Cybersecurity Consultant Wants You to Know About CMMC


Our cybersecurity consultants are working closely with Department of Defense contractors to bring them into compliance with the Cybersecurity Maturity Model Certification (CMMC). We understand how important it is to navigate this set of requirements successfully so you can keep bidding on contracts. To help, we asked our CMMC Registered Practitioner, Greg Smith, to put together an overview covering what contractors need to know about CMMC. Let's dive in, starting with a quick FAQ.

10 CMMC Questions Answered by a Cybersecurity Consultant

1. What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) creates a standard cybersecurity baseline for all contractors, subcontractors and other entities working with the Department of Defense (DoD). Meeting CMMC requirements protects the sensitive data contractors and subcontractors handle while working with the DoD.

2. Why did the Department of Defense introduce CMMC?

Breaches of sensitive defense information held by contractors prompted the DoD to create CMMC.

3. Who needs to comply?

Eventually, every contractor working with the DoD will need to be CMMC certified.

4. Can I self-certify?

No. Unlike the self-attestation model that applied to NIST SP 800-171, you cannot self-certify under CMMC. Compliance is proven by a certification issued by an accredited CMMC Third-Party Assessment Organization (C3PAO).

5. What happens to contractors who don’t comply?

Noncompliant contractors won’t be able to bid on Department of Defense contracts.

6. Will this change my cybersecurity services?

You’ll need to talk to a cybersecurity consultant about your specific situation, but you will probably need to add IT security services to bring your organization into compliance. When possible, look for solutions that knock out multiple requirements at once, like endpoint security threat protection.


7. How will CMMC affect my employees?

Your IT team may need to change processes and procedures. Outside of the tech team, most changes will not have a direct impact on employees, with a few minor exceptions such as multifactor authentication. Your team will also need to set aside time for cybersecurity awareness and anti-phishing training.

Bring up your concerns in a security consultation. Your cybersecurity consultant will help you find ways to minimize any impact without sacrificing security or compliance.

8. When is the deadline for meeting CMMC compliance?

CMMC has a phased rollout. Proof of compliance is already required for some contractors. By September 30, 2025, all organizations working directly or indirectly with the DoD must prove they have passed the third-party assessment.

9. What do I need to do to demonstrate compliance?

There are 5 levels of compliance, and each tier builds on the one below it. Most contractors won't need to reach level 5, but everyone will need to fulfill the level 1 requirements. To do this, you need to demonstrate that you meet 17 practices derived from National Institute of Standards and Technology (NIST) guidance (see below for more information).

10. I’m not a DoD contractor, should I align my IT security services with CMMC?

Yes! The level 1 practices are useful for any company that wants to follow basic cyber hygiene. You can also use them as a guide to what your cybersecurity services provider should be doing for you, at a minimum.

The 17 Domains Every Contractor Should Know, Starting With Level 1 Compliance

Level 1 is the foundation of CMMC. It requires 17 practices, drawn from 6 of the 17 domains listed below, and it is beneficial for any organization looking to establish good cyber hygiene. The remaining domains come into play as you move up the levels.

The 17 domains and how to comply

Below are the 17 CMMC domains, which map to the control families in NIST SP 800-171, and a brief overview of what it takes to comply.

1. Access Control

Know who accesses your systems and what they can access based on their role.

2. Asset Management

Create and maintain an inventory of company devices, including every endpoint, so that your security tooling covers all of them.

3. Audit and Accountability

Log the activity of every user with access to Controlled Unclassified Information (CUI), retain the logs, and review them regularly.
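The Access Control and Audit and Accountability domains above boil down to two questions an assessor will ask: who is allowed to reach CUI, and can you show from your logs who actually did. The following added example (not code from the Nortec post) shows a minimal log review that answers both. The log format, host names, user names, IP ranges and the CUI access roster are all constructed for illustration; a real deployment would read the events from your file server, domain controller or SIEM.

```python
"""Minimal audit-log review for a CUI file share (added example, constructed data)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed roster: accounts authorized to reach the CUI share, with their role.
CUI_ROSTER = {
    "alice": "engineer",
    "bob": "contracts",
    "svc-backup": "service",
}

# Constructed office LAN; successful logons from anywhere else are worth a look.
INTERNAL_NET = ipaddress.ip_network("10.1.4.0/24")

# Constructed sample log. Assumed format:
# <ISO timestamp> <host> <LOGON_OK|LOGON_FAIL> user=<u> src=<ip> resource=<r>
SAMPLE_LOG = """\
2024-05-01T08:02:11 fs01 LOGON_OK user=alice src=10.1.4.20 resource=cui-share
2024-05-01T08:05:42 fs01 LOGON_OK user=bob src=10.1.4.31 resource=cui-share
2024-05-01T08:07:03 fs01 LOGON_FAIL user=mallory src=203.0.113.9 resource=cui-share
2024-05-01T08:07:05 fs01 LOGON_FAIL user=mallory src=203.0.113.9 resource=cui-share
2024-05-01T08:07:06 fs01 LOGON_FAIL user=mallory src=203.0.113.9 resource=cui-share
2024-05-01T08:07:08 fs01 LOGON_FAIL user=mallory src=203.0.113.9 resource=cui-share
2024-05-01T08:07:09 fs01 LOGON_FAIL user=mallory src=203.0.113.9 resource=cui-share
2024-05-01T09:15:27 fs01 LOGON_OK user=carol src=10.1.4.77 resource=cui-share
2024-05-01T22:40:00 fs01 LOGON_OK user=alice src=198.51.100.4 resource=cui-share
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGON_OK|LOGON_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) resource=(?P<resource>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Unparseable lines are returned, not silently dropped,
    because a gap in the audit trail is itself a finding."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events, malformed


def review(events, roster=CUI_ROSTER, fail_threshold=5, business_hours=(7, 19)):
    """Return (finding_type, user, source) tuples for a reviewer to act on."""
    findings = []
    failures = Counter()
    for e in events:
        if e["resource"] != "cui-share":
            continue
        if e["event"] == "LOGON_OK":
            # Access control: successful logon by an account not on the roster.
            if e["user"] not in roster:
                findings.append(("unauthorized_access", e["user"], e["src"]))
            # Accountability: authorized accounts used at odd hours or from outside.
            if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
                findings.append(("off_hours_access", e["user"], e["src"]))
            if ipaddress.ip_address(e["src"]) not in INTERNAL_NET:
                findings.append(("external_source", e["user"], e["src"]))
        else:
            failures[(e["user"], e["src"])] += 1
    # Repeated failures from one (user, source) pair look like password guessing.
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(("brute_force", user, src))
    return findings


if __name__ == "__main__":
    evts, bad = parse_log(SAMPLE_LOG)
    for finding in review(evts):
        print(finding)
    if bad:
        print("unparseable lines:", bad)
```

Run against the constructed log, the review flags carol (a successful logon by an account that is not on the roster), alice's late-night logon from an external address, and five failed attempts by mallory. The point for an assessment is not the specific rules but that the roster, the logs and the review are all artifacts you can produce on request.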


4. Awareness and Training

Employees regularly receive security awareness training.

5. Configuration Management

Secure configuration baselines are defined and applied across your systems and devices, and changes to them are controlled and recorded.

6. Identification and Authentication

Users and devices are identified and authenticated before they get on your network, and role- and identity-based controls limit what they can reach.

7. Incident Response

An incident response plan is in place: events are detected and reported, you are prepared to respond, and a review is conducted after each incident to measure how well your preparations worked.

8. Maintenance

Maintenance best practices, like patching, are followed to ensure your system remains operational.

9. Media Protection

All media holding CUI is identified and marked, and sanitization and transport protection procedures are in place.

10. Personnel Security

Employees undergo background checks and proper screening. When people leave or are transferred, steps are taken to protect CUI.

11. Physical Protection

Assets are protected through physical security controls, such as restricting access to your server room. Find a firm that does security consultations to determine whether you need additional safeguards.

12. Recovery

Backups are maintained and logged so you can recover data lost to a cyberattack, natural disaster or any other outage-causing event, and restores are tested so you know the backups actually work.
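A backup you have never restored is a hope, not a control. The following added example (not code from the Nortec post) shows one way to make the Recovery practice verifiable: build a hashed manifest when the backup is taken, then check a restore against it so that missing, corrupted or unexpected files are reported. The directory names, file names and contents are constructed, and the JSON manifest layout is an assumption chosen for this illustration.

```python
"""Hashed backup manifest and restore verification (added example, constructed data)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(src_dir):
    """Record relative path, size and SHA-256 of every file under src_dir."""
    entries = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            p = os.path.join(root, name)
            rel = os.path.relpath(p, src_dir)
            entries[rel] = {"size": os.path.getsize(p), "sha256": sha256_file(p)}
    return {"created": datetime.now(timezone.utc).isoformat(), "files": entries}


def verify_restore(manifest, restored_dir):
    """Compare a restored tree with the manifest. Returns (ok, list_of_problems)."""
    problems = []
    for rel, meta in manifest["files"].items():
        p = os.path.join(restored_dir, rel)
        if not os.path.exists(p):
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            problems.append(f"corrupt: {rel}")
    # Files in the restore that the manifest never recorded are also a finding.
    for root, _, files in os.walk(restored_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), restored_dir)
            if rel not in manifest["files"]:
                problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo():
    """Back up a constructed CUI folder, restore it, verify, tamper, verify again."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "cui-share")
        os.makedirs(src)
        with open(os.path.join(src, "contract.docx"), "wb") as f:
            f.write(b"constructed contract data")
        with open(os.path.join(src, "drawing.dwg"), "wb") as f:
            f.write(b"constructed drawing data")

        # Take the backup and log it: the manifest is the evidence the backup ran.
        manifest_path = os.path.join(work, "backup-manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f, indent=2)
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)

        # Restore from the backup and check it against the logged manifest.
        restore = os.path.join(work, "restore")
        shutil.copytree(backup, restore)
        with open(manifest_path) as f:
            manifest = json.load(f)
        clean = verify_restore(manifest, restore)

        # Simulate silent corruption of one restored file and check again.
        with open(os.path.join(restore, "drawing.dwg"), "ab") as f:
            f.write(b"!")
        tampered = verify_restore(manifest, restore)
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("after corruption:", tampered)
```

The first verification passes; the second reports `corrupt: drawing.dwg`. Keeping the manifest (and the verification result) with your backup logs gives an assessor the record the Recovery domain asks for, and gives you early warning when a backup set has gone bad.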

13. Risk Management

Periodically conduct security assessments and vulnerability scans to evaluate your risk. Don’t forget to consider risks posed by your vendors and partners, too.

14. Security Assessment

The functions, features, hardware and software of your systems, and the controls that protect them, are documented in a system security plan (SSP), and the controls are periodically assessed against that plan.

15. Situational Awareness

A threat monitoring system is in place that rapidly identifies threats to your system and alerts your IT team about any incident.

16. System and Communications Protections

Tools and processes are in place to secure every communication system your company uses. This includes Voice over Internet Protocol (VoIP) and cloud phone systems.

17. System and Information Integrity

Antivirus software is installed and kept up to date. Additional detection and monitoring tools continually scan your systems, and alerts for flaws and threats are generated and reviewed by your security team or cybersecurity consultant.

Level 1 draws only 17 practices from these 17 domains. There are 4 other levels you should be aware of and may need to comply with, and each adds further practices across the domains.

Breaking Down the 5 Levels of CMMC

The level you need to meet will depend on the classification of data you work with. For instance, level 1 will not suffice for contractors creating or handling Controlled Unclassified Information (CUI). They will need level 3 or higher. Here’s a breakdown of what each level involves.

Level 1: Cover the cybersecurity basics

The goal of level 1 is to protect Federal Contract Information (FCI). It requires 17 practices, drawn from the domains outlined above (Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity), that every contractor will need to follow. These practices mirror the basic safeguarding requirements of FAR 52.204-21 and map to controls in NIST SP 800-171.

Level 2: Introduction of Controlled Unclassified Information (CUI) requirements

55 practices are added at level 2. You begin to create an environment capable of safeguarding Controlled Unclassified Information (CUI). Cybersecurity policies, standard operating procedures and strategic plans are documented.

Level 3: Safeguard CUI

You document, implement and maintain a plan that shows you have cyber hygiene policies that fully protect CUI. Compliance with 58 additional practices is required.

Level 4: Detect and respond to Advanced Persistent Threats (APT)

The focus shifts to making sure you effectively protect CUI against Advanced Persistent Threats (APTs). You implement processes to review and measure your ability to detect and respond to APTs. 26 practices are introduced, including advanced NIST security practices.

Level 5: Progressive cybersecurity

Sophisticated tools and procedures are in place to assess and repel advanced threats. Across the organization, processes are standardized and optimized to create a mature, highly cybersecure environment. 15 practices are added.

While many DoD contractors will not need to reach level 4 or 5, your level will depend on the nature of the contracts and the specific division you are aiming to work with. We recommend working with a CMMC practitioner like Nortec to understand fully which cybersecurity maturity level you require to achieve your contract objectives.

How to Achieve CMMC Certification

Every level of CMMC shares the same starting point for certification: a gap assessment. You want to find the gaps in your organization before you attempt the formal assessment, so that the issues that could cause you to fail are caught early and turned into an actionable to-do list based on the level you need to reach.

Work with experienced cybersecurity professionals who have specific knowledge of CMMC requirements. At Nortec, a CMMC Registered Practitioner serves as your cybersecurity consultant and works closely with you to assess your systems and determine what steps you need to take to pass your assessment.

Schedule your CMMC assessment now: Book a Consultation
