CMMC compliance

Do you work with the US Department of Defense, or do you plan to in the future? Then your organization needs to be CMMC certified. We can help you reach CMMC compliance.

What is CMMC?

Are you a contractor for the US Department of Defense (DoD)? Then you are required to meet certain cybersecurity requirements. The Cybersecurity Maturity Model Certification (CMMC), is the U.S. DoD’s certification scheme to ensure, and verify, that contractors have implemented adequate cybersecurity measures to protect sensitive information. The updated version, CMMC 2.0, is expected to be published as a final rule by the beginning of 2025.

Who does CMMC apply to?

The U.S. DoD developed this certification scheme to ensure that all its suppliers implement appropriate cybersecurity controls. The goal is to protect unclassified, but sensitive, information within their unclassified networks.

According to U.S. DoD estimates, over 200,000 suppliers in the U.S. alone are expected to meet CMMC requirements. Of those, the U.S. DoD estimates that roughly 40 percent, so around 80,000 companies, will need a CMMC Level 2 certification. European suppliers are also expected to be CMMC certified. The number of European companies affected by CMMC is probably between 500 and 850.

Quote by

Willem van Dijk

CMMC consultant


Regulation in the US may feel like something you don't need to bother with as a European manufacturer, but being CMMC compliant is going to be vital if you want to work with the US Department of Defense.

Which levels does CMMC have?

CMMC has three levels of certification. Which level you need to comply to depends on the types of information you, as a contractor, handle as part of your contract with the U.S. DoD.

Level 1: Foundational cyber hygiene. Every Defense contractor will have to meet at least Level 1. The controls of this level primarily look to protect information that is not intended for public release (i.e., FCI), and ensure that access is limited to authorized users. The controls are laid down in the Federal Acquisition Regulation (FAR).

Level 2: Advanced cyber hygiene. Defense contractors that handle sensitive information that requires safeguarding (i.e., CUI) will need to meet Level 2. This level requires a contractor to implement the security controls in NIST SP 800-171.

Level 3: Expert cyber hygiene. Level 3 focuses on more advanced cyber threats for companies handling CUI that is associated with a critical program or high value asset. This level supplements the Level 2 controls (800-171) with a subset of the controls in NIST SP 800-172.

Image in image block

When should we start preparing for CMMC?

Preparation for the CMMC 2.0 Level 2 assessment, which most companies will be expected to have, requires between 12-18 months. There is an anticipated 9-15 months wait time for companies to get assessed by certified assessment organizations or C3PAO's. This means it is wise to start preparing right now for CMMC compliance.

What happens if we don't comply with CMMC?

Failing to complete the CMMC certification process can result in not receiving assigned contracts, termination of your current contract, or hefty fines for non-compliance and damages. It can also prevent your company from securing additional U.S. government contracts.

Under the U.S. False Claims Act (FCA), companies can also risk liability by knowingly or recklessly misstating compliance. If you knowingly or unknowingly do not abide by all requirements (NIST SP 800-171), your company faces significant penalties.

How we can help you

Secura helps Defense and Safety organizations all over Europe raise their cyber resilience. We know the importance of compliance with law and regulations, like CMMC. Our CMMC consultants have a background in defense and extensive knowledge not only of the certification but of wider issues in your field. We can help you with the following CMMC services.



CMMC Boardroom Training

Why is CMMC important? Which consequences will this regulation have for your company? During this 2 hour training your management will gain sufficient insight into CMMC to take informed decisions on measures that might be needed. Save yourself weeks of study and research with this concise overview training.


CMMC Readiness Assessment

The main question this assessment answers is: which technical security controls, for instance regarding access management, do you already have and do you need to implement to reach CMMC compliance? Because CMMC requires specific documentation we also pay thorough attention to this.


CMMC Implementation Support

Based on the results of the CMMC Readiness Assessment, we can help you get ready for your CMMC assessment. We can help you with the implementation of necessary controls and setting up and maintaining documentation. We also offer a pre-certification self-assessment, which can be seen as a rehearsal for your actual audit.


CMMC Compliance brochure (ENG)

Read about our services in this brochure


Contact me

Do you want more information on how we can help you reach CMMC compliance? Please fill out the contact form and we will contact you within one business day.



Secura is a leading cybersecurity expert. Our customers range from government and defense to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.