Cybersecurity Maturity Model Certification

For Department of Defense (DoD) contractors that collect, process, or store controlled unclassified information

View customer success stories Take the next step

New to the Cybersecurity Maturity Model?

Learn more about the framework, requirements, and the certification process and how 360 can support your certification efforts.

The compliance standard is an evolution of the DFARS 252.204.7012 and NIST 800-171 standards and is meant to protect the nation’s most sensitive data.

Designed to enhance the cybersecurity posture of the Defense Industrial Base (DIB), the framework combines several cybersecurity standards and best practices with controls mapped across several maturity levels.

Readiness Assessments

If you are new to federal cybersecurity and compliance requirements, we can help you determine which practices are in scope for your desired level of certification.

From there, we can conduct a gap analysis that evaluates your controls through the lens of the CMMC framework. Our auditors help you identify areas of non-compliance, then create a prioritized action plan for remediation.

Self-assessments will be required on an annual basis. When CMMC certification is required, C3PAO assessment (Level 2) or Government assessment (Level 3), will be required every three years.

Who Is Required to Have a CMMC?

CMMC is mandatory for all organizations that do business with the United States Department of Defense, including non-federal contractors and sub-contractors.

Can I Self-Certify?

Certifications must be provided by an independent CMMC auditor, also known as a C3PAO or CMMC assessor. Companies associated with the new Level 1 and some Level 2 acquisition programs are allowed to perform self-assessments.

CMMC Levels

The CMMC comprises three levels, each one covering a progressively higher number of practices and processes.

Organizations are encouraged to choose the maturity level that best supports their business goals, as well as their data processing activities.

Level 1-Foundational
15 requirements and is an annual self-assessment and annual affirmation

Level 2-Advanced
100 requirements aligned with NIST SP 800-171 and is a triennial third-party assessment and annual affirmation and a triennial self-assessment and annual affirmation for select programs

Level 3-Expert
110+ requirements based on NIST SP 800-171 and 800-172 and is a triennial government-led assessment and annual affirmation

The Relationship between NIST and CMMC

CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard has been met. The Defense Federal Acquisition Regulation Supplement (DFARS) clause states the basic safeguarding requirements for Level 1 compliance. Under CMMC 2.0, a level 2 assessment will be conducted against the NIST SP 800-171 standard. A Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.

With 2.0 Published, Do Companies Still Need to Comply with 1.0?

The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised framework according to requirements set forth in regulation.

Certification Timeline

CMMC 2.0 will not be a contractual requirement until the DoD completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

Learn more about CMMC
female government worker standing in in front of giant marble columns outside a government building

hear from our Federal Security clients

Quote

“I was introduced to the team,” Hindle said, “and right away there was a gel. It didn’t feel transactional. What 360 Advanced did for me was give me the confidence that I had a long-term compliance-services relationship”

Steve Hindle
Principal Chief Security & Compliance Officer | Spirion

Quote

“We work with them on every single project, so it’s really nice to have the history with 360 Advanced. They operate at a good pace—and they’re friendly.”

Emma Fountinelle
Information Security Engineer | Luma Health

Learn more about 360 Advanced’s Integrated Compliance Strategy with our free guide

Integrating your compliance needs into one strategy can save your business time and money. Download our free guide to find out how.

Download our Integrated Compliance Guide
compliance-report mockup

Contact

Begin your CMMC Certification journey today!

Whether you’re a current federal contractor or looking to bid on your first DoD contract, 360 Advanced can help you navigate the world of cybersecurity and compliance. Our team has experience with a variety of federal frameworks – from NIST and DFARS to FISMA and FedRAMP – and can help you meet your organization’s unique requirements. For more information about CMMC certification, contact us today.

360 Cyber News and Resources

Explore a wealth of knowledge in our client stories, insightful blogs, cutting-edge white papers, and the latest press releases—your gateway to a repository of expertise and industry insights.

Explore More
AICPA-SOC-Logo
CyberAB
PCI-QSA
FedRamp
ANAB
HITRUST

Cybersecurity and Compliance to match your organization’s needs. Learn more.

360 Advanced

200 Central Avenue, suite 2100
St. Petersburg, FL 33701
info@360advanced.com
+1 (866) 665-0962

Services

Resources

Learn About 360

360 Advanced managed cybersecurity services Logo Image

“360 Advanced” is the brand name under which 360 Advanced, Inc and 360 Advanced Cybersecurity, LLC (and its subsidiaries) provide professional services. 360 Advanced, Inc and 360 Advanced Cybersecurity, LLC practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. 360 Advanced, Inc is a licensed certified public accounting firm (Florida license number AD67897) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and 360 Advanced Cybersecurity, LLC provides nonattest cybersecurity and compliance professional services to its clients. 360 Advanced Cybersecurity, LLC and its subsidiaries are not licensed CPA firms. 360 Advanced, Inc and 360 Advanced Cybersecurity, LLC are independently owned and are not liable for the services provided by any other entity providing services under the 360 Advanced brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by 360 Advanced, Inc and 360 Advanced Cybersecurity, LLC.

Copyright @ 2025 360 Advanced Inc. | All Rights Reserved | Privacy Policy | Contact Us