Achieving CMMC Certification

Introduction to the CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a new certification rolled out by the US Department of Defense (DoD) to improve the protection of Controlled Unclassified Information (CUI). By 2025, the DoD plans to require CMMC certification for all contractors listed on DoD defense contracts.

Contractor certification is based on one of five levels of cybersecurity maturity. At Level 1, the CMMC defines practices that organizations must implement. Levels 2 and above include two areas of measurement: process and practices. Processes refer to the policies and plans that organizations must maintain to ensure compliance with the requirements of each CMMC domain. Practices are the security controls that contractors will need to implement to protect CUI and achieve CMMC certification.


Learn more about our custom-tailored security strategies. Download our CMMC brochure.


CMMC Readiness Support and Certification

MorganFranklin is approved as an RPO and is currently a C3PAO candidate, enabling it to offer CMMC Readiness Assessment and compliance support services.

Unlike NIST 800-171, which permitted self-certification, a contractor’s compliance with the CMMC must be evaluated and certified by a third-party auditor authorized by the CMMC Accreditation Body. This certification will demonstrate compliance with the requirements of one of the five CMMC levels.
The DoD defines two roles in the certification process:

  1. Registered Provider Organization (RPO) is certified to provide guidance to an organization working toward achieving CMMC compliance.
  2. Certified Third-Party Assessment Organization (C3PAO) is authorized to perform a CMMC audit and make the recommendation to issue a CMMC certificate.

An organization can engage with both an RPO and a C3PAO during its CMMC certification process, but an organization’s RPO cannot also act as their C3PAO.

Learn more about CMMC readiness preparation here.

The MorganFranklin Way™

MorganFranklin’s approach to cybersecurity strategy and GRC solutions allows our consultants to better protect your organization’s brand against threats of all kinds. We’ll tackle the broader issues associated with corporate governance, enterprise risk management, and corporate compliance with a simple, structured approach.

By aligning with your business objectives, you’ll reap benefits such as:

  • Improved decision-making
  • Optimal IT investments
  • Reduced fragmentation with the elimination of silos

You may have a thorough understanding of the need for a GRC strategy, but you may not have the team or resources to implement internally. MorganFranklin can connect you with one of our GRC experts to create a business-aligned strategy that improves your GRC and overarching cyber security decision-making abilities. From security strategy, planning, budgeting and delivery, our consultants have a strong background in IT leadership and organization design. Whether you need part-time, interim or fully outsourced help, MorganFranklin is your trusted source to define and implement an effective GRC strategy.


We are experienced, engaged professionals that are highly energetic and motivated to work in challenging, high stakes environments.