Cybersecurity Maturity Model Certification (CMMC)
Baker Tilly is a candidate CMMC Third-Party Assessor Organization (C3PAO), at the ready to meet you wherever you are on your CMMC compliance journey. With more than 800 government contracting clients, we understand the complexities of achieving Cybersecurity Maturity Model Certification (CMMC). As recognized cybersecurity specialists in the field, Baker Tilly’s CMMC team is dedicated to guiding you through every step of the process with unparalleled efficiency, speed and ease.
CMMC webinar series
Five things you need to know about CMMC
CMMC is a U.S. Department of Defense (DOD) program to improve the cybersecurity of its contractors. It has different levels of security standards that companies must meet, depending on the sensitivity of the information they handle. Contractors need to pass assessments to qualify for certain DOD contracts.
While final rulemaking is still in progress, CMMC compliance is expected to be required for all contractors and subcontractors working with the DOD who handle controlled unclassified information (CUI). This includes:
- Defense Industrial Base (DIB) contractors: Companies that provide products or services to the DOD.
- Subcontractors: Any subcontractors working under a primary contractor on DOD contracts that handle CUI.
These entities are expected to be required to achieve a specific CMMC level to be eligible for DOD contracts, demonstrating they meet the necessary cybersecurity standards.
CMMC requirements are expected to appear in contracts starting in fiscal year 2026. However, CMMC may be included in defense contract solicitations as early as summer 2025. The DOD is implementing these requirements in phases, allowing companies time to comply based on the sensitivity of the contracts they handle.
If companies don't comply with the CMMC, they may face several consequences:
- Loss of contracts: Non-compliant companies may lose eligibility to be awarded DOD contracts.
- Legal and regulatory penalties: They could face fines, penalties or other legal actions under Department of Justice (DOJ) enforcement of the False Claims Act (FCA).
- Reputation damage: Non-compliance can harm a company's reputation, affecting its ability to win new contracts or maintain business relationships.
- Increased risk of data breaches: Without proper cybersecurity measures, companies are more vulnerable to data breaches, leading to financial losses, loss of sensitive information and potential legal issues.
- Suspension or debarment: The government may suspend or debar non-compliant companies from federal contracts.
Discuss your specific needs with a trusted CMMC professional.
Go there, with Baker Tilly
Baker Tilly is your trusted advisor in building sustainable CMMC compliance and your go-to for navigating the certification landscape. Our proven track record speaks for itself, ensuring you receive top-tier guidance and support.
We are committed to helping government contractors meet all of their compliance requirements, from CMMC to the increasing supply chain risk management obligations under Section 889, as well as the whole host of complex regulatory compliance, audit and other government oversight burdens.
Matt Gilbert, CMMC Leader

CMMC compliance solutions
Baker Tilly will meet you wherever you are on your CMMC compliance journey, offering support from readiness assessments to the official evaluation and ongoing maintenance of your certification.
Preparing for a successful CMMC assessment requires thoughtful planning, time and resources. Baker Tilly can help you determine the best way to prepare for CMMC. This may include identifying gaps between your controls and the CMMC model and providing recommendations for remediating those gaps. These services can be offered as a mock assessment or in a more advisory capacity to suit your needs. We can assist your team in remediating gaps by designing processes and/or creating policies and procedures.
Baker Tilly is committed to supporting organizations with their official certification assessments. As a candidate C3PAO, Baker Tilly, when permitted, will complete assessments for certification at CMMC Level 2.
Organizations must undergo official assessments every three years to maintain their certification. Off-years require a management self-assessment. Baker Tilly recommends that organizations consider performing the assessment annually with a C3PAO or similarly qualified persons. Baker Tilly can help conduct assessments in the off-years that management can use as the basis for the affirmations it provides to the DOD.
Disclosure
All CMMC services are performed by Baker Tilly Data Systems, a wholly owned subsidiary of Baker Tilly US, LLP. Baker Tilly Data Systems is a candidate CMMC Third-Party Assessor Organization.