Cybersecurity Maturity Model Certification (CMMC): DOD Compliant Solutions

Back to Top


Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on supplier networks is an important step in reducing risk to National Security. The Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) to raise the level of information security across the entire Defense Industrial Base (DIB) and better protect our nation's critical information. 


Carahsoft and our partners have assembled products and services to help the defense community address the processes and practices of CMMC.

Explore CMMC Domains

Search By:

  • AM - Asset Management (12)
  • AT - Awareness & Training (6)
  • AC - Access Control (21)
  • AU - Audit & Accountability (20)
  • CA - Security Assessment (12)
  • CM - Configuration Management (17)
  • IA - Identification & Authentication (14)
  • IR - Incident Response (19)
  • MA - Maintenance (10)
  • MP - Media Protection (12)
  • PE - Physical Protection (3)
  • PS - Personnel Security (4)
  • RE - Recovery (10)
  • RM - Risk Management (20)
  • SA - Situational Awareness (13)
  • SC - System and Communications Protection (22)
  • SI - System and Information Integrity (22)

Carahsoft’s Portfolio of CMMC Products & Services

In support of the Defense Industrial Base effort to achieve CMMC compliance, Carahsoft and our partners deliver products and services to address the cybersecurity controls within the framework. We have organized those products and services by both CMMC Capability Domain and by technology vendor. To get started, select a CMMC Domain or Technology Vendor on the left hand side.

The CMMC Framework Explained

CMMC is the cybersecurity framework used by the DOD to measure their suppliers' cybersecurity maturity and ensure protection of Controlled Unclassified Information (CUI) residing on contractor networks. CMMC organizes cybersecurity processes and best practices into a set of 17 capability domains across 5 maturity tiers. The 5 Maturity Levels of the CMMC Framework are summarized below:

  • Level 1: Basic safeguarding of Federal Contracting Information (FCI), 17 practices
  • Level 2: Intermediate cyber hygiene, transition to protecting CUI, 72 practices
  • Level 3: Good cyber hygiene, protecting CUI, 130 practices
  • Level 4: Proactive cyber program, protecting CUI and reducing risk of APTs, 156 practices
  • Level 5: Advanced & progressive cyber program, protecting CUI from APTs, 171 practices

Given the range of information sensitivity by contract, the maturity level required will be determined at the individual contract level. The maturity model is cumulative so that each successive level consists of the practices and processes specified in the preceding level as well as additional controls.

Within the 5 maturity levels of CMMC, the 17 capability domains are derived from the basic safeguarding requirements in FAR Clause 52.204-21, NIST Special Publication 800-171, and other sources. Each domain is comprised of a set of controls that designate a range of cybersecurity and mitigation activities.

The CMMC framework includes a certification requirement that verifies the execution of the processes and practices by maturity level and standardizes implementation across the DIB. CMMC assessments are carried out by assessors that are certified by the CMMC Accreditation Body (CMMC-AB).

DFARS Rule Compliance Deadline Requirement
DFARS 252.204-7012 12/31/2017 Contractors must implement controls within NIST 800-171
DFARS 252.204-7020 11/30/2020 Contractors must submit self-assessment against NIST 800-171 to the DOD SPRS portal
DFARS 252.204-7021 9/30/2025* Contractors must successfully complete CMMC assessment by C3PAO

For more information on CMMC or how to get started on assessing your CMMC needs, please reach out to and a Carahsoft representative will assist you.


Learn from leaders at DoD, NIST, NTIA, and CISA on how agencies are reevaluating their security posture. Featuring additional insights from technology leaders at Trustwave, Qmulos, Zscaler, Solarwinds, and MicroFocus Government Solutions.
Michael Rothschild, Senior Director of Marketing for Tenable, shares advice for protecting data and resources as the cybercrime landscape expands and evolves.
John Davis, Vice President of Public Sector at Palo Alto Networks, explains how the concept of protecting from the inside of their IT infrastructures out (instead of the outside in) helps move agencies toward a Zero Trust approach.

Community Trends Blog

Upcoming Events

Hosted By: Zscaler
Carahsoft December 08, 2021
Carahsoft 1:00 PM ET
Carahsoft   CPE Eligible

Hosted By: Baker Tilly, Pillsbury Winthrop Shaw Pittman, & Carahsoft
Carahsoft December 09, 2021
Carahsoft 2:00 PM ET
Carahsoft   CPE Eligible



Carahsoft March 16, 2021

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that it has been named the 2020 Distributor of the Year by Gigamon, the global leader in visibility and analytics for the hybrid cloud.


Carahsoft March 04, 2021

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that it has been named the 2020 Global Distributor of the Year by FireEye.