What is the CMMC?
CMMC stands for Cybersecurity Maturity Model Certification and is the latest security framework mandated by the Department of Defense [DoD] for any contractor that sells into the DoD. Because of unacceptable risks to Controlled Unclassified Information [CUI] and Federal Contract Information [FCI] stored on contractor systems, the DoD introduced CMMC to ensure that appropriate levels of cybersecurity protections and processes are in place. It specifies a range of security maturity levels that must be met, and the DoD will use those levels as a qualification criterion for RFPs and vendor selection.
On November 4, 2021, the Department of Defense announced several changes to the Cybersecurity Maturity Model Certification (“CMMC”) program to streamline the model, reduce assessment costs, and provide for more flexible implementation. The primary goals of the program include:
Safeguard sensitive information to enable and protect the warfighter
Dynamically enhance DIB cybersecurity to meet evolving threats
Ensure accountability while minimizing barriers to compliance with DoD requirements
Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
Maintain public trust through high professional and ethical standards
What is CMMC 2.0 & how is it different?
What are the new levels for CMMC?
CMMC 2.0 reduced the number of maturity levels from five to three and removed CMMC-unique practices and all maturity processes from the CMMC model. Each of the three new maturity levels is aligned with existing standards:
CMMC 2.0 Level 1 is aligned with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
CMMC 2.0 Level 2 is aligned with NIST SP 800-171 [requires compliance with DFARS 52.204-21]
CMMC 2.0 Level 3 is aligned with NIST SP 800-172 [requires compliance with DFARS 52.204-21 & NIST SP 800-171]
Graphic Source: https://www.acq.osd.mil/cmmc/
Ready to take on CMMC?
Choose from some of our compliance capabilities below to learn more about how we can help you!
“I am ready for a CMMC assessment and need to get in contact with a Provisional Assessor!”
Reef Systems is an Authorized C3PAO and can work with your organization to participate in a voluntary assessment during the rule-making period.
In addition, you can reserve a spot on our wait list so that you can be one of the first companies to be CMMC assessed after rule-making.
“We are ready for our leadership to understand CMMC 2.0 so they can lead our organization into the future”
Reef Systems will help your company’s leadership understand that CMMC compliance is NOT just about technology, and that the whole organization must embrace the protection of information. Your organization may have to adapt and change to uphold the revised standards. Leadership support and understanding will enable a critical view of the organization as you address all areas (people, process, tools) that need improvement to support the CMMC requirements.
“We understand that we need to follow CMMC Compliance for future contracts, but we don’t know where to start”
Reef Systems can help companies from the ground up. This involves comparing the CMMC compliance requirements against what is currently in place and identifying what needs to change to meet the standards. We will work with you to create a roadmap to achieve compliance.
“We have done a CMMC gap analysis and see what we need to fix, but don’t know how to map out a solution to fix this”
Reef Systems has first-hand experience implementing solutions. Through our remediation services, we will review your company’s current gap assessment to identify and implement solutions for the controls that have not been properly addressed and would otherwise keep you from receiving the certification.
Team Awareness Training
“I have made all technical changes but need my employees to be on the same page about cyber hygiene”
This service is specifically related to preparing your entire organization for CMMC. To ensure that CMMC practices are upheld throughout the entire organization, Reef Systems offers team awareness training to educate employees on cyber hygiene and on handling FCI and CUI. Substantial training is required to make sure your whole organization understands, and is trained on, the behavioral changes that need to take place.
“I believe I have remediated all the issues, help me confirm that I am ready and can pass an assessment”
Reef Systems can work with your company to confirm that you have all the scope documentation and the appropriate evidence to meet each assessment objective. Our team will go through each control and will provide meaningful feedback to ensure you have everything you need prior to your formal CMMC assessment.
NIST SP 800-171
Reef Systems offers an Environmental Readiness Check that will help your organization uncover systems and processes that may not meet the standards outlined in NIST SP 800-171, by examining questions such as:
How is data stored and access to information controlled?
Are incident response plans in place, current, and effective?
Are IT staff and other personnel adequately trained?
How are security protocols implemented and maintained?
Reef Systems also offers a NIST SP 800-171 Gap Assessment, which pinpoints risk areas for contractors and facilitates the creation and execution of the Gap Remediation Plan. Without a Gap Assessment in hand, contractors may find it impossible to identify risks, prioritize activities, and determine costs for the remedial steps required to pursue CMMC certification.
Reef Systems also offers NIST SP 800-171 Gap Remediation as a prioritized, actionable plan to address any security needs uncovered in the Gap Assessment and bring the contractor into NIST SP 800-171 compliance. This includes creating a Plan of Action & Milestones (POA&M) that will need to be uploaded into the Supplier Performance Risk System (SPRS) and will document:
The activities necessary to resolve each security issue
The resources allocated to mitigate problems and close security gaps
A timeline with project completion dates and milestones to track progress on anything that is not yet completed
Insights into the security vulnerabilities identified
Team Reef Systems
Reef Systems has partnered with quality vendors to provide solutions to help our clients achieve compliance.