As of January, 2020, the federal government has moved to an improved version of CUI called the Cybersecurity Maturity Model Certification (CMMC), which now includes a verification component.
What is CMMC (Cybersecurity Maturity Model Certification)?
Every federal contractor that stores, processes, or transmits Federal Contract Information (FCI) or Covered Defense Information (CDI) is considered a covered entity and therefore required to adhere to the CMMC regulation. This requirement also includes their subcontractors and supply chain that share in FCI and CDI.
CMMC is designed to measure the cybersecurity maturity of an organization through three different levels. The levels consist of cybersecurity best practices, frameworks, and standards from the community. Each level has a set of practices, which build on the previous level.
However, with the flux in the CMMC model, the DoD announced the Interim Rule, which went into effect November 30, 2020. As of that date, contracting officers will check the Supplier Performance Risk System (SPRS) database to confirm that a contracting agency has an active SPRS Assessment prior to the award of a new contract or the continuation of an existing one.
While you can now self-assess using the SPRS database, it is not as straightforward as you might think (or want).
The 3 Levels
Level 1 is equivalent to the entire safeguard requirements from FAR Clause 52.204-21
Level 2 builds on Level 1 and now includes all the safeguards requirements from NIST SP 800-171
Level 3 continues the process even further will be based on a subset of NIST SP 800-172 requirements
The Department of Defense (DoD) disclosed changes to the original CMMC model, resulting in this current CMMC 2.0 model.

Source: acq.osd.mil/cmmc/model.html
So how do you achieve CMMC compliance?
And which level do you need? Unlike in the past, companies must now have a third-party validate their CMMC compliance. Basically, compliance requirement is now necessary to continue to do business in this industry.
We understand this is not your business. It is ours.
Our objective to our clients is simple:
We provide solutions ideally suited to remove the additional tasks that burden the client such as:
- Tracking users on their awareness training process or phishing exercises
- Conducting vulnerability assessments and remediation priorities
- Near real-time review of continuous security monitoring solutions
The Cybersecurity Industry
There are many cybersecurity companies making changes to their specialties to try to help organizations comply with the CMMC regulation.
And just like every industry, just because a company is in a similar industry and provides a product or specialized service on a particular topic, it doesn’t mean they are qualified to conduct a new business practice.
You need someone that is experienced in providing the proper controls and documentation that you will need to continue to work on federal contracts.
You need experienced subject matter experts.
What Sets Duffy Compliance Services Apart
Our Methodology
We have a proven methodology that sets us apart. Anyone can look at the compliance security requirements. The real power comes from knowing how to cover security requirements using existing infrastructures and new technologies that don’t require additional staff commitment. We know how to put them in place. We have created a proprietary three-phase approach to understand where you are, get you compliant, and then keep you there.
Phase 1
Gap Analysis (Finding out what you need to be in compliance)
To know where you are in order to know the path to get to where you need to be. Then you need a plan to get there (Phase 2).
Phase 2
Remediation Process (Getting you to compliance)
Using the plan in Phase 1, conduct the necessary to the changes, such as encryption, intrusion detection, system monitoring, and role-based access controls.
Many programs end here. However, we add Phase 3 because security is a process, not a single event.
Phase 3
Security Maintenance (Keeping you in compliance)
Ensure periodic controls are active and in place. Some examples of these controls include continuous monitoring, scheduled vulnerability assessment, reviews of policies and procedures, table-top exercises, and security awareness training and phishing exercises.
What are the penalties for not complying?
Penalties for non-compliance are simple but effective. If you are not compliant, you are no longer permitted to bid on new government contracts. If you are already awarded or subcontracting to a contract that now requires CMMC certification, you will run the risk of being removed from those projects.
Provide your IT staff the support they need to be sure your data is safe.
Win and Retain Government Contracts
With a CMMC certification you are able to continue and pursue the government work you already are qualified to be engaged on.
Build your compliance package
The deliverables are the policies, procedures, tests, and tracking system of the CMMC compliance status all bundled in a “compliance package” that an auditor can use to confirm the organization is meeting the mandates required by the government to secure CUI data.
How do CMMC and CUI work together?
CMMC CMMC has three levels of maturity. Level 1 is basic cybersecurity hygiene and requires only the protections as prescribed in the regulation. These controls are the minimum requirement to bid on federal contracts. This requirement is for federal contract information (FCI) provided by or generated for the Government under contract and not intended for public release.
CMMC Level 2 is the first advanced requirement for CUI material. This level will mirror NIST SP 800-171 (110 security practices).
CMMC Level 3 is the expert level that will be based on a subset of NIST SP 800-172 requirements.
CMMC Compliance
Benefits
Every organization looks forward to new business. Ensure your compliance is in effect before you lose the ability to bid on future government contract work.
The CMMC requirements apply to all components of the federal and non-federal information systems and organizations that possess, store or transmit FCI or CUI. If your organization provides protection or security for these areas, the requirement also applies.
Reliability
You get peace of mind knowing that you can pass an audit. More importantly, you are properly protecting controlled information!
Working Plan
You are more aware of your own security posture and have a working plan to keep it protected.
Work with Prime Contractors
More Business Opportunity! You can work with prime contractors on CMMC bids where they can use your services.
Corporate Image
Your clients and employees can see your dedication to protecting your business and its data. This discourages sloppy security practices across the enterprise.
Why Choose Duffy Compliance?
We bring decades of experience in implementing NIST security controls and best practices. We understand system security risk and how it affects system architecture. Our enterprise-level experience allows us to tailor solutions to your organization’s unique set of requirements that get you compliant with as little change and disruption as possible.
Duffy Compliance Services gives you peace of mind to know that your compliance effort is being professionally handled, and your data is safe and secure. There have been many times we have been called to an organization after a security breach or event. It is much more expensive to clean up a breach than it is to prevent one.
Duffy Compliance Services, a provider of cybersecurity consulting and compliance services is a candidate Certified 3rd Party Assessor Organization (C3PAO) by the CMMC Accreditation Body. A C3PAO is authorized to schedule, manage, and provide assessments for organizations seeking to be CMMC compliant.

Click here to book your no-obligation 15-minute CMMC compliance consultation with one of our Compliance Information Specialists. This conversation will help you understand exactly what is needed to avoid problems with these new regulations. A few minutes now could ensure your ability to continue as a Federal contractor (prime or sub).
We can help as a Fractional Compliance Officer, CUI compliance, CMMC, Cyber Security Awareness Training, Supplier Performance Risk System (SPRS) Consulting, and more. We have several decades of cybersecurity and compliance experience in Maryland, the Greater Washington DC area, and beyond.