CMMC – Win and retain government contracts

Sep 14, 2020 | Compliance, CMMC

Under the new CMMC mandate by the US Department of Defense (DoD), all contractors within the DoD supply chain must be CMMC certified. Failure to achieve and maintain CMMC certification will impact your organization’s ability to work on future contracts and may place your current DoD contracts at risk for non-compliance.


As of January 2020, the US Department of Defense has improved the DFARS / CUI protection mandate to the Cybersecurity Maturity Model Certification (CMMC), which now includes a 3rd party verification component.

Every federal contractor that stores, processes, or transmits Controlled Unclassified Information (CUI) and now Federal Contract Information (FCI) or Covered Defense Information (CDI) is required to achieve and maintain CMMC compliance without exception. The CMMC requirement also includes subcontractors and any organization within the DoD supply chain that shares in the use of CUI, FCI, and/or CDI information.

Starting in the fall of 2020, all new DoD solicitations will require entities to be at a certain CMMC maturity level to even bid on opportunities. While the CMMC board is finalizing the certification processes, there is no reason to wait to prepare for this inevitable certification requirement. In addition to impacting your ability to bid on DoD opportunities, you may also experience delays in achieving certification as there will be a limited number of companies approved to perform audits and certifications.

As CMMC is an upgraded requirement that is built on CUI, Duffy Compliance provides efficient and cost-effective solutions to achieve CMMC compliance. We provide full lifecycle support for CMMC, including analysis of the current state of your organization and what is needed to achieve CMMC compliance, remediation of gaps to achieving certification, and post certification upkeep.


COMPLIANCY: Being CMMC compliant allows your organization to bid on more DoD opportunities and ensures that you are compliant and not putting current government contracts at risk.

RELIABILITY: Your organization is determined to be a reliable government contractor for the proper protection of your organization’s handling of DoD information by demonstrating your ability to meet and maintain CMMC requirements.

SELF AWARENESS: You are more aware of your own security posture and have plans to keep it protected… and continue to be a compliant contractor.

WORK WITH PRIME CONTRACTORS: Being CMMC compliant means more business opportunities! You can work with prime contractors on CMMC bids and projects because they will be able to use your services as a CMMC compliant organization.

ADVANTAGE OVER COMPETITORS: When prime contractors are choosing which subcontractors to work with, your being CMMC compliant gives you an advantage over other competitors who are not compliant.

[Chart: CMMC Levels and Associated Focus]

THE 5 LEVELS OF CMMC COMPLIANCE

LEVEL 1 is a basic set of security safeguards. Every company should follow these 17 practices, which are part of the safeguards required in DFARS Clause 252.205-7012. Therefore, they are required for contractors to respond to non-public proposals containing Federal Contract Information (FCI) and Covered Defense Information (CDI). This level should be relatively easy to implement.

LEVEL 2 builds on the safeguards in Level 1 and includes the initial protection of Controlled Unclassified Information (CUI). It requires documentation of security policies for all 17 domains within CMMC. This level is considered a transition to Level 3.

LEVEL 3 builds on Levels 1 & 2 and now includes all the safeguard requirements from NIST SP 800-171 as well as 30 additional practices. Level 3 also requires the organization to show that all 17 domains within CMMC are managed through a System Security Plan (SSP) and Plan of Actions (POA).

LEVEL 4 continues to build on the lower processes by adding options that reduce the risk of Advanced Persistent Threats (APTs). Organizations are required to regularly review and measure their practices to determine their effectiveness. This level also includes more enhanced security requirements from NIST SP 800-171B.

LEVEL 5 continues the process even further with optimizing the security processes and practices across all applicable components in the organization. Level 5 is dedicated to protecting CUI from APTs. Additional enhanced security requirements beyond NIST SP 800-171B are also included.


We bring decades of experience assisting organizations in implementing NIST security controls and best practices. Duffy Compliance Services was one of the first and most experienced compliance firms assisting organizations to achieve CUI compliance. We are also in the process of becoming a C3PAO (Certified 3rd Party Accredited Organization).

We understand system security risk and how it affects system architecture. Our enterprise-level experience allows us to tailor solutions to your organization’s unique set of requirements that get you compliant with minimal operational disruption.

We also have a deep understanding of the environments, challenges, and needs of small-to-mid-size businesses. We approach all client projects from a sensible security perspective. We know you don’t have deep pockets for achieving compliance. We offer cost-sensitive solutions that are right-sized for your organization and cost-effective technical solutions, including cloud-based SaaS services and a certified VDI solution, to provide a turn-key CMMC ML3 solution that is deployed without delay.

Start the CMMC Certification Process Now

Whether new to CMMC or transitioning from CUI to CMMC, allow Duffy Compliance Services to give you peace of mind knowing that your compliance efforts are being professionally handled with your business objectives and outcomes in mind.

Call 301-865-0345 today to book your no-obligation, 15-minute CMMC compliance consultation with one of our Compliance Information Specialists or visit to learn more.

This conversation will help you understand exactly what is needed to avoid problems with these new regulations. A few minutes now could ensure your ability to continue as a Federal contractor.
