
Cybersecurity Maturity Model Certification (CMMC)

ATTENTION SUPPLIERS TO THE DoD:

In the near future, suppliers to the Department of Defense will be required to seek CMMC.


The CMMC is the accreditation body that certifies third-party assessment organizations, referred to as C3PAOs. These organizations will facilitate the assessments.

This set of requirements has been developed to standardize and protect Federal Contract Information (FCI) as well as Controlled Classified Information (CCI) developed, maintained or supported by the Defense Industrial Database (DIB). It is anticipated that RFPs by the DoD will include a specific CMMC level as a prerequisite to any new contract awards.

Effective January 2026, all new DoD contracts may contain the CMMC requirement.

The framework has three elements:

  • Tiered Model: CMMC requires that entrusted companies implement security standards at progressively advanced levels, depending on the type and sensitivity of the information. This also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, DoD contractors that handle sensitive information will be required to achieve a particular CMMC level as a condition of contract award.

There are three Levels of Security Practices. Each Level will include a specific number of Practices.

  1. CMMC Level 1 – Foundational: This is considered the Basic Safeguarding of Federal Contract Information (FCI). Level 1 focuses on basic cyber hygiene practices specified in 48 CFR 52.204-21. There are 17 practices from six domains at this level. Annual self-assessment is required.
  2. CMMC Level 2 – Advanced: This level requires that an organization establish and document practices and policies. Level 2 focuses on the protection of Controlled Unclassified Information (CUI). There are 110 practices included at this level, derived from NIST SP 800-171. DoD contractors that handle sensitive information will be required to have triennial third-party assessments for critical national security information or annual self-assessment for select programs.
  3. CMMC Level 3 – Expert: This level requires that an organization establish and document practices and policies. This level includes all the Level 2 practices and additional controls selected from NIST SP 800-172. The framework and assessment criteria document are under preparation. This level requires triennial government-led assessments.

Perry Johnson Consulting has Information/Cyber Security Consultants to assist in meeting the criteria and preparing an organization for certification.

Following are the suggested implementation steps:

  1. Select a reputable consultancy partner like PJC to guide your certification project
  2. Perform gap assessment against the intended security level
  3. Awareness training of CMMC
  4. IT asset inventory and classification of assets
  5. Define the asset category in the Asset list and the network diagram
  6. Prepare documentation (Policies, Procedures, WI, Plans, etc.)
  7. Perform risk assessment/evaluation/risk treatment
  8. Selection of practices for identified risks
  9. Prepare a system security plan and define asset category
  10. Implementation of all controls to the intended level of certification
  11. Implement measurements and monitoring
  12. Analysis and evaluation of monitoring and measurement results
  13. Train internal auditors
  14. Perform internal audits and capture levels of practices
  15. Report levels to top management and review for changes
  16. Selection of third-party assessment organizations approved by CMMC AB (Accreditation Body)
  17. Pre-assessment
  18. Corrective action
  19. Assessment by the selected third-party assessment organization
  20. Corrective action for the identified deficiencies, if any
  21. Certification

Allowance of POAMs and Waivers

Contracting officers can use normal contractual remedies to address a DIB contractor’s failure to meet its cybersecurity requirements after a defined timeline.

POAMs may be allowed for certain non-critical controls.

Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk.

PJC will post updates as they are received.

For more information on CMMC or other Information Security Standards such as the ISO 27000 series, contact PJC.

Copyright © 2025 PERRY JOHNSON CONSULTING, INC. (PJC) • All rights reserved.