What is CMMC? Who does it apply to? Why is it necessary? When does it become a requirement? How do you get started?

All good questions, ones that we will seek to answer below.

What is Cybersecurity Maturity Model Certification?

According to the Lockheed Martin website, CMMC is a new requirement for existing U.S. DoD contrators - "The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on contractor / subcontractor networks."

Who does it apply to?

Defense contractors and subcontractors, anyone who is working with the U.S. Department of Defense.

Why is it necessary?

The U.S. DoD answered this succinctly in their memorandum on understanding Cybersecurity Maturity Model Certification: "CMMC has, and will remain a priority for the Department, and will safeguard our enterprise against cyber theft losses that cost our Nation $100 billion annually, and $600 billion worldwide, equating to 1% of global GDP." 

When does it become a requirement?

Currently, the first version of the CMMC was released in January of 2020, with plans for Requests for Information to start in June of 2020, followed by Requests for Proposals to begin in September of 2020.   

References and Additional Resources:

Lockheed Martin:


United States Department of Defense:


CSO Magazine:


CMMC Accreditation Body or CMMC-AB


How do you get started with the certification process?

To learn more about Cybersecurity Maturity Model Certification (CMMC), and how the Smithers Quality Assessments Division can help, please reach out to us and we will be in contact with you shortly.

Learn more about Cybersecurity Maturity Model Certification (CMMC):

Contact us

Lead Consultant

Perseus Information 
Security Consulting

Tampa, FL



Download CMMC Guide


Latest Resources

See all resources