CMMC Standard and Certification

The Cybersecurity Maturity Model Certification (CMMC) establishes a standardised approach for implementing and evaluating cybersecurity measures throughout the Defence Industrial Base (DIB).
Its main goal is to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring contractors and their supply chains to follow recognised security practices. CMMC features multiple certification levels and independent assessments to confirm that security controls are matched to the sensitivity of the information managed.


What is CMMC?

CMMC represents a significant advancement over previous cybersecurity requirements for defence contractors. Earlier frameworks relied primarily on self-attestation, where organisations declared their own compliance. In contrast, CMMC introduces independent, third-party verification and a structured maturity model.

This ensures that cybersecurity practices are not only implemented but are also appropriate to the risk profile of the work being performed. CMMC consolidates recognised standards, such as NIST SP 800-171, into a single, practical framework tailored for the Defence Industrial Base (DIB).


Primary objectives of CMMC include:

  • Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from unauthorised access or loss.
  • Establishing a baseline of cyber hygiene across all contractors and relevant subcontractors.
  • Aligning the entire supply chain to consistent, auditable cybersecurity practices, ensuring a unified and reliable approach to information security.


Why Choose Kiwa?

Kiwa is a globally recognised, independent TIC partner with deep expertise in cybersecurity, compliance, and management systems. The organisation’s impartial approach ensures objective assessments and practical recommendations tailored to each client’s needs.

Kiwa’s specialists provide comprehensive support throughout the CMMC preparation process — from readiness assessments and gap analyses to implementation guidance and internal audit preparation. By leveraging international best practices and a thorough understanding of regulatory requirements, Kiwa helps organisations align with the appropriate CMMC level and coordinate effective remediation.

The focus remains on transparency, practical solutions, and sustainable improvement, supporting clients in building trust with stakeholders and achieving long-term compliance goals.

CMMC Levels

Level 1 – Basic Cyber Hygiene

Focuses on protecting Federal Contract Information (FCI) by implementing 17 foundational cybersecurity practices. These controls include anti-malware measures, secure media disposal, and basic access safeguards. At this level, organisations must demonstrate that these practices are performed, but extensive process documentation is not required.

Level 2 – Intermediate Cyber Hygiene

Bridges the gap towards protecting Controlled Unclassified Information (CUI) with 72 practices, including all Level 1 controls plus additional requirements. This level requires documented policies and procedures, covering a broader range of cybersecurity activities and aligning with a subset of NIST SP 800-171 controls.

Level 3 – Good Cyber Hygiene

Aims to protect CUI through managed and resourced cybersecurity plans. Organisations must implement 130 practices, encompassing the full set of NIST SP 800-171 controls and additional requirements. This level emphasises incident response, media handling, and process maturity, with planning and oversight in place.

Level 4 – Proactive

Designed to detect and respond to advanced threats, this level requires 156 practices, including all previous controls and selected practices from Draft NIST SP 800-171B. Organisations must demonstrate targeted training, threat scenario exercises, and enhanced monitoring, with continuous measurement of effectiveness.

Level 5 – Advanced / Optimising

Focuses on enterprise-wide optimisation and adaptive defence, requiring 171 practices. This level features standardised processes, ongoing improvement, and sophisticated protections for CUI, ensuring the highest level of cybersecurity maturity and resilience.

The certification process with Kiwa

1. Gap Analysis & Planning

Current cybersecurity controls are reviewed and mapped to the required CMMC level. This step results in a prioritised improvement plan tailored to the organisation’s needs.

2. Implementation Support

Guidance is provided on developing and implementing policies, technical safeguards, staff training, and evidence collection to address identified gaps and strengthen security practices.

3. Pre-assessment

A readiness check is conducted against CMMC criteria, simulating the official audit. This helps identify and resolve any remaining issues before the formal assessment.

4. Independent Assessment

Coordination with an authorised CMMC Third-Party Assessment Organisation (C3PAO) ensures a smooth and thorough certification audit process.

5. Ongoing Support

After certification, support is available for continual improvement and preparation for future recertification, helping organisations maintain compliance as requirements evolve.

Benefits of the Service

Eligibility for MoD and DoD opportunities

Meet contractual requirements and compete confidently across the Defence Industrial Base.

Unified, auditable security

Consolidate multiple standards into a coherent, assessed framework.

Better threat readiness

Improve detection and response — especially at higher maturity levels.

Supply Chain confidence

Demonstrate trustworthy handling of FCI and CUI to primes and partners.

Business resilience and credibility

Reduce breach risk, protect intellectual property, and enhance stakeholder confidence.

Frequently Asked Questions

Who must obtain CMMC certification?

Any organisation within the Defence Industrial Base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is required to comply with CMMC. This includes all prime contractors and subcontractors involved in Department of Defence contracts, regardless of their tier.

Are all suppliers required to achieve the same CMMC level?

No. The required CMMC level varies based on the sensitivity of the information handled and the specific requirements of each contract. Organisations must meet the level that aligns with the type of data they access and the obligations set by the Department of Defence.

Does CMMC replace NIST SP 800-171?

CMMC does not replace NIST SP 800-171 but incorporates and expands upon its requirements at relevant levels. It adds process maturity and requires independent assessments to ensure that cybersecurity practices are consistently applied and maintained.

How often must CMMC certification be renewed?

CMMC certification is valid for a set period and must be renewed periodically. Organisations should plan for ongoing maintenance and regular evidence collection to remain compliant between assessments and ensure continuous protection of sensitive information.