DOD Cybersecurity Compliance

Get your business ready for the new CMMC requirements

Simpatico Systems CMMC Registered Provider Organization

Simpatico Systems is proud to be a Registered Provider Organization (RPO).  Your company can trust Simpatico Systems with your CMMC and DOD Cybersecurity needs!  Find us on the CMMC-AB Marketplace list of providers.

What is CMMC?

What are the CMMC Levels?

When does the CMMC go into effect?

How do I achieve CMMC Compliance?

What is the CMMC?

Inside the Cybersecurity Maturity Model Certification (CMMC)

If your business depends on Department of Defense (DoD) contracts, then you are already aware of their Defense Acquisition Federal Regulation Supplement (DFARS) mandate published in 2015 requiring DoD contractors to adopt the cybersecurity standards outlined in NIST’s SP 800-171 cybersecurity framework. Because the failed, somewhat self regulated, honor system which was incentivized with a competitive advantage in winning contracts, the slow adoption rate and false claims of compliance, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) model.

The CMMC model will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”

The intended destination for the CMMC model combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53ISO 27001ISO 27032AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.


What do we know about the CMMC?

The DOD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).

The CMMC will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified Information (CUI) that resides on the Department’s industry partners’ (Contractors) networks.


What can DOD contractors expect as this is pushed out?

DoD contractors will have to become CMMC certified by passing an audit performed by a DoD accredited auditor. Contractors will have to meet the appropriate level of cybersecurity for their business. This will become the requirement for anyone who wants to hold contracts with the Department of Defense or work as a subcontractor on DoD related projects.

CMMC Levels

What level of CMMC is right for me and my business?

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. Here’s what we currently know about the CMMC levels and their respective requirements:
Note: This information is based on Version 0.7 of the CMMC model. The number of controls per level could change in future revisions of the CMMC model. We will update this document as official updates are released. For more information, a full list of frequently asked questions can be found here.

Level 1

Basic Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.

Level 2

Intermediate Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.

Level 3

Good Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.

Level 4


In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls

Level 5

Advanced / Progressive

In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB. plus 11 new  “Other” controls

What level of the CMMC will I need to get certified?

This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. The entire point of CMMC is to make it more feasible for small to mid-sized business to become compliant while ensuring that any sensitive information or CUI your organization handles remains safe. This means that most companies will fall under Level 1 or Level 2 (which will map 64 controls from 800-171), while prime contractors can expect to become Level 3 certified (which will map all 110 controls from 800-171). Level 4 and 5 (which will map additional controls found in 800-171revB) are going to typically be required of the large primes like Lockheed Martin and Northrop Grumman.

When does CMMC go into effect?

CMMC Timeline

How do I achieve CMMC compliance?

Defense contractors are not compliant with CMMC until they coordinate with an accredited and independent third party certification organization to perform a CMMC audit.  It is in contractors best interest to partner with an agency like Simpatico Systems to help them prepare for a CMMC audit.


What should I do to prepare for an audit?

  • For DoD contractors that have already implemented all NIST SP 800-171 controls, they should have no issues with passing a CMMC audit successfully up to CMMC Level 3.
  • For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit.

Although the DoD contractor is ultimately responsible for ensuring their company meets the cybersecurity requirements, many DoD contractors that don’t have the resources or IT staff available to ensure compliance, they choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity around the CMMC.

If you would like to speak with someone about preparing for a CMMC audit, give us a call at (806) 224-0300 to schedule a free consultation.

What should I do right now?

Regardless if you choose to keep this in house or outsource, you will need to know how close or how far away from meeting any of the five levels of the CMMC your business is. The most effective way to accomplish this is to have a third-party perform a gap assessment to discover inadequate system setups and processes that may not meet all of the required controls.

Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that will correct any problems and keep our clients in line with CMMC requirements. The gap analysis will either aid a DoD contractor in performing their own remediation plan, or they may opt to have a third-party, such as an MSSP, perform the remediation for them.

Simpatico Systems understands the urgency around obtaining compliance. Also the complexity around navigating NIST compliance and the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on DoD contractor systems and ensure a successful audit and certification.

Cybersecurity insurance is an essential part of any modern business strategy. However, meeting the insurance requirements can be a complex process. As an experienced MSP, we can streamline this process, ensuring that you meet and exceed these requirements while
simultaneously improving your overall cybersecurity posture.

Contact us today to find out more about how we can help you navigate the audit process for your cybersecurity insurance. Protecting your digital assets has never been more critical; let us help you do it right.

When bidding on large contracts, one aspect that benefits our chances of winning are getting all points available on Cyber Security evaluations. The benefits provided by Simpatico’s Cyber Security Program helps our company stand out from the competition because of the thorough understanding of potential threats.

Angela Barnes, ITS Quest, Inc.

Simpatico has allowed us to focus on our business and not technology. They have handled our phone and data networks with a sense of professionalism and urgency; making us more profitable and our customers extremely happy.

Nathan Zeigler, Principle Nathan Zeigler & Associates

The Cyber Security Program Simpatico offers provides an interesting and fun way for our staff to learn and become more aware of potential threats. The information in the training has influenced our company’s policy & procedures, allowing us to be more proactive when it comes to protecting data we are responsible for.

Sarah Reagan, ITS Quest, Inc.