Compliance · Defense Contractors
Understanding CMMC — What It Means for Your Business
If your company does any work for the Department of Defense, a cybersecurity requirement called CMMC now affects your ability to win and keep that work. Soon you won't just promise you're secure — you'll have to prove it through an independent assessment before the contract is awarded.
Why This Matters
Proving You're Secure — Not Just Promising It
CMMC — the Cybersecurity Maturity Model Certification — is the DoD's way of confirming that the companies it works with actually protect sensitive government information. The rule is now in effect and phases in over time. For many contracts, an independent certification will be required before you can be awarded the work.
Circle November 10, 2026
That's the point at which most contracts involving controlled information will require third-party certification before award. Because earning that certification commonly takes 12 to 18 months, the time to start is now.
What's Happening
The Timeline, in Plain Terms
The rule is live and rolling out in phases. Here are the dates that matter most.
The rule took effect: November 10, 2025
The DFARS acquisition rule is now live, phasing in over three years. Contracts that involve CUI began requiring a Level 2 self-assessment.
Third-party certification kicks in: November 10, 2026
The date to circle. Most contracts involving controlled information will require an independent, accredited assessment before the work can be awarded.
Typical time to certify
Earning certification commonly takes a year or more — assessment, documentation, and remediation all take time. The time to start is now, not next year.
The Three Levels
Which One Applies to You?
It usually comes down to one question: do you handle Controlled Unclassified Information?
Level 1
You handle basic Federal Contract Information (FCI).
How you prove it
You assess yourself once a year.
Level 2
Most common
You handle Controlled Unclassified Information (CUI). Most contractors are here.
How you prove it
An independent, accredited assessor (a C3PAO) certifies you.
Level 3
You handle the most sensitive information and face advanced threats.
How you prove it
The government assesses you directly (DIBCAC).
Not sure which applies to you? That's exactly the kind of question we help answer. Ask our team.
Your Next Steps
What You Should Do Now
Five practical moves, in order. The earlier you start, the smoother — and cheaper — this gets.
Find out if you're affected
Check your DoD contracts and ask your prime contractors whether CMMC requirements are coming. If you handle CUI, assume Level 2.
Get a gap assessment
Before you can certify, you need to know where you stand against the 110 security controls Level 2 requires. This is the single most useful first step.
Build your plan and paperwork
Certification requires a documented security plan (an SSP) and a remediation plan (a POA&M) for anything not yet in place.
Start early — assessor capacity is limited
There are only so many accredited assessors, and the line is growing. Companies that wait face higher costs and a real risk of missing contract deadlines.
Confirm your IT can handle CUI
Standard commercial email and tools often aren't enough for CUI — you may need a specialized, government-grade environment. We can advise on this.
Buyer Beware
What to Watch Out For
A few red flags that separate a legitimate CMMC partner from a shortcut that will cost you later.
One vendor can't both fix and certify you
If a vendor offers to remediate your gaps and certify you, walk away. That's a conflict of interest the rules prohibit — readiness help and the certification assessment must come from separate organizations.
SOC 2 is not the same as CMMC
If someone claims your existing certifications (like SOC 2) automatically make you CMMC-ready, be skeptical. They help, but they are not the same thing.
There's no certify-in-a-week
If you're told you can get certified in a few weeks, be cautious. Done properly, this is a months-long effort.
How KeyStone Helps
Get Ready, and Stay Ready
We assess where you stand today, build the security plan and documentation the assessment requires, put the right protections in place, and manage them over time so you stay compliant after you're certified. Wherever your sensitive data needs a more secure home, we'll help you design and run it.
- Gap assessment against the 110 Level 2 controls
- System Security Plan (SSP) and POA&M development
- Remediation and ongoing managed compliance
- Government-grade environments for handling CUI
A clean separation
We work alongside an independent assessor for the certification itself — keeping that separation clean is part of doing this correctly, and it's what the rules require. KeyStone gets you ready; an accredited C3PAO certifies you.
The CMMC Client Advisory
A clean, two-page summary of what CMMC means, the three levels, the deadline, and the steps to take. Share it with your leadership team.
FAQs
Frequently Asked Questions
Does CMMC apply to my business?
What's the deadline I need to know?
Which CMMC level do I need?
How long does certification take?
Doesn't my SOC 2 certification make me CMMC-ready?
Can one company fix my gaps and also certify me?
What documentation does CMMC require?
How does KeyStone help with CMMC?
Based on the DoD CMMC program (DFARS rule effective Nov 10, 2025; Level 2 third-party certification phasing in Nov 10, 2026). Source: dodcio.defense.gov/CMMC. This guide is general information, not legal or compliance advice — your specific path depends on your contracts and the data you handle.
Get Started Today
Curious What Better IT Looks Like?
A free, honest conversation about what's working, what's not, and whether we're the right partner for your business. No pressure, no sales pitch — just straight talk.