Cybersecurity Maturity Model Certification (CMMC)

Preparing Your Company for Department of Defense Supply Chain Requirements

Earn the CMMC Certification You Need to Win DoD Contracts

Pratum’s experienced cybersecurity consultants will guide your organization through each step of the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC). If the DoD is ultimately your customer, you should start working now on your CMMC certification.

Anticipating CMMC’s launch in 2021, Pratum has been on the front edge of preparing clients to reach their CMMC goals. We are already working with firms on their readiness plans. Our deep experience with governing organizations means our consultants know the right questions to ask decision makers about your specific situation, better preparing you for a successful assessment.

Pratum’s work with the Federal Information Systems Management Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP) and more positions us to help companies pursue CMMC certification as soon as the standards are finalized.

Are you ready for CMMC?

We can get you there.

How CMMC Works

Beginning in 2021, the DoD will move toward requiring CMMC compliance for every vendor in its supply chain—300,000 companies when the process is complete. So whether your firm delivers completed fighter jets to the Pentagon or builds an electronic control inside those jets, your future contracts depend on earning your CMMC certification in the coming months.

Unlike previous DoD standards, you can’t certify yourself as compliant with CMMC. You’ll need to retain a C3PAO to assess your organization. To make sure you pass that assessment, best practices suggest hiring a company to help you get ready. (The same company cannot serve as both your consultant and assessor.)

Where to Start

  • Allow yourself 6 months to complete CMMC certification
  • Identify your desired Maturity Level to bid on DoD Contracts
  • Engage a CMMC-AB registered provider organization for guidance and prep

Finding the Right CMMC Level

Pratum will help identify the CMMC Level your work requires. The standard includes five levels that build on each other, with detailed protocols for Controlled Unclassified Information (CUI) at the higher levels. Only about 1% of DoD contracts will require Levels 4 and 5. But as this chart shows, the first three levels each represent a significant increase in controls. Properly identifying your required level and understanding its requirements will be critical to an efficient, successful assessment process.



Level 1

Basic Cyber Hygiene (17 Practices)

Focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").

Level 2

Intermediate Cyber Hygiene (72 Practices)

Serves as a progression from Level 1 to 3 and consists of a subset of the security requirements specified in NIST 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

Level 3

Good Cyber Hygiene (130 Practices)

Focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.

Level 4

Proactive (156 Practices)

Focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Level 5

Advanced/Progressive (171 Practices)

Focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
