Cybersecurity Maturity Model Certification CMMC

IQC-The ISO Pros

In our time now, it’s not only the physical treasures we need to guard – we need to make sure that we’re keeping the digital and the virtual information we have safe and secure, too. Cybersecurity has been big – it actually has blown up in the past couple of years and it’s been due to a lot of things including the rise of popularity of the internet, the shift from the physical to the virtual age, and many more.

Even the government is in the works of inculcating technology as a part of its features and functionalities, too. This is the main and the actual reason why the Cybersecurity Maturity Model Certification (CMMC) has been put in place. Not sure what the CMMC is? Can’t have a full grasp or a full understanding of what this certification is?

What is the CMMC?

The CMMC, short for the Cybersecurity Maturity Model Certification, is the nationally-known standard for cybersecurity that the Department of Defense (DoD) has developed. It’s a process that would help in the certification process of contractors and suppliers of the DoD.

This new structure is effective and it has been since it’s able to guarantee the efficiency and the effectiveness of over 300,000 companies in the supplier list of the DoD. The framework is so new that its first version was only released in January of this year and it’s yet to be developed and finalized.

As a matter of fact, it has been in the process of redesigning and restructuring for almost half a decade and it just got finalized recently. Good news because we here at IQC – the ISO Professionals will be more than happy to help and to assist you on how you can get the certification for you to be able to work side-by-side with the DoD.


CMMC Timeline

The CMMC or the Cybersecurity Maturity Model Certification is the model that is structured specifically to help and aid suppliers and manufacturers who wish to work with the DoD and assist them with their projects. Here are some of the dates that you need to know about:


June 2020
Several DoD contractors have started seeing some changes in the requirements of the CMMC in the Request For Information (RFI) process. They’ll be notified and alerted about what these requirements are and they should be prepared for it.
September 2020
By this month, some DoD contractors must expect to see added requirements in the Request For Proposal (RFP) process. Before they’re able to send and secure a proposal, the requirements would be needed.
October 2020
Starting this date, contractors and suppliers of the DoD need to be duly certified by an accredited assessor or the C3PAO or the CMMC Third Party Assessment Organization. Before they get a contract signed, they’d need to be certified and verified.
. . .

Similar to the CMMI, the CMMC has a framework that is determined by five (5) different maturity levels, namely:

  1. Basic Cyber Hygiene
  2. Intermediate Cyber Hygiene
  3. Good Cyber Hygiene
  4. Proactive
  5. Advanced or Progressive

Each of these levels is built and based on the last level – where there should be some type of improvement for it. For instance, before getting into the next level, a DoD contractor or a manufacturer needs to polish and finish up the previous level before moving up.

Let us briefly discuss and talk about each of the levels.

Here at IQC – the ISO Professionals, we never want to confuse our clients. When we speak of “Basic Cyber Hygiene,” what we want our clients to understand that it’s as basic as it gets. It can include the provision of training to staff members in ensuring the security of accounts and software, the use of antivirus programs, and the like.

Straying from the level of Basic Cyber Hygiene, we’ll go to the next step – this is known as the level where the real CMMC begins. In this step, new data is to be introduced, and it includes Controlled Unclassified Information (CUI). In addition to that, this step requires organizations to have documentation largely based on NIST 800-171-r2 which consists of certain knowledge and skills.

After Intermediate Cyber Hygiene comes to Good Cyber Hygiene. This is the level or the phase where it gets advanced – and since in this level, most of the organizations working with the DoD would have set some things up, this is where it gets trickier. At this level, organizations and companies need to have at least 47 security controls in total – these are used to help out in the deduction of variation and options.

What we always promote here at IQC – the ISO Professionals is the virtue of proactivity, because in the 4th level of the CMMC comes proactivity. What this requires is that companies need to have the willingness to be proactive in detecting and identifying threats, measuring effectiveness and efficiency, as well as defeating and overcoming all types of threats that would present itself.

After the 47 controls, the CMMC adds another 30 security controls that need to be installed and integrated to achieve and to arrive at the 5th level. This is the advanced level of the CMMC where it talks about and discusses the response in the changing atmosphere of threats within a given situation or scenario.


Everything might sound new to you, especially if you’re just new in the industry. However, what we can guarantee with you here at IQC – the ISO Professionals is the fact that we will help you in understanding everything you need.

Even if we’ve been in the industry far too long, these are new sets and types of information and we wouldn’t be able to master it all at once – but with the help of our cybersecurity professionals and experts, as well as our auditors, you will never see or feel a shortage of the most crucial and the most relevant information you need.

Get the best type and kind of help you can have for the lowest and the most reasonable rate you can get! Call us now!

Locations-IQC ISO 9001 Standards Services, Implementation, Training, & Consulting
We operate nationwide without any type of restriction – wherever you are, you can feel free to contact us.
Click On the Map to Find the ISO Professionals Near You