
Certified CMMC Consulting and Assessment Services

Certified Consultants to Help Achieve CMMC Compliance.

5 Step Readiness Process for Fast Results.

NIST Compliant Policy Library for Quick Remediation of Risks.

Certified Assessors to Measure and Certify Compliance.

Nov 10, 2025 (Phase 1): Mandatory self-assessments for Level 1 (FCI) and some Level 2 (CUI) contracts.

Nov 10, 2026 (Phase 2): Third-party assessments (C3PAO) required for Level 2 (CUI).

What is CMMC?

The DoD introduced the Cybersecurity Maturity Model Certification (CMMC) in 2020 to ensure that companies protect sensitive information when working on government contracts. The program requires that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement adequate cybersecurity practices to protect the defense industrial base.

Prior to CMMC, DoD contractors were required to self-attest compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171, a set of cybersecurity requirements issued by NIST, a federal agency that sets technical standards to help improve innovation, security, and quality across industries.

CMMC originally introduced a more robust five-level security framework that relied on third-party assessments to verify cybersecurity maturity. However, after industry and stakeholder feedback, the DoD simplified the model to three levels in November 2021, aligning it more closely with NIST SP 800-171 to ease compliance. The resulting CMMC 2.0 is more flexible, particularly for small and medium-sized businesses.

To begin your CMMC Compliance Journey with ThetaPoint CMMC experts, please contact us.

Certified CMMC Consulting Services

ThetaPoint’s Certified CMMC Consulting Services focus on helping your organization ensure it is prepared to address Cybersecurity Maturity Model Certification (CMMC) requirements through a proven 5-step readiness process.

CMMC CCP Services Overview

Readiness Assessment: Using the same assessment methodology as in our Certified CMMC Assessments, ThetaPoint will review and analyze the Organization’s policies and standards currently in place against CMMC 2.0 assessment requirements.

Plan of Action and Milestones (POAM): Establish a Roadmap and Project Plan to address findings from the Readiness Assessment and establish a Mature Cybersecurity Foundation.

Policy and SSP Development: Establish or refine Organizational Policies, Standards, and System Security Plans (SSP) to address POAM findings, leveraging ThetaPoint’s NIST Compliant Policy Library.

Controls Validation: Perform a NIST SP 800-171 based Controls Assessment to ensure Policies and Standards are implemented and adopted within the Organization.

CMMC Advisory: Provide ongoing CMMC Advisory Services for Cybersecurity Initiatives.

As a Registered Provider Organization (RPO), all CMMC Consulting Services are performed by Certified CMMC Professionals (CCP) or Registered Practitioners (RP) who hold advanced certifications such as Certified Information Systems Security Professional (CISSP) or Certified Chief Information Security Officer (CCISO).

Certified CMMC Assessment Services

ThetaPoint’s Certified CMMC Assessment Services focus on clients who have completed all readiness tasks and are ready for Final CMMC Certification. ThetaPoint’s certification process is Accredited by The Cyber AB organization.

CMMC CCA Services Overview

CMMC Assessment: Review and analyze cybersecurity policies and standards currently in place against CMMC 2.0.

Controls Validation: NIST SP 800-171 based Controls Assessment to ensure Policies and Standards are implemented and adopted within the Organization.

Plan of Action and Milestones (POAM): Establish a Roadmap and Project Plan to address findings from the Maturity Assessment and establish a Mature Cybersecurity Foundation.

Client Remediation: Clients are given 90 days to remediate all findings. Once findings are remediated, CMMC Certification is processed.

CMMC Certification: Upon mitigation of the POAM, ThetaPoint’s CCA will issue the organization a CMMC Certificate of Compliance and submit the score to the SPRS.

As a Certified Third Party Assessor Organization (C3PAO)*, all Certified CMMC Assessment Services are performed by Certified CMMC Assessors (CCA) who hold advanced certifications such as Certified Information Systems Security Professional (CISSP) or Certified Chief Information Security Officer (CCISO).

* Application in Process

To begin your CMMC Compliance Journey with ThetaPoint CMMC experts, please contact us.

Frequently Asked Questions (FAQ)

What are the Key CMMC Implementation Phases and Deadlines?

Key CMMC Implementation Phases & Deadlines

Nov 10, 2025 (Phase 1): Mandatory self-assessments for Level 1 (FCI) and some Level 2 (CUI) contracts.

