Cybersecurity Maturity Model Certification (CMMC): DOD Compliant Solutions

Back to Top


Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on supplier networks is an important step in reducing risk to National Security. The Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) to raise the level of information security across the entire Defense Industrial Base (DIB) and better protect our nation's critical information. 


Carahsoft and our partners have assembled products and services to help the defense community address the processes and practices of CMMC.

Explore CMMC Domains

Search By:

  • AT - Awareness & Training (6)
  • AC - Access Control (25)
  • AU - Audit & Accountability (25)
  • CA - Security Assessment (15)
  • CM - Configuration Management (20)
  • IA - Identification & Authentication (17)
  • IR - Incident Response (21)
  • MA - Maintenance (10)
  • MP - Media Protection (13)
  • PE - Physical Protection (3)
  • PS - Personnel Security (4)
  • RM - Risk Management (23)
  • SC - System and Communications Protection (24)
  • SI - System and Information Integrity (24)

Carahsoft’s Portfolio of CMMC Products & Services

Carahsoft's Portfolio of CMMC Products & Services

Carahsoft and our partners have assembled products and services to help the defense community address the processes and practices of CMMC. We have organized those products and services by both CMMC Capability Domain and by technology vendor. To get started, select a CMMC Domain or Technology Vendor on the left hand side.

The CMMC Framework Explained

CMMC is the cybersecurity framework used by the DOD to measure their suppliers' cybersecurity maturity and ensure protection of Controlled Unclassified Information (CUI) residing on contractor networks. CMMC organizes cybersecurity processes and best practices into a set of 14 capability domains across 3 maturity tiers. The 3 Maturity Levels of the CMMC Framework are summarized below:

  • Level 1: Foundational Security. Basic safeguarding of Federal Contracting Information (FCI) in FAR Clause 52.204-21, 17 practices
  • Level 2: Advanced Security. Aligns with the 110 controls and security requirements of NIST 800-171.
  • Level 3: Expert Security. Full information will be released at a later date but expected to align with the enhanced security requirements of NIST 800-172.

Given the range of information sensitivity by contract, the maturity level required will be determined at the individual contract level. The maturity model is cumulative so that each successive level consists of the practices and processes specified in the preceding level as well as additional controls.

Within the 3 maturity levels of CMMC, the 14 capability domains are derived from the basic safeguarding requirements in FAR Clause 52.204-21, NIST Special Publication 800-171, and NIST Special Publication 800-172. Each domain is comprised of a set of controls that designate a range of cybersecurity and mitigation activities.

The CMMC framework includes an assessment requirement that verifies the execution of the practices by maturity level and standardizes implementation across the DIB. CMMC assessments are carried out through one of three methods depending on maturity level: self-assessment, third party assessment by CMMC Accreditation Body (CMMC-AB) certified assessor, or government assessment.

For more information on CMMC or how to get started on assessing your CMMC needs, please reach out to and a Carahsoft representative will assist you.


Learn from leaders at DoD, NIST, NTIA, and CISA on how agencies are reevaluating their security posture. Featuring additional insights from technology leaders at Trustwave, Qmulos, Zscaler, Solarwinds, and MicroFocus Government Solutions.
Michael Rothschild, Senior Director of Marketing for Tenable, shares advice for protecting data and resources as the cybercrime landscape expands and evolves.
John Davis, Vice President of Public Sector at Palo Alto Networks, explains how the concept of protecting from the inside of their IT infrastructures out (instead of the outside in) helps move agencies toward a Zero Trust approach.

Community Trends Blog

Upcoming Events

Hosted By: Google, Ignyte & Carahsoft
Carahsoft March 22, 2023
Carahsoft 2:00 PM ET

Hosted By: Virtru, AFRL & Carahsoft
Carahsoft March 21, 2023
Carahsoft 12:00 PM ET


cmmc_thumbnail.PNG RESOURCE
Organizations of all sizes in the Defense Industrial Base (DIB) are preparing to comply with the Cybersecurity Maturity Model Certification (CMMC) 2.0. Mobile device security is a critical topic of discussion among those in the DIB who are assessing and strategizing how to address existing endpoint security. In particular, there are specific requirements around incorporating mobile device usage restrictions, scanning a device for software updates and patches, and conducting operating system (OS) integrity checks within their current cybersecurity mix.

Download this technology brief to better understand CMMC 2.0 so you can implement standards more quickly and efficiently.


Carahsoft March 16, 2021

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that it has been named the 2020 Distributor of the Year by Gigamon, the global leader in visibility and analytics for the hybrid cloud.


Carahsoft March 04, 2021

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced that it has been named the 2020 Global Distributor of the Year by FireEye.