DoD CMMC (Certification)

The United States Department of Defense (DoD) is constantly under attack from external threats.  Our government has taken the next appropriate step in combating these challenging threats by requiring all DoD contractors and suppliers, regardless if you’re the acting prime contractor or a subcontractor, through a standardized certification process.  This certification is known as the DoD Cybersecurity Maturity Model Certification or DoD CMMC, created by the Office of Under-Secretary of Defense for Acquisition & Sustainment (OUSD-A&S).  This certification contains five separate levels with the highest level being the most secure environment.  Depending on the contractor and the specific classifications sought on a given contract, a specific level may be required.

DoD CMMC Levels

  • Level 1
    • Basic Cyber Hygiene (NIST SP 800-171 Revision 1 – 16 Controls)
  • Level 2
    • Intermediate Cyber Hygiene (NIST SP 800-171 Revision 1 – 46 Controls)
  • Level 3
    • Good Cyber Hygiene (NIST SP 800-171 Revision 1 – 47 Controls)
  • Level 4
    • Proactive (NIST SP 800-171 Draft Revision B – 26 Controls)
  • Level 5
    • Basic Cyber Hygiene (NIST SP 800-171 Draft Revision B – 4 Controls)

To read more about the DoD CMMC Certification Program follow this link (Click Here).

Pre-Certification Assessment

The pre-certification involves putting all necessary security measures in place to meet or exceed what the DoD CMMC will be requiring for each prime contractor and subcontractor.  hoytNIVA, working in conjunction with your team, will assess what areas in your environment need to be addressed in order to fulfill the requirements for different levels of the DoD CMMC.  Many prime contractors have began requiring their subcontractors and suppliers to meet a certain level of cyber-security already under the NIST framework and this will continue under the DoD CMMC.

hoytNIVA Pre-Certification Assessment Services & Process

  • Assessment
    • On-Site
      • hoytNIVA’s team of DoD CMMC Specialists arrive at your site(s) to review and audit your infrastructure.  Our team will work with your staff to ensure that you understand what’s required and what we are seeking in order to perform our work and in-turn, create an appropriate road map to security.
    • Off-Site
      • hoytNIVA’s team, working with your staff to ensure that our on-site portion has reviewed all the necessary areas, will construct the road map to security with a step-by-step process to perform these remedies.
  • Itemized Report with Road Map to Security & Certification
    • In line with each DoD CMMC requirement tied to specific levels, we will provide and step-by-step process to become certified.
    • Once the certification begins, we will work with your team to submit the results on your behalf.


Remediation refers to making changes your systems and infrastructure to meet or exceed the requirements in areas of deficiency.  This could be viewed as a challenging step towards certification and working alone, it certainly can be, although at hoytNIVA we perform these duties at a high standard to address areas of concern.  In addition to performing the work, we communicate with your staff each step of the way to ensure you’re as comfortable as possible with the changes that were made.

hoytNIVA Remediation Services

  • Security Framework Testing
    • Penetration Testing
    • Vulnerability Testing & Assessments
  • Cloud Implementation
  • On-Premises & Cloud-Based Development

DoD CMMC Certification

hoytNIVA will work with your organization to “certify” your cyber-security maturity to a certain level if you have in fact met or exceeded the requirements defined by the DoD.  As an approved third-party to perform this certification, we perform the work in an objective manner, translating to advising you on a go/no-go result in a given area or overall.

hoytNIVA DoD CMMC Services

  • hoytNIVA performs the DoD CMMC (Certification) as an Approved Third-Party
  • hoytNIVA will communicate with your team with any results, positive or negative, and what we view as the remedy
  • Once certified, we will package our findings in the standard DoD CMMC format and will work with your team to support the submittal of these findings, securely with DoD and/or the prime contractor if you’re a subcontractor

Post-Certification Review & Update

Once you have been “certified” under the DoD CMMC, you must stay certified throughout the period that you are servicing the DoD contracts.  Ensuring that your team is in fact meeting all the requirements you are subject to DoD audits, unannounced or scheduled, to review your infrastructure.  These audits may be performed by DoD or by/through the DoD prime contract holder.

hoytNIVA Post-Certification Services

  • hoytNIVA will review your certification throughout the year, typically on a quarterly-basis
  • hoytNIVA will connect and communicate with your prime contractor or the DoD directly on our findings

RFI/RFP Submittals

Key to the success of DoD contracting is a smooth procurement process.  The DoD CMMC was created to not only certify the results of a cyber-security audit, it was created to streamline the process of vetting those submitting in to RFI’s and RFP’s.

hoytNIVA RFI/RFP Submittal Service

  • hoytNIVA will submit your DoD CMMC for your organization, to include the secure submitted information in the DoD CMMC format along with secure connections to areas that your prime contractor and/or DoD will need to review in greater detail


I’m a prime contractor with a handful of subcontractors, do my subcontractors need to become certified?

  • Yes, every business needs to be certified, separately.  When the DoD references your RFI, RFP, solicitation submittal or contract (new contract, renewal, or extension), you as a prime and each subcontractor must have the certifications in place that meets of exceeds the requirement for the contract.

How often will I need to become re-certified?

  • Renewal of your certification will depend on the level of certification and/or the contracting agency.  The higher the level will most likely drive for a more frequent renewal (e.g. annually) versus the lower level.  The DoD/contracting agency will communicate the frequency required.

I have previously self-certified under NIST, does that fulfill the requirement for the CMMC?

  • No.  The DoD CMMC is an evolution and comprehensive step forward to protect everyone and is 100% performed by a third-party organization.  There is no longer a self-certification, self-assessment or questionnaire that fulfills any requirement for DoD.

I’ve been working with my team internally and our outside IT company, they said we’re ready…are we ready?

  • Maybe although we wouldn’t chance it when hoytNIVA can consult with your team and assist where required to ensure that you’re ready to go.  If we have not assisted and are simply the third-party performing the certification, we will be available with your internal and/or external IT professionals and other staff to address areas of concern.  Please keep in mind, the certification is an audit and not a time to fix things while the auditors are present.  You MUST be ready to become certified.  Non-certified DoD Contractors are fictional starting in 2020.  If you’re not certified, you and your entire team on the contract will NOT be allowed to perform.  The certification is a go/no-go.

What is the estimate cost and duration for get ready for certification and the certification itself?

  • Each organization is different.  Since getting ready for certification takes the longest period of time, this is a crucial period for your organization.  The certification itself is a lower expense and duration since the hard work (pre-certification as we refer to it) is hopefully in place.  The factors that adjust the pricing would be the level of certification sought (Level 1-5), the size of your organization, complexity of systems, number of locations, and many other factors.  We can construct a detailed quote for all of our services.

Is the certification performed on-site?

  • Yes, it has to be.  We need to see what’s in place to ensure that the certification is accurate at that given moment in time.  Word of caution, if a third-party certifying organization offers you a certification and do not schedule on-site performance, do NOT utilize their services.