Cybersecurity Maturity Model Certification Program

Under the Cybersecurity Maturity Model Certification (CMMC) Program proposed rule, all Department of Defense (DoD) contractors and subcontractors who handle federal contract information (FCI) and Controlled Unclassified Information (CUI) will be required to maintain cybersecurity protections of their systems.

The CMMC will create three levels of compliance, depending on the level of security necessary for which the contractor has access. Level 1 has 15 requirements focused on logging access to potential FCI. Level 2 will be the minimum requirements for contractors handling CUI and adds 110 requirements, with variations for each impacted business. Level 3 addresses an additional 24 requirements.

  • Advocacy requests clear and concise guidance for small business contractors and subcontractors to create enclaves to lessen the burden of compliance.
  • Advocacy seeks clarity on the role of C3PAOs and the ability of C3PAOs to meet the demand for CMMC.
  • Advocacy asks the DoD to provide clarification regarding enforcement guidelines/mechanisms.
  • Advocacy highlights the need for the DoD to create rules that encourage and improve small business participation in contracting programs.

For more information, please contact Assistant Chief Counsel David Mullis at, or call (202) 830-2292.


Comment Letter – Cybersecurity Maturity Model Certification Program (PDF, 198 KB)