DoD Contractors

(Organizations Seeking Certification - OSC)


There are more than 300,000 vendors in the supply chain to the DoD, each of which will require assessment. 

Organizations Seeking Certification include:

  • Prime Contractors

  • Subcontractors

  • In short, every organization that sells or services the Department of Defense 

The theft of intellectual property and sensitive information undermines our nation's defense posture and economy.  Global costs last year are estimated at $600 billion, with an average cost per American of $4,000. 

It is time for action.
  • Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels.  The highest levels are reserved for organizations exposed to the most sensitive information.
  • The implementation rollout will begin 1 September 2020, and take up to 5 years.
  • If a contract requires CMMC certification it will be listed in the Request For Proposal (RFP) Sections C and L.
  • The CMMC-AB will provide the standard for applying the model and certify trainers who will train assessors.
  • The CMMC-AB will provide an online marketplace where organizations can find an available, qualified C3PAO.
  • A certification will last 3 years, provided there are no incidents or other triggers inducing a second look at an organization.

Obtaining a CMMC Certification

What we don't know...   

We don't yet have the thresholds for validating compliance.  We are building the CMMC standard now that the model has been released.

Training for assessors depends upon the CMMC standard, it has not yet been created.

Since the accreditation of C3PAOs and assessors depends on accrediting training, be wary of experts who claim they can guarantee compliance.  They can not.  Instead focus, on DFARS/NIST 800-171 compliance.  It is the law (since 31 December 2017).  Non-compliance can put your business with the government at risk. 

We do not yet have a timeline.   We are working on the many moving parts.


But wait. We are just getting started. 

Come back here often for detail and sign up below for alerts and emails. 

There is much to come, we will provide information as we build it.


Contractor (Organizations Seeking Certification)

For information about the CMMC-AB program delivered right to your inbox, subscribe below.  Your contact details may be shared with C3PAO's, once they become certified, as your license is expected to be required to be associated with a C3PAO.

Board Ethics

Site Improvements?
CMMC (Cybersecurity Maturity Model Certification) Accreditation Body