GSA Blog

Get to Know the Cybersecurity Maturity Model Certification

By Lawrence Hale, Acting Assistant Commissioner, Office of Information Technology Category, FAS
Post filed in: FAS

Cybersecurity is of the utmost importance, particularly for contractors engaged with the U.S. government. The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard designed to ensure contractors have adequate cybersecurity practices and processes in place.

CMMC certification is a mandatory requirement for Department of War (DoW) contracting opportunities. GSA contract holders must meet the applicable CMMC level when pursuing or submitting proposals for DoW-related requirements.

Agencies rely on GSA’s expertise in IT acquisitions and the federal government’s collective buying power to ensure that products added to their IT environments meet security and risk management expectations and do not compromise network security. To that end, contractors should prepare for and become familiar with the CMMC level requirements. 

What is CMMC?

The CMMC program is a critical framework developed by DoW to protect sensitive information within the Defense Industrial Base (DIB). As a GSA contractor, understanding CMMC and its potential impact on your contracts is essential. The program has undergone revisions, and the latest version focuses on a tiered approach with varying levels of cybersecurity maturity. CMMC Phase 1 Implementation began on November 10, 2025, and focuses primarily on CMMC Level 1 and Level 2 self-assessments.

Here’s a brief overview of the CMMC Levels:

  • Level 1 (Self-Assessment): Focuses on basic safeguarding of Federal Contract Information (FCI).
  • Level 2 (Self-Assessment or C3PAO Assessment): Involves intermediate cybersecurity practices aligned with NIST SP 800-171, required for handling Controlled Unclassified Information (CUI).
  • Level 3 (DIB Cybersecurity Assessment Center [DIBCAC] Assessment): Requires advanced cybersecurity practices based on NIST SP 800-172, designed to counter advanced persistent threats.

Key Takeaways for GSA Contract Vehicle Holders

  • Awareness is Key: CMMC is a constantly evolving area. Contractors should stay informed about the latest CMMC requirements, guidelines and implementation timelines. The official DoW CMMC website and Federal Register notices are excellent resources.
  • Understand Your Data: Determine the types of FCI and CUI your systems process, store or transmit while executing on your contracts and task orders.
  • Assess Your Cybersecurity Posture: Evaluate your current cybersecurity posture against the relevant NIST Special Publications (e.g., the suite of guidance for Controlled Unclassified Information).
  • Consider the Costs: Factor in the potential costs and resources required to achieve and maintain CMMC compliance if it becomes a task order requirement.

How to Prepare for CMMC

The most effective preparation for CMMC involves conducting a thorough readiness assessment. Organizations should perform a self-assessment of their contractor-owned information system(s), as suggested in the CMMC Program Frequently Asked Questions [PDF], to verify that all necessary cybersecurity measures are fully implemented. 

Compliance requires meeting the requirements of FAR clause 52.204-21 for Federal Contract Information (FCI) or DFARS clause 252.204-7012 for Controlled Unclassified Information (CUI). If the self-assessment reveals any deficiencies, companies must take immediate corrective action to resolve these gaps and fully implement the required security measures before scheduling a formal CMMC assessment.

Please NOTE: The federal government is undertaking the first-ever comprehensive overhaul of the FAR; content related to security requirements may have been relocated to new FAR Part 40.

CMMC is a crucial aspect of maintaining the security of sensitive government information. As a GSA contractor, staying informed, assessing your cybersecurity posture and preparing for potential CMMC requirements are essential steps. By taking proactive measures and using available resources, you can ensure compliance and continue to support the government’s mission effectively.