Cybersecurity Maturity Model Certification (CMMC)
CMMC is essential for businesses seeking to participate in DoD contracts, ensuring that they can protect United States national defense information, defend against cyber threats, and maintain the highest standards of information security.
By achieving CMMC, companies not only comply with DoD requirements but also demonstrate their commitment to national security, maintaining the integrity of the supply chain, and protecting our war fighters.

CMMC History
2010
Executive Order (EO) 13556, "Controlled Unclassified Information" (CUI) program established.
2015
NIST SP 800-171 published to provide Defense Industrial Base (DIB) contractors with recommended requirements for protecting the confidentiality of CUI and the processing, storing, or transmitting of CUI.
2016
DFARS 252.204-7012 – Defense Industrial Base (DIB) contractors became responsible for instituting their own cybersecurity safeguards in accordance with NIST SP 800-171, monitoring their compliance, and self-certifying. DIB contractors were given until December of 2017 to comply.
2017
Defense Industrial Base (DIB) contractors required to implement NIST SP 800-171r2 cybersecurity program to protect sensitive controlled-unclassified-information (CUI).
2020
CMMC 1.0 Framework
DFARS 252.204-7019 – Self Assessment and Report in SPRS
DFARS 252.204-7020 – Available for DIBCAP Audit
DFARS 252.204-7021 – CMMC Certification
2021
CMMC 2.0 Framework proposed
- Reduced maturity levels from five to three
- Added limited POAMs with up to 180 days to resolve
- Added self-attestation from senior official for Level 1
- Added controls from NIST SP 800-172 for Level 3
2023
CMMC 2.0 published in the Federal Register as a proposed rule
2024
CMMC 2.0 (Title 32 CFR) effective December 16th, 2024
NIST published the final versions of NIST SP 800-171 rev. 3 in May
DoD class deviation to DFARS 252.204-7012 in May
2025
CMMC 2.0 Title 48 expected to be published in Q2 2025.
Once published in the Federal Register, the rule will be effective 60 days later, making the CMMC Program available for use by the DoD.

CMMC 2.0
The CMMC 2.0 model has been streamlined to three levels, aligning its requirements with the NIST SP 800-171 and NIST SP 800-172 standards.
The assessment process has been revised, with limited use of Plans of Action and Milestones (POA&Ms) and time-bound waivers requiring senior DoD approval.
Level 1 DIB contractors are allowed to self-assess their cybersecurity programs and provide an attestation to the DoD.
Most Level 2 and all Level 3 DIB contractors are required to obtain a third party assessment of their cybersecurity program.

Our Proven CMMC Process

Projects: We create discrete projects from the POA&M, linking each item to one or more projects so you can see what work must be accomplished to achieve CMMC compliance.
AXIOTROP will work with your team to:
- Create a project portfolio detailing project objectives, potential technology solutions, estimated labor time and costs, and all impacted CMMC controls.
- Create a prioritized technology implementation plan and a high-level overview (roadmap) to CMMC Level 2 certification.
Discovery: Identify key data, business processes, and technology. CMMC is about protecting data! Understanding which data to protect and how it flows in, is stored and used, and flows out is critical to right-sizing your cybersecurity plan.
AXIOTROP will work with your team to:
- Develop a high-level data flow diagram.
- Implement a CMMC compliance platform to provide leadership with oversight and governance of all CMMC-related activities in one place.
Risk Management: CMMC compliance is a journey, not a destination. As the organization grows and business processes and technologies change, items will be uncovered that need to be added to the POA&M to close gaps. The Risk Management process assures continuous improvement and CMMC compliance.
AXIOTROP will work with your team to:
- Schedule and hold Risk Management meetings to identify and document continuous improvement efforts.
- Risk Management meetings also provide evidence of compliance work and process maturity.
- Test the Incident Response Plan.
- Create a commitment matrix with daily, weekly, and monthly cadences.
Validation: Prepare for the upcoming CMMC third-party assessment. Our compliance software (Future Feed) tracks your requirements, documented SSP, and objective compliance evidence to put your assessor at ease right from the start.
AXIOTROP will work with your team to:
- Collect and store evidence of cybersecurity maturity in Future Feed to demonstrate CMMC compliance.
- Select a C3PAO through a vendor-agnostic analysis.
- Complete the C3PAO assessment process, working side by side with your team to meet the assessors' requirements as efficiently as possible and reduce time and cost to your organization.
CMP Assessment: Our CMMC SMEs will assess the Cybersecurity Maturity Posture of your organization. The CMPA will be based on NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
AXIOTROP will work with your team to:
- Assess your organization on all NIST 171 controls and objectives.
- Develop an updated network map, a list of all technology tools and services, a list of application vulnerabilities, and a detailed data flow diagram.
- Create a detailed Plan of Action and Milestones (POA&M).
Remediation: We guide you through the prioritized technology implementation plan. Our scalable remediation approach allows you to move forward at the expense and time commitment rate that matches your needs.
AXIOTROP will work with your team to:
- Develop a training plan to increase CMMC awareness.
- Select the technology solutions for each project through a vendor-agnostic analysis.
- Implement technology upgrades and security controls in accordance with the project plans.
- Document your system security plan (SSP), including policies, plans, procedures, and lists.










AXIOTROP Webinars
AXIOTROP has had the opportunity to participate in these insightful webinars, providing valuable knowledge and engaging with industry experts. Explore the webinars and discover key takeaways that will support your CMMC journey!
See below for a list of episodes in a webinar series dedicated to CMMC education.
Hosted by RIMA, featuring AXIOTROP