What is

The Cybersecurity Maturity Model Certification (CMMC) is a framework of five increasingly stringent control levels developed by the Department of Defense to protect its supply chain from cyberattacks.  



Who is affected by CMMC? 
All government contractors working with the DoD will need to become CMMC-certified by passing an independent CMMC audit from a C3PAO to verify they have met the appropriate level of cybersecurity for their business. The CMMC level required will be specified for each contract by the DoD in the Request for Information (RFI) and Request for Proposals (RFP). 

When will you need to meet the appropriate certification level?
Government contractors will need to be compliant at the time the contract is awarded. 

Are subcontractors affected? 
Yes, subcontractors working under a prime contractor will be expected to also maintain compliance. 

What’s the difference between NIST 800-171 and CMMC? 
CMMC differs from NIST 800-171 in that it includes five levels of cumulative practices and processes; this focus on processes is one major difference. CMMC seeks to institutionalize these processes so that they continue to be performed.

Will I need to be re-certified every year?
Yes, CMMC certification is required on an annual basis. 


About our CMMC team

Tony Bai

Federal Practice Lead

A 20-year Air Force retiree, Tony is responsible for overseeing NIST-based engagements, including FedRAMP, FISMA, and 800-171, and providing cybersecurity advisory and guidance to our clients. He has over 27 years of IT experience with the last 10 years specializing in cybersecurity, providing risk assessments for government agencies and Fortune 500 companies across multiple industries. 

And when he’s not leading the federal team at A-LIGN? You can catch him at comic book conventions or supporting his children’s Boy Scout and Girl Scout troops.


Why choose A-LIGN?

Real federal experts, real insights

20 years of Federal compliance experience including FedRAMP, FISMA, and NIST 800-171 

Among the first designated C3PAOs for CMMC

Copyright © 2021. All rights reserved.