Is your organization ready for CMMC 2.0?


Is your organization ready for CMMC 2.0?

By Ann Collins, Executive Vice President of LearnSpectrum

Cybersecurity is critical these days. Nowhere is this truer than our national security. It’s why the Department of Defense requires Cybersecurity Maturity Model Certification (CMMC) for its contractors. There is a lot of information out there about CMMC, and its latest incarnation CMMC 2.0. As an executive of an organization that works closely with defense contractors, I wanted to distill the information down to the key points and provide resources for further research.

If, after reading this blog, you or your organization has any questions or would like to know more about how we can help you with other training or learning needs, feel free to email me at – I’d love to talk to you! 

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework to protect the defense industrial base’s (DIB) Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from frequent and increasingly complex cyberattacks.1  By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department of Defense (DoD) assurance that contractors and subcontractors are meeting the DoD’s cybersecurity requirements.

CMMC has been around for some time but was recently updated to a “2.0” version to ensure accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements.

CMMC 2.0 measures the implementation of cybersecurity requirements at three levels:

  1. Level 1 Foundational – Encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21
  2. Level 2 Advanced – Encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012
  3. Level 3 Advanced – Requires standardized, optimized, and enhanced processes to respond to every-changing and sophisticated tactics of ATPs (Advanced Persistent Threats).

Who needs to be certified?

With limited exceptions, the DoD intends to require compliance with CMMC as a condition of contract award for anyone working with DoD information.3 Specifically, it is required if/when DoD CUI and/or FCI will be processed, stored, or transmitted on a contractor information system.4

Contractors must achieve certification before they can win future government contracts.

By when does your organization need to be certified?

CMMC requirements could begin appearing in contracts as early as May 2023. Getting key personnel trained and certified is part of the path to organizational readiness for Organizations Seeking Certification (OSCs), and this process can take months. You don’t want to wait. Plus, as an early adopter, you may gain an advantage over others not yet certified. 

CMMC requirements could appear in contracts as early as July 2023.

How do organizations get certified?

CMMC certifications are provided by an authorized and accredited CMMC Third Party Assessment Organization (C3PAO) or certified CMMC Assessor.  To find an authorized C3PAO, visit The Cyber AB CMMC Certification Marketplace. Cyber AB is the official accreditation body of the CMMC ecosystem.

Only engage with a C3PAO or assessor if you are certain your organization already meets CMMC requirements.

How do you prepare for organizational certification?

The first step is enrolling employees in training to prepare for the certification exam(s).  But, with all the potential CMMC training providers and courses out there, where do you start? 

Recommended CMMC 2.0 training courses 

LearnSpectrum is proud to partner with several CMMC Licensed Training Providers: Learning Tree, Infosec, and Training Camp, who offer informational based courses on CMMC, as well as the certification preparation courses for CCA and CCP.

Below are three recommended courses. Each has nuances and targeted roles, so click on each course’s link to learn more.

Email me at if you have any questions or would like a quote for any of the courses. 

Once certified, where do you reflect that compliance?

The required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs), if utilized.6

Resources for more information

As mentioned, if you have a question about CMMC 2.0 or would like a quote for any of the courses I cited, please drop me an email at 

You can also follow me on LinkedIn at


Is your organization ready for CMMC 2.0?

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.