Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification, or CMMC, is a standard for implementation of cybersecurity designed to provide increased assurance to the Department of Defense (DoD) that a Defense Industrial Base (DIB) contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

CMMC Level 1: Self-attestation rather than third-party certification

CMMC Level 2: Expected to require C3PAO certification (awaiting the final rulemaking process)

CMMC Level 3: If and when it is released, it is anticipated to require C3PAOs to conduct the Level 2 assessment and DIBCAC to conduct the Level 3 assessment; DoD and CMMC-AB directives are still awaited

Description of the standard/regulation

What is CMMC?

Cybersecurity Maturity Model Certification, or CMMC, is a standard for implementing cybersecurity across the defense industrial base. 


Who is CMMC for?

CMMC was created for Defense Industrial Base (DIB) contractors to protect CUI.


What are the levels of CMMC?

The CMMC has three levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats.

  • CMMC Level 1, Fundamental: 17 practices, with an annual self-assessment
  • CMMC Level 2, Advanced: 110 practices aligned with NIST SP 800-171, with triennial third-party assessments for critical national security information and annual self-assessments for select programs
  • CMMC Level 3, Expert: 110+ practices based on NIST SP 800-172, with triennial government-led assessments

How does CMMC certification work?

Once your management system is established, you can start the process of getting it certified with DQS. We will work with you to discuss the goals of CMMC certification and provide a detailed quote tailored to the needs of your company.

Project planning begins with scheduling mutually agreed-upon dates for your initial assessment(s) and coordinating multiple sites, if applicable. An optional gap assessment can also be scheduled to help you identify the strengths and points of improvement in your management system in advance.

The certification process itself begins with review and evaluation of system documentation, goals, results of management review and internal audits. The Stage 2 Audit occurs after the successful Stage 1 Audit. The assigned audit team will assess the client’s management system at the place of production or service delivery. Applying defined management system standards and specifications, the audit team will evaluate the effectiveness of all functional areas as well as all management system processes, based upon observations, interviews, review of pertinent documents and records, and other assessment techniques.

The independent certification function of DQS Inc. will evaluate the audit process and its results, and make an independent certification decision about issuance of the certificate. The client receives an assessment report, documenting the assessment results. When all applicable requirements are fulfilled the client also receives the certificate.


What does CMMC certification cost?

The cost of certification to CMMC depends on many factors, such as the size and complexity of your organization. Therefore, each quote is customized based on information about the company applying for certification.


Why certify to CMMC with DQS?

In preparation for the CMMC certification rollout, DQS created DQS Cyber Security Inc. (DQS CSI), a wholly-owned subsidiary of DQS Inc., to provide 3rd party management system assessments and cyber security certifications focused on the CMMC market. DQS CSI has applied for C3PAO as a Certification Body Provider and is currently able to provide Gap Assessments for companies preparing for CMMC certification.



We would be happy to provide you with an individual quote for CMMC certification.