By Chor-Ching Fan

With theft of Controlled Unclassified Information (CUI) on the rise, DoD announced the Cybersecurity Maturity Model Certification (CMMC) program on May 24, 2019. CMMC will require cybersecurity audits and certification for DoD contractors beginning in 2020/2021.

Based on NIST 800-171 controls, the CMMC will be a single standard for all DoD contracts and will require a third-party auditor to certify compliance with appropriate NIST 800-171 controls for handling CUI, rather than allowing contractors to self-certify. CMMC identifies five levels of CUI security to accommodate reasonable security for individual contractors.

  • CMMC Level 1 – Basic Cyber Hygiene: 17 security controls
  • CMMC Level 2 – Intermediate Cyber Hygiene: 46 additional security controls
  • CMMC Level 3 – Good Cyber Hygiene: 47 security controls – equivalent to  NIST SP 800-171.
  • CMMC Level 4 – Proactive: NIST 800-171 plus 26 additional security controls 
  • CMMC Level 5 – Advanced/Progressive/ State-of-the-Art: 800-171 plus 30 additional security controls

The required CMMC level for a contract will be published in RFP sections L & M.



For defense contractors, CMMC represents more stringent DoD scrutiny of security controls. Many contractors struggled to comply with self-certification under previous NIST 800-171 regulations and are wondering how to keep up with new CMMC requirements. The answer is Rizkly, a comprehensive, yet affordable CMMC compliance solution offering a powerful app combined with included CMMC compliance advisory tailored for smaller defense contractors. Rizkly’s Guided Security & Compliance (GSC) service simplifies your compliance project with:

  • affordable pricing that works for small and mid-sized DoD contractors
  • built-in checklists, instructions and control statements
  • simple tasking and tracking 
  • automatic SSP & POAM generation
  • a certified NIST and CMMC compliance advisor to answer questions and ensure you succeed on-time

If you’re wondering how you’ll achieve CMMC compliance in time,  we’d be glad to talk to you.  Just provide us your contact and we’ll pick up the phone and call you to discuss.