With CORE’s platform, training and consultants we were able to succeed in a short time and gain a level of understanding and structure we otherwise would never have been able to accomplish.

Anne Mills on BirdEye

The certification process was easy and painless. Suzanne Weber-Smatko did an excellent job of preparing us for the audits and we were certified with no findings.

-Elizabeth Meighan on BirdEye

C&C International was indeed very pleased with the Core training we’ve recently received. Suzanne Weber-Smartko and Norman Verbeck provided very good support and direction. We are very much satisfied with CORE.

Bill James on Google

The Core Solutions team was excellent to work with and made the ISO preparation tolerable. I highly recommend the services of the Core Solutions.

-Paul Amalfitano on BirdEye

Thanks to the CORE team and especially Bruce Newman for a great experience achieving our company’s first ISO certification.

-Flip Crummer on Facebook

What is NIST / CMMC?

The launch of the Cybersecurity Maturity Model Certification (CMMC) program serves as an important and necessary step in the advancement of our country’s ability to protect its people, military, industry, and more. Threats to our country’s information grow by the day, and adversaries are becoming more capable.

For businesses working with the Department of Defense (DoD), the threat grows. For companies to be awarded government projects, they will need to employ several information security solutions, and put policies into place that drive action for their organizations.

The CMMC program was created after a major breach of contractors and subcontractors and subsequently several government agencies.  This program is designed to level up the security of information shared by the Department of Defense and contractors and subcontractors and gives the Department enhanced confidence that CUI is being protected. Read below to learn more about CMMC 2.0, NIST, and DFARS.

Get a Free Quote

The Structure of CMMC

CMMC measures cybersecurity at 3 levels, from Foundational to Expert. Businesses that only handle Federal Contract Information (FCI) will require Level 1. Businesses that handle Controlled Unclassified Information (CUI) will require Level 2. Level 3 exists to protect highly sensitive CUI and will be required by a few contractors.

Level 1 (Foundational)

17 Practices


  • For contractors who handle CUI
  • Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
  • Requires annual self-assessment submitted to Supplier Performance Risk System (SPRS) and affirmed by company leadership.
Level 2 (Advanced)

72 Practices


    • For contractors who handle CUI
    • Comply with the FAR
    • 110 practices from NIST SP 800-171
    • Lower-priority acquisitions will require annual self-assessment submitted to SPRS and affirmed by company leadership.
    • Higher-priority acquisitions will require a third-party assessment every three years.
Level 3 (Expert)

130 Practices


  • For contractors who handle highly sensistive CUI
  • Comply with the FAR
  • 110+ practices from NIST SP 800-171/172
  • Requires government assessment every three years.

Level 1


    • Comply with the FAR
    • 17 practices from NIST SP 800-171
    • Annual self-assessment affirmed by company leadership.

Level 2


  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171r1
  • Annual self-assessment or triennial third-party assessement.

Level 3


  • Comply with the FAR
  • Encompasses all practices from NIST SP 800-171 and a subset from NIST SP 800-172
  • Requires assessment by government every three years

Source: CMMC Model v2.0 Approved for Public Release

CMMC 2.0

In November of 2021, the Department of Defense announced plans for an improved CMMC 2.0 program.  The goal of 2.0 is to maintain the initial program while reducing compliance challenges as much as possible.

The CMMC 2.0 program has three key features:

Tiered Model:

The CMMC program lays out the process for requiring the protection of controlled unclassified information (CUI) that is shared with the Defense Industrial Base (DIB) and requires those companies trusted with national security information to meet the required cybersecurity standards at the appropriate level based on the type and sensitivity of the information.

Assessment Requirement:

CMMC assessments allow the DoD to verify that the defined cybersecurity requirements have been met.

Implementation through Contracts:

Once CMMC is fully implemented and a contract has a CMMC requirement specified, contractors will be required to meet the appropriate CMMC level as a condition of contract award.



What does DFARS Stand for?

DFARS stands for the Defense Acquisition Federal Regulation Supplement and was published in December 2015 by the U.S. Department of Defense (DoD). DFARS is supplementary to the FAR or Federal Acquisition Regulations.  DFARS is a set of specific regulations for cybersecurity meant for DoD external contractors and suppliers.

Because of the ever-increasing cybersecurity threats, cybersecurity has become a significant priority for the US government.  The primary goal of DFARS is to protect “Controlled Unclassified Information” (CUI) and require private government contractors and other non-government entities to update security systems and processes.


cmmc consultants


What Is NIST 800-171?

NIST stands for the National Institute of Standards and Technology and NIST 800-171 establishes a set of standards and is a collection of regulations with the goal of protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. These sets of standards are applied to safeguarding and distributing information like personal information or intellectual property that is regarded as sensitive but not classified.

Compliance with the most recent revision of NIST 800-171 requires anyone working with CUI as part of the DoD, General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) to implement security procedures when handling controlled unclassified Information.

NIST Compliance is demonstrated with the use of a self-assessment against the 110 requirements outlined in NIST 800-171.  Every one of the NIST controls has a weighted value associated with it. It’s either one point, three points, or five points. So you could have at best, a positive score of 110 or at worst, a negative 203 as a score.  Scores must be submitted before contracts or renewals are awarded. Scores are registered in the DoD’s Supplier Performance Risk System (SPRS)


cmmi consultant

What is the Supplier Performance Risk System?

“The Supplier Performance Risk System (SPRS) is a web-enabled enterprise application that gathers, processes, and displays data about supplier performance. It is the DoD’s single, authorized application to retrieve supplier performance information.”


Although it may seem complicated, using available resources and a NIST Consultant can make it possible to get and stay in compliance with DFARS which can be financially rewarding for an organization.  Contact us today for more information. 


Consulting Support for CMMC Compliance

At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide NIST/CMMC training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).

We also assist you in your guided self-assessment. We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), Roadmap, and budget. Core Business Solutions is a NIST/CMMC registered provider organization (RPO).

CMMC RPO Core Business Solutions

Our consulting plans also include the CORE Security Suite to help you implement CMMC practices and maintain certification going forward.

    Interested? Get a Free Quote.

    Related Standards

    We also provide consulting support for companies seeking multiple certifications through an Integrated Management System.


    ISO 9001

    Quality Management Systems

    ISO 27001

    Information Security Management Systems

    ISO 20000-1

    Service Management Systems

    ISO 9001

    ISO 27001


    For more information about compliance, please call our consulting office at 866-354-0300 or contact us online.