Defend Your Contracts Now CMMC: DoD Compliance
DoD & DFARS Contracting Compliance - Cybersecurity Maturity Model Certification (CMMC)
In 2020, businesses nationwide experienced widespread disruptions, but cybersecurity in defense contracting could not afford to fall behind. The Department of Defense (DoD) reaffirmed its commitment to advancing the Cybersecurity Maturity Model Certification (CMMC) program, ensuring that compliance with DFARS, NIST 800-171, and proper handling of Controlled Unclassified Information (CUI) remained a top priority. As a result, the first draft of the CMMC framework was released on January 31, 2020, marking a major shift in DoD cybersecurity standards not only for contractors but for DoD researchers and consulting as well.
That said, staying aligned with CMMC and other federal cybersecurity requirements is now essential for maintaining contracting eligibility and protecting sensitive defense information. Consequently, organizations must demonstrate a strong cybersecurity posture to remain competitive and compliant within the Defense Industrial Base (DIB).
Latest Update:
On October 15, 2024, the federal government published the final version of the CMMC. You can view the official release here:
👉 Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program
If your organization needs expert guidance, our cybersecurity consulting team is here to help you navigate every phase of the CMMC process—from gap assessments to policy development and audit preparation.
What is Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification is a required third-party certification for businesses within the Defense Industrial Base (DIB). It measures your cybersecurity posture and determines your eligibility for defense contracting. The Department of Defense (DoD) has made it clear that strong cybersecurity is no longer optional—it’s now a key part of compliance, bid evaluations, and future contract awards.
Since 2016, Giga-Green Technologies has followed the NIST 800 series, and since 2020, we’ve partnered with DoD contractors to secure both physical and cloud-based systems to DFARS requirements and NIST 800-171 standards. Our expert consulting services ensure your organization stays ahead of the evolving CMMC and DFARS requirements.
The updated CMMC framework includes three certification levels, each offering increasing levels of cybersecurity protection. These levels are built around 14 core domains, drawn directly from NIST 800-171. Each domain has its own set of requirements, and a minimum level must be met to achieve CMMC certification. Once certified, the status is valid for three years before a reassessment is needed.
For more details, you can view the official ruling here:
Cybersecurity Maturity Model Certification Program Overview
Certification and Assessment Levels
CMMC Level 1 focuses on protecting Federal Contract Information (FCI). At this level, organizations must follow 15 basic cybersecurity practices. These are relatively straightforward and designed to help small businesses get started with cybersecurity.
CMMC Level 2 is the next step. It covers the protection of Controlled Unclassified Information (CUI). To meet this level, your organization needs to follow 110 practices based on the NIST 800-171 framework. This level is more detailed and requires stronger security controls.
CMMC Level 3 is the most advanced. It applies to contracts involving sensitive or critical national security information. In addition to the 110 practices from Level 2, it includes 24 extra controls from NIST 800-172, for a total of 134. This level is intended for companies working on high-priority defense programs.

How to prepare for a CMMC Certification or Assessment
As consultants, one of the first questions we hear from defense contractors is “Where do we start?” The answer begins with a proven process—one that follows the guidelines outlined in the NIST 800-Series.
Our consulting approach aligns with best practices recognized by the Department of Defense (DoD) and supports full compliance with CMMC, DFARS, and other federal cybersecurity requirements. Whether you’re preparing for Cybersecurity Maturity Model Certification or need help strengthening your security posture, our step-by-step consulting method ensures you’re on the right path.
Below is a high-level overview of the key steps, along with the corresponding NIST publications that guide each phase during consulting.

Why Giga-Green Technologies
Feeling overwhelmed? You’re not alone. Many of our clients initially say the same—it all seems like too much. That’s because CMMC compliance reaches beyond IT systems. It involves the entire organization, from leadership to front-line employees. Achieving Cybersecurity Maturity Model Certification takes more than technology—it requires full leadership support, clear policies, and active employee participation.
