CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard developed by the U.S. Department of Defense (DoD) to protect sensitive information shared with defense contractors and subcontractors. Implemented to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC represents a significant shift in how the defense industrial base approaches cybersecurity.

What Being CMMC Compliant Means

Achieving CMMC compliance means your organization has:

Implemented Required Security Controls

You’ve established specific cybersecurity practices and processes appropriate to your certification level, including access control, incident response, risk management, and system monitoring.

Documented Your Processes

Compliance requires comprehensive documentation demonstrating how your organization implements and maintains security controls, including policies, procedures, and evidence of practice.

Undergone Assessment

Depending on your level, you’ve completed either a self-assessment or passed a third-party audit conducted by a CMMC Third-Party Assessment Organization (C3PAO).

Committed to Continuous Compliance

CMMC isn’t a one-time achievement—it requires ongoing maintenance, regular reassessments, and continuous improvement of your cybersecurity posture.

The Three CMMC Levels

Level 1: Foundational

  • Focuses on protecting Federal Contract Information (FCI)
  • Requires implementation of 17 basic cybersecurity practices
  • Primarily involves annual self-assessments
  • Appropriate for contractors handling only FCI

Level 2: Advanced

  • Designed to protect Controlled Unclassified Information (CUI)
  • Requires 110 security practices aligned with NIST SP 800-171
  • Mandates third-party assessment for certain contracts
  • The most common level required for defense contractors

Level 3: Expert

  • Addresses advanced persistent threats (APTs)
  • Builds upon Level 2 with additional advanced practices
  • Required for contractors handling the most sensitive CUI
  • Always requires government-led assessments

Key Requirements Across All Levels

Access Control

Limiting system access to authorized users and devices

Awareness and Training

Ensuring personnel understand security responsibilities

Configuration Management

Establishing and maintaining secure system configurations

Identification and Authentication

Verifying user and device identities

Incident Response

Having plans to detect, respond to, and recover from security incidents

Maintenance

Performing regular system maintenance and updates

Media Protection

Protecting and sanitizing data storage media

Physical Protection

Securing physical access to systems and facilities

Risk Assessment

Identifying and managing cybersecurity risks

Security Assessment

Regularly evaluating security control effectiveness

System and Communications Protection

Monitoring and controlling communications

System and Information Integrity

Protecting against malicious code and system flaws