requirements. This level requires documented policies and procedures, covering a broader range of cybersecurity activities and aligning with a subset of NIST SP 800-171 controls.

Level 3 – Good Cyber Hygiene

Aims to protect CUI through managed and resourced cybersecurity plans. Organizations must implement 130 practices, encompassing the full set of NIST SP 800-171 controls and additional requirements. This level emphasizes incident response, media handling, and process maturity, with planning and oversight in place.

Level 4 – Proactive

Designed to detect and respond to advanced threats, this level requires 156 practices, including all previous controls and selected practices from Draft NIST SP 800-171B. Organizations must demonstrate targeted training, threat scenario exercises, and enhanced monitoring, with continuous measurement of effectiveness.

Level 5 – Advanced/Optimizing

Focuses on enterprise-wide optimization and adaptive defense, requiring 171 practices. This level features standardized processes, ongoing improvement, and sophisticated protections for CUI, ensuring the highest level of cybersecurity maturity and resilience.

The certification process with Kiwa

Gap Analysis & Planning

Current cybersecurity controls are reviewed and mapped to the required CMMC level. This step results in a prioritized improvement plan tailored to the organization’s needs.

Implementation Support

Guidance is provided on developing and implementing policies, technical safeguards, staff training, and evidence collection to address identified gaps and strengthen security practices.

Pre-Assessment

A readiness check is conducted against CMMC criteria, simulating the official audit. This helps identify and resolve any remaining issues before the formal assessment.

Independent Assessment

Coordination with an authorized CMMC Third-Party Assessment Organization (C3PAO) ensures a smooth and thorough certification audit process.

Ongoing Support

After certification, support is available for continual improvement and preparation for future recertification, helping organizations maintain compliance as requirements evolve.

Benefits of the Service

Eligibility for MoD and DoD opportunities

Meet contractual requirements and compete confidently across the DIB.

Unified, auditable security

Consolidate multiple standards into a coherent, assessed framework.

Better threat readiness

Improve detection and response — especially at higher maturity levels.

Supply-chain confidence

Demonstrate trustworthy handling of FCI/CUI to primes and partners.

Business resilience and credibility

Reduce breach risk, protect IP, and enhance stakeholder confidence.

Frequently Asked Questions

Who must obtain CMMC certification?

Any organization within the Defense Industrial Base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is required to comply with CMMC. This includes all prime contractors and subcontractors involved in Department of Defense contracts, regardless of their tier.

Are all suppliers required to achieve the same CMMC level?

No, the required CMMC level varies based on the sensitivity of the information handled and the specific requirements of each contract. Organizations must meet the level that aligns with the type of data they access and the obligations set by the Department of Defense.

Does CMMC replace NIST SP 800-171?

CMMC does not replace NIST SP 800-171 but incorporates and expands upon its requirements at relevant levels. It adds process maturity and requires independent assessments to ensure that cybersecurity practices are consistently applied and maintained.

How often must CMMC certification be renewed?

CMMC certification is valid for a set period and must be renewed periodically. Organizations should plan for ongoing maintenance and regular evidence collection to remain compliant between assessments and ensure continuous protection of sensitive information.