
CMMC Certification for Government Contractors

By: Daniel Larson

If your government contracting business doesn’t have its CMMC certification, you could be ineligible for future contracts — causing a hard hit to your revenue stream.

With all eyes on cyber security these days, CMMC compliance is a critical issue that government contractors need to tackle. With CMMC compliance being required by many contracts, now is the time for government contractors to work toward the certification.

Bill Walter from our Technology Solutions Group teamed up with one of the nation’s top cyber security compliance experts, Steve Rutkovitz of Choice Cybersecurity, to present a webinar on the CMMC certification. In the webinar they offered government contractors clarity around the CMMC certification process and timeline, and explained how to prepare for CMMC compliance.

You can watch the full webinar here:



There’s still a good bit of confusion around CMMC, so let’s look at a few need-to-know points covered by the webinar.

What Is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a federal compliance requirement that is being implemented by the Department of Defense. The DoD identified the biggest area of risk to be around the supply chain. The idea is that businesses that work with each other have to start protecting each other.

Prior to CMMC being implemented, DoD contractors were asked to complete the NIST 800-171 checklist. However, this was only a recommended best practice and not a requirement. Many government contractors didn’t do it, so the DoD created a compliance requirement to make it mandatory to have certain cyber security measures in place in order to do business.

Who Must Have the CMMC Certification?

All businesses with DoD contracts must be CMMC-compliant in order to be eligible for 2022 contracts. In addition, any business that is part of the supply chain associated with a DoD contract must also apply. Many government contractors fall into this supply chain category.

How Long Does It Take to Get the Certification?

It takes approximately six months to get the CMMC qualification.

As a side note, we polled our webinar attendees to see where they stand with CMMC compliance, and 75% of them said they haven’t started the process yet.

Are There Different Levels of CMMC Compliance?

Yes! There are five levels of CMMC compliance. You need to know where your government contracting business falls. Most fall under Level 3.

Steve Rutkovitz offered this example of a government contracting business that needs Level 3 compliance: say you have a landscaping company that maintains the White House grounds. Your business has White House blueprints. While the blueprints aren’t labeled top secret, they are marked by the DoD as “controlled unclassified information,” known as CUI.

The following table shows what the different levels of CMMC compliance entail:


Levels of CMMC Compliance

What Should Government Contractors Do As They Work Toward CMMC Compliance?

While the webinar offers a great deal of detail on the steps for implementing CMMC, there are three broad stages to be aware of as you work toward compliance.


Three Phases of CMMC


NIST 800-171 is an interim rule before CMMC is fully implemented. You should have already submitted your NIST 800-171 score and POAM (Plan of Action & Milestones) to the DoD.

Many prime contractors are asking subcontractors to prove that they are CMMC compliant. While there is no standard or formal process that primes are using to request proof of CMMC compliance, you need to be prepared to show proof when asked.

The third segment is the actual CMMC compliance audit.

How Should Government Contractors Prepare for the CMMC Audit?

As the diagram below shows, government contractors should first go through an assessment with a CMMC Third-Party Assessor Organization, also known as a C3PAO. The assessment will evaluate how “audit-ready” your business is. Most importantly, it will reveal any holes that need to be filled before going through the audit.

You can schedule a free one-hour assessment of your CMMC position to see where your business stands with audit readiness.

The remediation phase is where those holes are filled. During this phase, you’ll likely work with a cyber security expert to adopt measures that make your business more secure and ready to pass the audit.

From there, your business should undergo a mock audit to ensure that all the right controls and documentation are in place. Then, you’ll go through the full CMMC audit, hopefully resulting in your CMMC certification.


CMMC Certification Process


Funding Available for Maryland Government Contractors

It’s worth mentioning that certain Maryland-based government contractors are eligible for a grant as they pursue cyber security compliance. You can read about the grant here.

Need Help?

Contact us online or call 800.899.4623.

Published June 21, 2021