Nov 10, 2026 (Phase 2): Third-party assessments (C3PAO) required for Level 2 (CUI).

Nov 10, 2027 (Phase 3): Requirement added to option periods and existing contracts.

Nov 10, 2028 (Phase 4): Full, universal implementation.

How frequently will assessments be required?

Level 1 self-assessments will be required on an annual basis, and CMMC Level 2 and Level 3 assessments will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the Department’s timeline for phased implementation of CMMC requirements in applicable procurements.

How will my organization know what CMMC level is required for a contract?

Once CMMC is implemented contractually, the Department will specify the required CMMC level in the solicitation and the resulting contract.

What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?

NIST SP 800-171 is the federal safeguarding standard for controlled unclassified information (CUI) required by 32 CFR Part 2002, which the Department implemented contractually through inclusion of DFARS clause 252.204-7012 in applicable contracts. Beginning November 10, 2025, and following the phased implementation plan outlined in 32 CFR 170.3(e), applicable contractors will be required to undergo a Level 2 self-assessment or a CMMC third-party assessment to verify compliance with those NIST SP 800-171 Revision 2 requirements.

The CMMC model uses NIST SP 800-171, Revision 2. Will the Department update the program to use NIST SP 800-171, Revision 3?

Yes, the Department will incorporate Revision 3 with future rulemaking. In the interim, the Department has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the standard against which DIB companies will be assessed until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking. You can find more information on that deviation here: https://www.defense.gov/News/Releases/Release/Article/3763953/department-of-defense-issues-class-deviation-on-cybersecurity-standards-for-cov/.

Can Department contractors implement NIST SP 800-171 Revision 3?

Yes. Companies can implement Revision 3 but must use the Department’s Organization-Defined Parameters (ODPs) defined in the April 2025 memorandum, “Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” found here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf. Because CMMC Assessments will be conducted against Revision 2 until the class deviation memo (Q3 of this section) is withdrawn or otherwise superseded, DIB companies must ensure any identified gaps between Revision 2 and Revision 3 are addressed.

What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 and CMMC?

NIST SP 800-172 provides security requirements designed to address advanced persistent threats and forms the basis for CMMC Level 3 security requirements. Contractors must implement 24 requirements from NIST SP 800-172 in addition to the 110 requirements found in NIST SP 800-171 when the Department identifies CMMC Level 3 as a contract requirement.

How much will it cost to achieve CMMC compliance?

Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of the CMMC compliance cost. However, the cost of achieving CMMC compliance (i.e., self-assessment or certification) depends on various factors, including, but not limited to, the CMMC level required, the complexity of the defense industrial base (DIB) company’s unclassified network, the existing cybersecurity posture of the organization, and market forces of supply and demand.

What resources are available to assist companies in complying with Department cybersecurity requirements?

The DoW CIO DIB Cybersecurity Program has compiled a list of no-cost Cybersecurity-as-a-Service resources to reduce barriers to DIB community compliance and support contract cybersecurity efforts at https://dibnet.dod.mil under DoD DIB Cybersecurity-As-A Service (CSaaS) Services and Support.

The CMMC Accreditation Body, currently the Cyber AB, has a marketplace of certified CMMC assessors, professionals, and registered practitioner organizations that companies can engage now to prepare for CMMC implementation: https://cyberab.org/marketplace.

The Defense Acquisition University offers free online CMMC and cybersecurity training: https://www.dau.edu/cybersecurity/training.

The Defense Acquisition University also offers a drop-down for CMMC web events: https://www.dau.edu/cybersecurity/cyber-solutions (click the drop-down labeled “CMMC Resources from the DoD CIO”).

DoW’s Office of Small Business Programs has compiled a list of resources on their website that are aimed at helping small and medium-sized businesses understand security requirements and reach compliance: https://business.defense.gov/Resources/FAQs/.

What is the difference between FCI and CUI?

Both FCI and CUI are information ‘not intended for public release.’ However, CUI requires additional safeguarding and may also be subject to dissemination controls. FCI is defined in Federal Acquisition Regulation (FAR) clause 52.204-21, and CUI is defined in 32 CFR Part 2002. The Department’s CUI Quick Reference Guide at https://www.dodcui.mil/ includes additional information on the marking and handling of CUI. CMMC makes no changes to CUI definitions or safeguarding requirements.

To begin your CMMC Compliance Journey with ThetaPoint CMMC experts, please contact us.