CMMC Services

CMMC compliance soon to be mandatory to do business with the US DoD

Contact FITS to help your organization prepare to be CMMC compliant.


  • Need to protect all information systems that will contain or process federal data. In particular, FCI (Federal Contract Information) and CUI (Controlled Unclassified Information), not just cloud systems (covered by FedRAMP)
  • Different levels of protection (5 levels) needed for different sensitivities of data


  • Championed by Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))
  • Applicable to entire Defense Industrial Base (DIB) & Department of Defense (DoD) supply chain – includes all prime and sub-contractors
  • Based on NIST 800-171 with additional requirements
  • CMMC adds process maturity requirements, such as documenting processes/procedures and following a security plan
  • For more information, please visit OUSD (A&S) website here and the CMMC Accreditation Body (AB) website here
  • More information about the different Levels:
Credit: OUSD (A&S) Website

More information about the practices:

Credit: OUSD (A&S) Website


  • Organization will need a third-party audit by a C3PAO (CMMC Third Party Auditing Organization) or Certified Assessors accredited by the CMMC-AB
  • Assessment guidelines released on 11/30/2020. (L1 here, L3 here)
  • Certification lasts 3 years
  • FedRAMP reciprocity is not yet determined


  • All organizations must have certification by the end of 2025
  • 15 Prime acquisitions by end of 2021 (L3)
  • Primes will be required to flow down requirements to subs
  • Contracts will start expecting CMMC at renewal in coming years

What can FITS do for you?

FITS has deep experience with government and commercial security and compliance requirements including Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), and National Institute of Standards & Technology (NIST)/Risk Management Framework (RMF). FITS is a 3PAO accredited by A2LA to conduct FedRAMP Audits.

  • CMMC Gap Analysis & Advisory Services
    • FITS is currently conducting multiple CMMC gap analyses and providing recommendations on remediation activities to allow organizations to get a head-start on being compliant.
  • Coming Soon: CMMC Audit
    • FITS is currently in the process of becoming a CMMC Third Party Auditing Organization (C3PAO). We are closely following the CMMC-AB as the certification process for C3PAOs matures so that FITS can start conducting CMMC audits.

Contact us: