CMMC Certification: A New Era in Cybersecurity Readiness
Matt Hoeper, Katherine Adams, Tyler Gormus
Edwards Cybersecurity Team
The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC), a landmark framework aimed at protecting sensitive information across the Defense Industrial Base (DIB). This move has been years in the making and represents a significant shift in how contractors approach cybersecurity. As Edwards’ Lead Certified CMMC Assessor (CCA), Matt Hoeper, puts it, “CMMC is more than a compliance checkbox—it’s about building better cyber hygiene to safeguard sensitive data and support national security.”
But what does this mean for contractors, and how can organizations prepare for these evolving requirements? Let’s break it down.
The New Framework
CMMC now consists of three levels, each addressing progressively more stringent cybersecurity requirements:
- Level 1: Self-assessment for basic security practices, primarily for Federal Contract Information (FCI).
- Level 2: Third-party certification, focusing on 110 security controls from NIST 800-171 for Controlled Unclassified Information (CUI).
- Level 3: Comprehensive assessments incorporating additional requirements from NIST 800-172, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
“These levels provide clear benchmarks for organizations,” explains Hoeper. “But what’s critical to understand is that this rollout will affect more than just contracts. Prime contractors may push Level 2 requirements onto their supply chains, making preparation key for any organization handling CUI.”
A Call to Action & Why CMMC Matters
Organizations must begin their CMMC journey now. Katherine Adams, Senior Cybersecurity Consultant at Edwards, emphasizes the urgency: “This is not a sprint—it’s a long-distance run to shore up and protect the interests of the U.S. Companies need to view cybersecurity as an investment, not a burden. Those who hesitate risk being left behind.”
To get started, Hoeper recommends partnering with a trusted Registered Practitioner Organization (RPO) or a CMMC Third-Party Assessment Organization (C3PAO). “Find experts who can conduct a gap analysis and help you navigate the path to certification,” he advises. “Just remember, if you work with a C3PAO to prepare, they can’t also assess you. Trust is key in choosing the right partner.”
The stakes are high. Tyler Gormus, another Senior Cybersecurity Consultant at Edwards, points out, “NIST 800-171 has been a requirement for years, but CMMC formalizes the process. It’s a way for companies to showcase their ability to protect CUI and FCI, ensuring they remain competitive for DoD contracts.”
Beyond compliance, CMMC is about elevating the overall cybersecurity landscape. Strengthened protections mean fewer vulnerabilities and more secure supply chains. By embracing these standards, organizations contribute to a more resilient national defense infrastructure.
How Edwards Can Help
Edwards Performance Solutions is uniquely positioned to support contractors on their CMMC journey. As both a Registered Practitioner Organization (RPO) and CMMC Third-Party Assessment Organization (C3PAO), we offer comprehensive services, including readiness assessments, policy creation, and tailored strategies to meet certification requirements.
“This isn’t just about meeting DoD requirements,” Hoeper adds. “It’s about positioning your organization for success in a more secure and competitive environment.”
Are you ready to take the next step? Contact Edwards today to learn how we can guide your organization toward CMMC compliance and long-term cybersecurity resilience.