All services

Cybersecurity Maturity Model Certification

CMMC Assessments

Authorized C3PAO-led CMMC Level 2 assessments that identify maturity gaps and deliver board-ready certification roadmaps.

CMMC Assessments

Definition

What is CMMC Assessments?

CMMC (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense's program requiring contractors and subcontractors in the Defense Industrial Base (DIB) to demonstrate cybersecurity maturity before handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). A CMMC Level 2 certification is performed by a Cyber AB authorized C3PAO (Certified Third-Party Assessor Organization) and is valid for three years.

Overview

How we approach it

As an authorized C3PAO, we conduct formal CMMC Level 2 assessments against the 110 NIST SP 800-171 security requirements.

Every requirement is scored MET, NOT MET or N/A, with evidence packaged for DoD submission.

We deliver the certification, the Plan of Action & Milestones (POA&M) for any allowable gaps, and an executive briefing.

What we do

Scope of the engagement

Scoping & asset categorization

Define CUI, Security Protection and Contractor Risk Managed Assets per DoD scoping guidance.

On-site / virtual assessment

Evidence review, interviews and control testing against all 110 SP 800-171 requirements.

Scoring & POA&M

Formal scoring, identification of allowable POA&M items and remediation guidance.

Certification & submission

Final report, SPRS submission support and three-year certification.

Outcomes

What you walk away with

  • CMMC Level 2 certification valid for three years
  • DoD-ready scored evidence package
  • Clear POA&M for any conditional items

FAQ

Common questions

Who needs CMMC?

Any DoD prime or subcontractor handling FCI (Level 1) or CUI (Level 2 or 3).

How long is certification valid?

Three years, with an annual affirmation by a senior official.

Ready to scope a cmmc assessments engagement?

Talk to an advisor