CMMC, plainly

If you've been told you need "CMMC" to keep a defense contract and you're not sure what that means, here's the short version, without the jargon.

What it is

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's way of verifying that the companies in its supply chain protect the government information they handle. To win or keep a contract that involves that information, you have to demonstrate you meet the required level of cybersecurity. The DoD lays out the full program on its official CMMC page.

The three levels

There are exactly three levels. (An older five-level model was retired in 2021, and the higher levels are gone.)

The deadline

The DoD is phasing CMMC requirements into contracts, with third-party Level 2 assessments beginning to appear in awards from November 10, 2026. The requirement arrives on contract timelines, not yours, which is why starting early matters.

What it means for your business

Most of the work is documentation: describing, in standardized language, how you already handle security basics, and writing a clear plan for anything you don't handle yet. That's exactly what we do for you. We assess each requirement against your environment and produce your SSP (System Security Plan), POA&M (Plan of Action and Milestones), and policies, with remediation steps for every gap. A CMMC expert checks every requirement.

Common questions

Do you certify or assess my company?

No. We prepare your documentation and help you get ready. Certification for Level 2 is done only by an independent assessor, and the rules keep those roles separate.

Which level do I need?

It depends on the information your contracts involve: FCI (Federal Contract Information) points to Level 1, CUI (Controlled Unclassified Information) points to Level 2. We'll help you figure that out on a call.

Can you guarantee I'll pass?

No. Passing depends on your actual environment and, for Level 2, an independent assessor. We make your documentation accurate, complete, and ready.
