The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the United States Department of Defense (DoD) must obtain at least a Maturity Level 1 certification under this program.
WHO IS IMPACTED BY CMMC
Organizations that are part of the Defense Industrial Base (DIB) and who handle Federal Contract Information and/or Controlled Unclassified Information (CUI). By FY 2026, any organization that wishes to bid on a DoD contract that contains FCI and/or CUI is expected to be assessed for their cybersecurity maturity under CMMC. This means that over 350,000 organizations plus subcontractors will fall under the CMMC ecosystem.
THE CMMC ECOSYSTEM
CMMC is a complex ecosystem with many different types of organizations participating. Below is a list of the major types of organizations you will see participating
ORGANIZATIONS SEEKING CERTIFICATION
Any organization that plans on being a DoD supplier in FY 2026 and beyond is an OSC. These organizations will be preparing for their assessments and will want both authorized and informal training to help them get ready. At this time, it is estimated that there are over 350,000 OSCs across the globe
LICENSED TRAINING PROVIDERS
The CMMC-AB LTP program is designed for providers of education and training services such as colleges, universities, online schools, professional schools, internal corporate training departments, or any direct to consumer learning providers.
Only LTPs will be able to deliver Authorized CMMC training that will allow students to test for their CMMC Certifications.
LICENSED PARTNER PUBLISHERS
Logical Operations is one of only several LPPs that can offer you authorized content to conduct CMMC training. LTPs are required to use content from an LPP to conduct their training. Non-LTPs can use our unofficial CMMC content to run CMMC trainings that do not map to any certification but are still valued by OSCs
CERTIFIED 3RD PARTY ASSESSMENT ORGANIZATIONS
C3PAOs will be conducting the CMMC assessments and assigning maturity levels to the OSCs so that they may continue to provide goods and services to the DoD.
C3PAOs will also require training from LTPs to certify before they can begin assessing OSCs.
CMMC contains 17 different domains encompassing 171 different security practices. The majority of the practices (110) come from safeguarding and security requirements across all 5 Maturity Levels.