Cybersecurity Maturity Model Certification (CMMC)

Cotton & Company has the necessary expertise to assist the U.S. Defense Industrial Base (DIB) sector in enhancing its cybersecurity posture within the multi-tier supply chain to ensure compliance with Cybersecurity Maturity Model Certification (CMMC) requirements.

CMMC Mission Statement

The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.


About the Cybersecurity Maturity Model Certification (CMMC)

The CMMC is a new cybersecurity requirement for protecting controlled unclassified information, applicable to all defense contractors. The CMMC will require a level of cybersecurity maturity based on the risk rating of the contract with DoD.

CMMC Services


CMMC Readiness Assessment Services
  • To achieve CMMC certification, DIB partners and contractors must assess the as-is and to-be states of their cybersecurity environment to gauge their current level of information security, identify and track risks more effectively, and prioritize information security and system procurement needs.
  • Cotton & Company performs pre-assessments to assist our clients in identifying corrective actions related to CMMC and implementing the required cybersecurity controls.

We assist clients in implementing new requirements, including developing policies and procedures and acting as a liaison between client management and their selected Certified Third Party Assessor Organization (C3PAO).

Assessment Support Services

Gary Barton, Practice Lead


Certified Third Party Assessor Organization (C3PAO) Candidate

Cotton & Company is now a Certified Third Party Assessor Organization (C3PAO) candidate. We are following the CMMC Accreditation Body processes to become an authorized C3PAO to be able to perform assessments for organizations seeking certification (OSC). We are currently ready and able to assist DIB partners and contractors with their CMMC readiness efforts.

Loren Schwartz, Partner

What can you do now to get ready for CMMC?

• Speak with the contracting officer of your DoD contract(s) to determine target CMMC level
• Review the CMMC Model and Assessment Guides
• Perform a self-assessment to identify gaps against the CMMC standard
• Create a roadmap to remediate plans of action and milestones (POA&M)

Recent CMMC Related News


Gary Barton




Loren Schwartz




Paul Lionikis

Director of Outreach

Client Testimonials

“Cotton & Company was able to help us quickly identify key CMMC gaps that will help us make strategic decisions in line with CMMC compliance. They conducted a comprehensive assessment of our current processes and environment, and provided useful insights throughout the engagement. The project was completed on time and within budget, and the Cotton team was extremely professional and easy to work with. I highly recommend Cotton & Company for any CMMC related work!”
Adnan Malik
Partner at Dignari LLC