Browser Extensions

Common CMMC Misconceptions

Many defense contractors are confused about CMMC. Here are two common misconceptions.

Join our newsletter:
The below two misconceptions are based on my personal interactions with DoD contractors.

“CMMC Will Prevent My Company From Competing on DoD Contracts”

I have heard this one many times from DoD contractors and it genuinely breaks my heart. If everyone had level three or higher CMMC requirements then there would be justification for more concern. Thankfully most contracts will have either level one or two CMMC requirements. This means that companies will only need to maintain either basic or intermediate levels of cyber hygiene which are not particularly difficult or expensive to achieve. So if you are a small company or have a tight budget don’t freak out about CMMC.

“I am Already CMMC Compliant”

As of August, 2020 no company can be “CMMC Compliant”. A company can only be “CMMC Compliant” if they actually have a cybersecurity maturity model certification. As of August 2020 you can not earn this certification. You can definitely undergo an internal or external assessment to help determine where you are but that in itself will not make you compliant although it is something all DoD contractors should be doing now if they haven’t already. Many DoD contractors I have interacted with cited their “IT Service Provider” as the source for the claim that they are CMMC compliant. These reckless claims can put contractors at risk as they begin to bid on contracts with CMMC requirements.

The CMMC community needs to Step Up to The Plate

The above misconceptions show that the CMMC community needs to up its game in educating the defense industrial base. This responsibility doesn’t only fall on the CMMC accreditation board but also on professionals and companies who are offering CMMC related services to the defense industrial base.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.