Cybersecurity Maturity Model Certification

An Introduction to the CMMC and who it applies to.


Hello. I’m Thomas Coke, Chief Strategy Officer of BitLyft Cybersecurity. This is the first of a series I’ll be posting, and to begin I’m going to spend some time talking about the new CMMC. You may have read a bit about this or you may have leapt feet first into assessing where you stand, but if you do business with the Department of Defense you’ll have to address this in the coming years.

What is the CMMC?

The CMMC, or Cybersecurity Maturity Model Certification, is a certification procedure developed by the Department of Defense to certify that contractors working with the department have the necessary controls to protect sensitive data. Specifically, this data is called Controlled Unclassified Information, or CUI. As part of our first blog on this topic we’ll be providing some definitions and information on what CUI is, why it’s important, and how it’s used.

What do I need to know about CMMC?

There are seventeen (17) specific domains within the certification, leading to five (5) levels ranging from basic hygiene to state-of-the-art security. Most of those I’ve spoken with anticipate being within Level III. We’ll be posting about what those levels mean and what it will take to be in each level in the near future.

While the CMMC is based upon DFARS and the NIST standards already in place, it does differ in one key way: there is no self-certification. In other words, you will be required to obtain certification through a third-party assessment organization, or 3PAO. The first of these will come online in May of 2020. Another thing to bear in mind is that certification and compliance do not mean security, just that you have appropriate measures in place.

Moving forward

In our next blog and video we’ll dive deeper into specific topics relating to the CMMC. We will also be keeping up on any important changes. For now, the first posts will be on what the CMMC is (in more depth). Additionally, we will talk about what you’ll have to do now and what you’ll have to do in the future. With each blog post we’ll be shooting some short videos.

Thanks for reading. Remember, this is the first in a series, and I hope you’ll come back for the rest. Connect with me on LinkedIn to see them when they post. In the meantime check us out at or on our LinkedIn page. If you’d like to connect directly my email is Have a great day!


About the Author

Thomas Coke


Thomas Coke is the Chief Strategy Officer of BitLyft Cybersecurity. He has a JD from Michigan State University College of Law, a BA in Economics from Kalamazoo College and has years of experience in technology startups with a few successful exits. He can be reached at and on LinkedIn at