NIST Cybersecurity Framework: What You Need to Know to Achieve CMMC Compliance

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) framework is the DoD’s new process for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This information resides inside the operating environment of contractors and subcontractors. CMMC requires contractors to establish and mature their cybersecurity posture with 17 controls for Maturity Level (ML) 1, and 110 controls for ML2. These controls are derived directly from the previous NIST cybersecurity framework, NIST 800-171. ML3 will require all 110 controls from NIST 800-171 and additional controls. The Cyber – Accreditation Body (AB), however, is still in the process of determining what these controls will be.

Who will need to be certified?

Any organization that handles FCI or CUI will need to be certified in the appropriate CMMC maturity level. All contracts that include FCI will require at least CMMC ML1. All contracts that include CUI will require at least CMMC ML2. These requirements fall on both prime contractors and subcontractors.

There is currently a voluntary assessment period expected to commence in the fall of 2022. The DoD will be adding CMMC requirements onto some of the new contracts released in this voluntary assessment period of 3 years. Only the organizations that are certified will be eligible for these contracts.

What is FCI/CUI?

FAR 52.204-21 defines FCI as “information not intended for public release, provided by or generated for the government, under a contract, to develop or deliver a product or service to the government.” This can be any information that includes specifications about a product or service being provided to the government, such as purchase orders or product requirements.

CUI is any sensitive information that has been marked with the appropriate CUI markings by the government. CUI can fall in any of these 20 categories:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • North Atlantic Treaty Organization (NATO)
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax
  • Transportation information

How do I become CMMC certified?

As of July 2022, The Cyber-AB has not yet started processing CMMC assessments. These assessments are planned to start within the next 9-24 months. Once an organization has decided the appropriate CMMC maturity level certification to pursue, they can work toward NIST cybersecurity framework compliance.

Once an organization believes they meet the requirements for CMMC compliance, their environment will be assessed. CMMC ML1 is a self-assessment, and ML2 requires an assessment from a CMMC Third- Party Assessment Organization (C3PAO). When an organization has passed the assessment, it will be awarded a CMMC certificate by The Cyber-AB.

Although not required, it is recommended to first seek out a gap analysis from a CMMC Registered Provider Organization (RPO) or C3PAO before being assessed by a C3PAO for the CMMC certification. By hiring an RPO or C3PAO to perform a gap analysis (and/or remediation), you can assess your environment against the NIST cybersecurity framework before the real assessment. This up-front investment helps organizations avoid the cost of failing and reassessing.

*Note: The Department of Defense is not currently accepting Plans of Action and Milestones (POA&M) for practices that are not met. This means all the required NIST practices must be implemented and maintained before receiving a CMMC Certification.

What are the Domains for CMMC?

There are currently 14 domains in CMMC ML2, which were taken directly from the previous NIST cybersecurity framework NIST 800-171. These domains are:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protections (SC)
  • System and Information Integrity (SI)

These 14 domains hold all 110 practices that are required to be CMMC ML2 certified.

What is the risk of not achieving CMMC compliance?

All government contracts that contain FCI or CUI will require CMMC compliance by 2025. While an organization can still bid on contracts without a CMMC certification, they must hold one at the time of contract award, or they will not be eligible for the contract. Because of the low amount of C3PAO’s currently in the CMMC ecosystem, it is strongly suggested to start the CMMC process before bidding on contracts that require it. There is no guarantee that an organization will be able to hire an assessor before the contract is awarded.

How do I stay up to date with the latest information on CMMC?

The Cyber-AB is the accredited body that maintains the CMMC ecosystem. They host monthly town hall meetings that can be found here- June 2022 Town Hall – CyberAB. The Cyber-AB is also constantly posting news and updates on CMMC here- CMMC In The News | CMMC-AB (

How can Alluvionic help with mapping the NIST 800-171 framework and earning the CMMC Certification?

As a CMMC RPO, Alluvionic can conduct a gap analysis, and ensure the FCI/CUI environment is properly scoped to provide the right level of support at any time. After shining a light on an organization’s gaps, Alluvionic’s experts can lead the remediation effort. This service minimizes business disruption and accelerates CMMC compliance.

CMMC is Coming. Are You Ready?


Learn more about what you need to know to achieve CMMC compliance by downloading our whitepaper.

About Alluvionic

Founded in 2013, Alluvionic provides Project Assurance® through project management, process improvement, product development, and cybersecurity solutions with locations in Melbourne, FL, Washington D.C., and Charleston, SC (coming soon). Alluvionic holds several certifications including SBA 8(a) certified, ISO 9001:2015 certified, Cyber-AB Registered Provider Organization (RPO), CMMI® Institute Partner, DCAA Compliant Accounting System, PMI Authorized Training Partner, GSA Contract Holder, GSA 8(a) STARS III Contract Holder and more. In 2021, Alluvionic was awarded the recognition of Orlando Business Journals’ “Best Places to Work”. Learn more about Alluvionic at

Acronyms and Definitions

The Cyber-AB: The accreditation body that was designated by the DoD to run the CMMC environment. CMMC: Cybersecurity Maturity Model Certification

ML: Maturity level

CUI: Controlled Unclassified Information

FCI: Federal Contract Information

C3PAO: CMMC Third-Party Assessor Organization RPO: Registered Provider Organization

RP: Registered Practitioner

POA&M: Plan of Action and Milestones

Articles & News

Contact Us

Fill out the form below to access our CMMC Whitepapers


Fill out the form below to access our checklist that will ensure your project's success!