CMMC is the U.S. Department of Defense’s (DoD) cybersecurity framework that ties an organization’s ability to win and keep defense contracts to its demonstrated cybersecurity maturity. As a Canadian-based CPA firm and ISO certification body, we help defence contractors and their supply chain partners understand, implement, and prepare for CMMC 2.0 requirements in a practical, audit-ready way.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a three-level framework designed by the DoD to protect two key types of information in the Defense Industrial Base (DIB): Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It builds on existing U.S. federal requirements (such as NIST SP 800‑171 and FAR 52.204‑21) and introduces a maturity model with clearly defined practices, processes, and assessment expectations.
CMMC 2.0 reduces the original five levels to three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert), which align with the sensitivity of data handled and the sophistication of cyber threats they are meant to resist. The framework focuses on ensuring that defence contractors consistently apply appropriate safeguards across 14 cybersecurity domains, including access control, incident response, risk management, and system integrity.
CMMC applies to organizations in the Defense Industrial Base that process, store, or transmit FCI or CUI in connection with DoD contracts. This includes:
Prime contractors that contract directly with the DoD.
Subcontractors providing goods or services to primes.
Suppliers and service providers whose systems handle FCI or CUI as part of the defense supply chain.
Under CMMC 2.0, certification is required when a DoD solicitation or contract includes the CMMC clause (DFARS 252.204‑7021) and specifies a required level. Over time, the DoD plans for most contracts involving FCI or CUI to include CMMC requirements, making compliance a competitive necessity for defence suppliers.
If you are a Canadian or international organization supporting U.S. defense programs—directly or as a subcontractor—you may need to demonstrate CMMC-aligned controls to remain eligible for current and future work.
CMMC 2.0 defines three maturity levels, each building on the previous one in terms of the depth and rigour of cybersecurity practices.
| CMMC Level | Target data | Typical assessment type | Core requirements & focus |
|---|---|---|---|
| Level 1 – Foundational | Federal Contract Information (FCI) only. | Annual self‑assessment with executive affirmation in the Supplier Performance Risk System (SPRS). | Basic cyber hygiene; implementation of a subset (15–17) of safeguards aligned with FAR 52.204‑21 to protect FCI. |
| Level 2 – Advanced | Controlled Unclassified Information (CUI). | Either self‑assessment or independent third‑party assessment by a Certified Third‑Party Assessment Organization (C3PAO), depending on contract risk. | Implementation of all 110 security requirements from NIST SP 800‑171, with documented, repeatable practices across 14 domains. |
| Level 3 – Expert | High‑value CUI and critical national security programs. | Government‑led assessments (DoD assessment teams). | Additional advanced controls on top of NIST SP 800‑171, informed by NIST SP 800‑172, focused on defending against sophisticated Advanced Persistent Threats (APTs). |
Level 1 focuses on basic safeguards such as limiting access to systems, protecting devices, and ensuring secure transmission of information. Level 2 formalizes and deepens cybersecurity practices with full implementation of NIST SP 800‑171 requirements—including access control, incident response, system and communications protection, configuration management, and more—supported by documented policies and procedures. Level 3 adds enhanced, threat‑focused controls and monitoring, aimed at organizations supporting the most sensitive defense programs.
As a CPA firm and ISO certification body with deep experience in cybersecurity, assurance, and management system standards, we provide end‑to‑end CMMC support tailored to defence contractors and supply‑chain partners.
Our CMMC-related services include:
CMMC readiness assessments
Structured gap assessments against CMMC Level 1, 2, or 3 requirements, including mapping to NIST SP 800‑171 and related controls.
Control design and implementation support
Practical guidance on implementing required technical and process controls, aligned with your existing ISO 27001, ISO 27701, and other cybersecurity frameworks.
System Security Plan (SSP) and POA&M development
Assistance drafting clear, audit‑ready SSPs and prioritized POA&Ms that support your CMMC self‑assessment and external audit.
Policy, procedure, and evidence development
Support in updating cybersecurity policies, standard operating procedures, and evidence packages to meet CMMC 2.0 expectations for documentation and repeatability.
Mock CMMC assessments / audit simulations
Independent, pre‑assessment activities that simulate a C3PAO or government assessment to identify residual gaps before formal review.
Integration with ISO and other frameworks
Mapping and harmonizing CMMC requirements with ISO 27001, SOC 2, and related standards to reduce duplication and leverage your existing controls.
While official CMMC certification assessments must ultimately be performed by accredited C3PAOs or DoD assessment teams (for Level 3), advisory and readiness support are crucial to passing those assessments efficiently and effectively.
Achieving and maintaining CMMC compliance is an ongoing lifecycle rather than a one‑time event. A typical journey includes:
Determine required level
Identify whether your contracts involve FCI, CUI, or high‑value CUI and confirm which CMMC level is specified in current or targeted solicitations.
Perform a gap analysis / self‑assessment
Map your existing controls against the required level (for most organizations, NIST SP 800‑171 for Level 2) to identify control gaps and process weaknesses.
Develop a System Security Plan (SSP) and POA&M
Document how your environment is designed and controlled in an SSP, and create a Plan of Action and Milestones (POA&M) to remediate identified deficiencies in priority order.
Remediate and implement controls
Implement missing technical, administrative, and physical controls, update policies and procedures, and ensure staff are trained and aware of their responsibilities.
Pre‑assessment / readiness review
Conduct a readiness review or mock assessment to validate evidence, refine scope, and confirm you are prepared for a formal self‑assessment or C3PAO/government assessment.
Formal CMMC assessment and attestation
Complete the required self‑assessment, C3PAO assessment (for most Level 2 environments), or government‑led assessment (Level 3), and submit required scores and affirmations into the DoD’s systems (e.g., SPRS).
Continuous monitoring and improvement
Maintain controls, address new risks, and refresh assessments on the required cycle (typically annually for self‑assessments and every three years for third‑party or government assessments).
Working with a firm that understands both assurance and cybersecurity frameworks helps you bridge the gap between technical security controls and formal audit expectations.
You benefit from:
Expertise in control design, testing, and documentation from an audit perspective.
Practical alignment of CMMC with ISO standards and SOC reporting to avoid redundant work.
A risk‑based approach that focuses time and investment on controls that most impact your security posture and CMMC score.