At Giga-Green, we help simplify the process. Your path to DoD cybersecurity compliance begins with a partner who understands the challenges of defense contracting, DFARS, and handling Controlled Unclassified Information (CUI).
We tailor our cybersecurity consulting solutions to meet your unique needs, ensuring your systems align with NIST 800-171 standards and all CMMC requirements. Whether you’re storing CUI, identifying Federal Contract Information (FCI), or defining your scope, we ensure your data is always controlled and stored within boundaries that meet compliance—owned and managed by your organization, not hosted in our facilities.
Our priority is keeping your compliance boundaries as lean and secure as possible. We don’t offer one-size-fits-all technology or shared-hosting options. Instead, we empower your team with the knowledge and tools needed to build a resilient, audit-ready environment.
Ready to dive deeper?
Explore the steps to identify FCI/CUI, define scope, assess your systems, and document your controls. Visit our full CMMC preparation guide here:
👉 The Process – Giga-Green Technologies Inc.
NIST 800-171/CMMC Assessment Domains
The assessment domains for NIST 800-171 and CMMC remain consistent and apply to all in-scope systems within your DoD cybersecurity environment. These 14 critical domains cover every aspect of organizational and technical compliance for defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI):
Level 1 Domains - Federal Contract Information (FCI)
Access Controls (AC): Restricting user access to sensitive information systems
Identification & Authentication (IA): Verifying user identities and enforcing multifactor authentication
Media Protection (MP): Safely handling, transferring, and disposing of CUI and FCI data
Physical Protection (PE): Controlling physical access to facilities and resources
Systems and Communications Protection (SC): Defining secure system boundaries and monitoring network use
System and Information Integrity (SI): Ensuring system updates, detecting threats, and protecting communications
Level 2 Domains - Controlled Unclassified Information (CUI)
Includes extended requirements for Level 1 Domains and adds 8 more areas of compliance:
Audit & Accountability (AU): Tracking user actions for accountability and forensic analysis
Awareness and Training (AT): Educating your workforce on cybersecurity best practices
Configuration Management (CM): Properly configuring and managing system settings
Incident Response (IR): Preparing for cybersecurity incidents with breach response and business continuity plans
Maintenance (MA): Conducting routine maintenance and timely software updates
Personnel Security (PS): Vetting personnel and preventing insider threats to protect sensitive data
Risk Management (RM): Identifying risks and applying mitigation strategies
Security Assessment (CA): Continuously evaluating and improving your cybersecurity posture
These domains are foundational for meeting DoD contracting requirements under DFARS and achieving full Cybersecurity Maturity Model Certification. Our expert consulting services help you address each domain effectively to secure your organization’s data and stay audit-ready.
Cybersecurity Maturity Model Certification Self-Assessments
Not sure where to start your DoD cybersecurity journey? Try one of our Cybersecurity Maturity Model Certification self-assessments below to evaluate your current cybersecurity posture and identify areas for improvement.
After entering your email, you’ll be redirected to a secure Microsoft Form.
Please note, these self-assessments are informal tools designed to help you understand your readiness for CMMC compliance and DFARS requirements. They are not official CMMC Self-Assessments for Level 1 or Level 2, but a practical first step in strengthening your defense contracting cybersecurity.
Level 1 Self-Assessment
Level 2 Self-Assessment
Talk to an Expert
Do you have questions, or are you curious about the different solutions and services Giga-Green provides?
Our Address:
Tucson/Phoenix, Arizona, USA
Minneapolis/St. Paul, Minnesota, USA
Fargo, North Dakota, USA
Our Mailbox:
info@giga-green.com
Our Phone:
(701) 630-7188
CMMC Resources
Cybersecurity Maturity Model Certification Program Final Rule Published > U.S. Department of Defense > Release – Notification of final ruling
DoD Mandatory Controlled Unclassified Information (CUI) Training – Free CUI training
Standard Form 901 (11-2018) cover sheet – CUI Coversheet
DoDI 1035.01, “Telework and Remote Work,” January 8, 2024 – DoD CUI telework policy
CMMC Resources & Documentation – CMMC Assessment and Scoping Guides