Get started on your CMMC compliance journey so you can continue doing business with the Department of Defense.


The Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards that organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD). It is designed to protect controlled unclassified information (CUI) shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation Through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle controlled unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC 2.0

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter.
  • Dynamically enhance DIB cybersecurity to meet evolving threats.
  • Ensure accountability while minimizing barriers to compliance with DoD requirements.
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
  • Maintain public trust through high professional and ethical standards.

The CMMC program will require compliance for all contractors currently doing business or who want to do business with the Department of Defense. More than 80,000 contractors will also require a third-party CMMC assessment and certification as part of their maturity level and handling of SUI.


  • I.T. Service Providers
  • Accountants
  • Consultants
  • Manufacturers
  • Manufacturing Supply Chains
  • Landscaping Services
  • Janitorial Services
  • And More…

Identify your desired Maturity Level to bid on DoD contracts (below) and then schedule your pre-assessment gap analysis with us. If you are unsure of your required Maturity Level, we will help you identify it. Together, we will evaluate your current network against NIST SP 800-171 and CMMC requirements and identify evidence for auditors. Our certified consultants will also help you develop your System Security Plan (SSP) and Plan-of-Action & Milestones (POAM). When the SSP and POAM requirements have been met, you will be compliant and ready to receive your assessment/certification!


The Department of Defense (DoD) will publish a comprehensive cost analysis associated with each level of CMMC as part of their rulemaking process. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to:

  • Streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes.
  • Allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments.
  • Increase oversight of the third-party assessment ecosystem.

For updates on the rulemaking process and cost analysis, please reference


March 10, 2022 | CMMC

CMMC 2.0 Updates

WHAT IS CMMC 2.0? The Cybersecurity Maturity Model Certification (CMMC) was introduced by the U.S. Department of Defense (DoD) on January 31, 2020 to ensure the protection of sensitive unclassified information or controlled unclassified information
March 3, 2021 | CMMC

What is a CMMC RPO?

Throughout 2020, the U.S. Department of Defense released details surrounding the Cybersecurity Maturity Model Certification (CMMC) requirements for companies in the defense industrial base (DIB). These new consolidated cybersecurity requirements are driving suppliers and contractors to dedicate time,
February 18, 2021 | CMMC

The Greentree Group is a CMMC-AB Registered Provider Organization (RPO)

We are now a Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) authorized by the CMMC-AB. This new achievement solidifies our position as a leader in CMMC compliance solutions and services meant to protect


Our cybersecurity experts can perform a comprehensive gap analysis and determine your current SPRS score, as well as work with you on a plan to resolve any areas of non-compliance. As a full-service I.T. firm and the leading CMMC-AB Registered Provider Organization (RPO) in the area, we can also implement solutions to address gaps so you are both compliant and ready for CMMC certification.


We conduct a thorough gap analysis and compare your current network with NIST SP 800-171 and CMMC requirements. This reveals areas to address for compliance.


We prepare a System Security Plan (SSP) and Plan-of-Action & Milestones (POAM) for you based on the gap analysis. This serves as documented evidence to show you're working toward compliance.


We help you implement POAM action items. The solutions can vary -- from something as simple as implementing multi-factor authentication to updating your I.T. infrastructure.


Back To Top