(Cybersecurity Maturity Model Certification)

CMMC 2.0 Compliance for Contractors & Subcontractors

Five 9s Consulting contracts several Register Proctionars (RP) that have been certified by the CMMC Accreditation Body (CMMC-AB).

With the complexities around Cybersecurity Maturity Model Certification 2.0 (CMMC), DFARS, and the Interim Rule, Five 9s Consulting can serve as your CMMC advisor to assist your company in its CMMC journey.

The CMMC 2.0

The DoD announced in late 2021 that CMMC version 1.0 is now updated to CMMC 2.0.  The update to CMMC 2.0 been simplified the requirements to three levels of certification from its previous five levels.

  • Level 1 “Foundational’’ remains unchanged
  • Level 2 “Advanced” has been simplified to align with the 110 practices of NIST 800-171A
  • Level 3 ‘’Expert’’ with additional specifics on the number of practices yet to be defined by the DoD

CMMC Timeline

  • January 2020 CMMC 1.0 Released
  • November 2020 DFARS Rule Change…Interim Final Rule Effective
  • November 2021 CMMC 2.0 Announced
  • September 2022 Earliest CMMC 2.0 Becomes Law
  • December 2023 Latest CMMC 2.0 Becomes Law

Between September 2022 & December 2023, all DoD contractors will need to meet CMMC requirements

Steps you need to take now to meet the CMMC requirements

  1. Training – The first step to any successful implementation is to train your team member on what to expect. Training should be your first agenda item.  You will save your company a lot of time and money in implementing the CMMC if you do this simple step first.
  2. Retain an experienced Consulting firm that has been working with the CMMC-AB on its certifications. One that has experience with the CMMC since its beginning, and above all, one that will be by your side for the long term.  The CMMC is not a quick assessment and will be reassessed every three years.  Above all, we know the DoD will change the CMMC requirements.  A good Consulting firm can keep you up to date on all the changes so you don’t lose your assessment, i.e., lose business.   
  3. Do not procrastinate – Five 9s has been helping clients get ready for their assessment since 2019, and we have found it will take a company about 9 to 12 months to prepare for the assessment.  The time to start is now.  This is not a sales pitch this is sound advice from the CMMC trenches.    

We can help you prepare for the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) Assessment.

“Our CMMC Journey”

In 2019 we were asked to present at the Missouri Congresswoman Vicky Hartzler Procurement Conference in a breakout session on Cybersecurity and discuss at the time the new Cybersecurity Maturity Model Certification (CMMC). We accepted and presented to the attendees that included members of the Military and Defense Industry. Since that time, we have put on a CMMC workshop and now several Zoom meetings on the subject. We are also helping new clients in the Defense Industry get ready for their Assessment and now the System Security Plan Scoring (SSP).


“I was very impressed with the seminar and how engaged it seemed the attendees were to the information you were presenting. You did a great job of turning something that can be EXTREMELY DRY and managed to keep things lively.

We would be happy to attend other seminars in the future.”

Sean Canevaro, CEO KISC www.kiscc.com

“It was a pleasure speaking with you as well.  Thank you for the information regarding the CMMC, and how it does or does not apply to our company.  I kept reading blizzard of information being issued by the DOD, NIST, and the Federal Registers but did not pick up on the details regarding the off-the-shelf items.  So I really appreciate your taking the time out of your schedule for a non-paying call.  It was truly appreciated.  I have the information saved on the computer regarding the CMMC requirements.  Should we have to do something, we will definitely get in touch with you or send you others who may have been just as confused as I was.” 

Deborah J. Brandt., Brandt Instruments, Inc. www.brandtinst.com

CMMC - Consulting Services:

  1. SSP (System Security Plan and Scoring) DOD requires an SSP with scoring to be on file during this transition time to CMMC requirements.
    1. We will introduce the System Security Plan with scoring
    2. We will engage with your I.T. department and start filling out the plan.
    3. Once we have completed the System Security Plan (SSP), you should be able to identify the gaps in your CMMC and NIST 800-171 requirements you need to address.
    4. POA&M (Plan of Action and Milestones)
      1. Using the identified gaps from the SSP, make a plan with timelines on how and when you will have all gaps completed.
      2. This is your POA&M (Plan of Action and Milestones)
      3. Once the SSP, POA&M, and Score are completed, the assessment results will be stored in the DISA system (SPRS) https://www.sprs.csd.disa.mil.
  2. CMMC Consulting: We will walk you through the process of getting your company ready for a CMMC assessment. Notice I said the company, not the I.T. department.  The CMMC will affect more than just your I.T. Department.
    1. Assist in understanding the rollout of the CMMC over the next few years
    2. Kick-off training for your company, so the project gets off to a great start
    3. We will walk your COMPANY through CMMC policies and practices.
  3. Pre Assessment Readiness Review – The lead assessor at the beginning of the negotiations will ask your company to produce two forms of Objective Evidence needed to demonstrate sufficient adoption of necessary Practices and Processes for the CMMC level your company is seeking along with what is in scope and what is not in scope etc.
    1. Assist in collecting the two forms of Objective evidence for each practice and procedure
    2. Assist with obtaining C3PAO for the assessment
    3. Assist with identifying Assessment scope
  4. Awareness &Training  (DOMAIN): We believe the first item on any project list is informing the team members on what the company is doing and how the team members fit into the project. To that end, we built a program that will train the employees on the CMMC project and work on satisfying the CMMC Awareness & Training domain.  Yes, a two for one.
    1. Please go to the Five 9s Consulting Awareness and Training web page. https://www.five9sconsulting.com/cmmc-awareness-and-training-at/

If you have any question, please contact us at:




Online Calendar

CMMC.GOV links and updates:

We can Assist your company with CMMC.