Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The CMMC: Answers About What to Expect and What it Means to You

As we kick off the New Year, Defense Industrial Base (DIB) and its 300,000+ members are legally required to bolster their defenses and align IT security with the Cybersecurity Maturity Model Certification (CMMC) in 2020.

Given the current cyber climate, security leaders must bolster data security defenses and make tactful adjustments to their security strategy. Depending on the sector they operate in, many don’t have a choice but to comply given the regulations in place. That happens to be the case with organizations in the  DIB and the thousands of entities that make it up. Once the first draft of the Cybersecurity Maturity Model Certification (CMMC) was issued by the U.S. Department of Defense (DoD), suppliers, contractors, and subcontractors who serve DoD, were put on alert comply or risk current and future business pursuits.

The CMMC framework is an example that the fight against data exfiltration by threat actors and nation-states, is real and the DIB needs to act quickly to comply.

As the looming deadline approaches, we’ve decided to answer ten general (but important) questions you likely have when it comes to the new regulation.

1. What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a government requirement that will categorize multiple levels of cybersecurity to assess the maturity of a company’s implementation of cybersecurity controls, practices, and processes. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced.”

2. Who needs CMMC?

All contractors or suppliers (prime and sub-contractors) doing business with the DoD will be required to comply with CMMC. Examples include system integrators, equipment manufacturers, service providers, and suppliers -  all of which need achieve a CMMC rating if they wish to continue to do business with DoD. The requirement for CMMC is the DoD’s first step in enhancing the security, visibility, and situational awareness of the DIB and the 300,000 organizations that make up the DoD Supply Chain.

3. Why was CMMC created?

Originally, DoD required compliance with NIST 800-171 which DIB members could self-certify.  DoD discovered that actual compliance is lacking; therefore, now a third-party assessment is required to document cybersecurity controls, practices and processes, and determine cybersecurity maturity level. The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases the risk to national economic security and, in turn, national security.

4. Who is creating CMMC?

To secure the DoD Supply Chain, the DoD is creating the CMMC compliance program in collaboration with Johns Hopkins Applied Physics Lab, Carnegie Mellon Software Engineering Institute, and industry. CMMC firmly establishes security as the foundation for acquisition and combines the various cybersecurity standards into a unified standard that will serve as a requirement to do business with the DoD.

5. What is CMMC based upon?

The CMMC intends to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

All contractors, sub-contractors, and suppliers will need to prove adequate cybersecurity controls by fall 2020.

6. When does CMMC go into effect?

CMMC will go into full effect by fall 2020.

Third-party assessment Organizations (3PAOs) will be trained as early as April/May 2020 timeframe. The CMMC will appear in Requests for Information (RFI’s) by June 2020 and Requests for Proposal (RFP’s) as early as August/September 2020. That means that all contractors, sub-contractors, and suppliers will need to prove adequate cybersecurity controls, practices and processes via a 3PAO assessment, and certification before bidding on new or renewed work by fall 2020.

7. How do I get started with CMMC?

If you are a government contractor, sub-contractor or supplier, it is best to begin with a pre-assessment to review your current security maturity level and identify any gaps in your security posture based on the level that you are trying to achieve.

  • Level 1: 17 practices to achieve “Basic Cyber Hygiene”
  • Level 2: 55 additional practices to achieve “Intermediate Cyber Hygiene”
  • Level 3: 59 additional practices to achieve “Good Cyber Hygiene”
  • Level 4: 26 additional practices to achieve “Proactive”
  • Level 5: 16 additional practices to achieve “Advanced Progressive”

From there, you may need to work with different cybersecurity solution providers to implement controls, practices and processes that meet any of the 17 domains that align with the maturity level your company is seeking.

Once you have what you believe to be complete controls in place, you will meet with a 3PAO for your third-party assessment. The assessment will provide a certification verifying the level of security maturity which will, in turn, determine the contracts you can bid on thus protecting your current and future business pursuits with DoD.

8. Where can I get a CMMC assessment or certification?

Assessments and certifications will be provided by a number of C3PAOs.

9. What if you are certified at a level too low?

If you receive an assessment from a 3PAO that is at a level too low for you to renew existing contracts or bid on new contracts, you can work with different cybersecurity solution providers to implement controls, practices, and processes to strengthen your cybersecurity posture and get reassessed.

See which domains Trustwave can help with here.

10. What else do I need to know about CMMC?

CMMC is slated to go into full effect by fall 2020 but will also have ongoing certification requirements. While the regulation is not yet final, we expect to see annual (Level 4 and 5), bi-annual (level 3) and ongoing (every 3 years for Level 1 and 2) certification requirements for all practice levels.

Additional FAQs can be found on the DoD website.

For more updates and changes tied to the regulation, stay tuned to for more insights from Trustwave experts and be sure to read about these five important items you need to prepare for.


Sharon Payne is the director of Partner Channel Development at Trustwave specializing in compliance with the CMMC.

Latest Trustwave Blogs

How Deepfakes May Impact Upcoming Elections Worldwide

The common fear regarding election interference is that a threat actor will gain access to either ballot machines or the networks that tally votes. However, there is a much easier method a person...

Read More

Get to Know MXDR: A Managed Detection and Response Service for Microsoft Security

The Microsoft 365 E5 license gives users entitlements to numerous Microsoft Security products—so many, in fact, that as companies deploy the Microsoft Security suite, they may need a managed...

Read More

Trustwave eBook Now Available: 8 Experts on Offensive Security

It is now obvious that defensive measures alone are no longer sufficient to protect an organization from cyberattacks. Threat actors are increasing their capacity at such a rate that merely sitting...

Read More