AG Grace Is A CMMC-AB Registered Provider Organization.

Click here to view CMMC-AB Town Hall  December 2020

Click here to view CMMC-AB Podcast  January 2021

Click here to view CMMC-AB Town Hall February – March 2021

RPO RegisteredTR

AG Grace, Inc’s Registered Practitioners have been in the security risk assessment  and audit industry for many years, in addition to being certified registered practitioners through CMMC-AB, they hold Certified Information System Auditor (CISA),  Certified Information System Security Professional Certifications (CISSP), Certified Risk and Information Systems Control (CRISC)  and Cyber Security Audit Certifications (CSA).  

They are trained in the CMMC Basic Methodology, are bound by the CMMC Professional Code of Conduct and can provide targeted CMMC awareness.  

They are ready to help you prepare for the CMMC- ML-1 through ML-5.  

If you are a FEDERAL CONTRACTOR then you know that….

Federal agencies routinely generate, use, store, and share information that, while not classified, still requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, contractual protections, or other reasons.

The Controlled Unclassified Information (CUI) Program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies. The National Institutes of Standards and Technology (NIST) released SP 800-171r2 and provides federal agencies with a set of recommended security requirements for protecting CUI when such information is resident in nonfederal systems and organizations.

Federal Contract Information (FCI) means any information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the Government but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. 

What is CMMC?  A unified cybersecurity standard for future DoD Acquisitions that consists of 17 Domains that have been taken from the Federal Information Processing Standards (FIPS) Publication 200 and the security control families from NIST SP 800-171 rev2, it also includes the 3 additional domains and includes 5 processes across five levels to measure process maturity levels.

The CMMC model framework organizes processes and cyber security best practices into a set of domains

The CMMC levels and the associated sets of processes and practices across domains are cumulative.  In order for an organization to achieve a specific CMMC level it must also demonstrate achievement of the preceding lower levels.   As a result the CMMC levels can also be characterized by their focus.

Level 1 –  Safeguard Federal Contract Information (FCI)

Level 2 –  Serve as a Transition step in cybersecurity maturity progression to protect CUI

Level 3 –  Protect Controlled Unclassified Information (CUI)

Level 4-5 – Protect CUI and reduce risk of Advanced Persistent Threats (APTs

Cybersecurity Models help organizations

  • Provide services for their customers without interruption;
  • Protect sensitive customer and proprietary information; and
  • Comply with laws and regulations that govern their operations.
  • Provides a structure for organizations to baseline current capabilities in cybersecurity workforce planning, establishing a foundation for consistent evaluation
  • Management tool for leadership in identifying opportunities for growth and evolution



Why do you need a cybersecurity maturity model?

So that you can evaluate your Organizations current level of cyber hygiene via your processes, practices, methods and goals to achieve a secure environment in order to business with the DoD and to eliminate risk factors that can affect Cost, Schedule and Performance.

What type of Data do you process?    FCI, CUI or Both?

Which CMMC Maturity Level is Right for your Organization?

CMMC Level




Data Type

CMMC Level 1

Level 1 requires that an organization performs the specified practice. Because the organization may be able to perform these practices only  in  an ad-hoc manner and may or may not rely  on documentation, process maturity is not assessed for Level 1.


Basic Cyber Hygiene

Federal Contact Information (FCI) Level 1 focuses on the protection of FCI and consists only of practices that correspond to the  basic safeguarding  requirement specified in 48 CFR 52.204-21.

CMMC Level 2

Level 2 requires that an organization establish  and document practices and policies to guide the implementation of their CMMC efforts. The  documentation of practices enables individuals to perform then in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented. 


Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the subset of the security requirements  specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

Level 3 requires that an organization establish , maintain and resource a plan demonstrating the management of activities for practice implantation. The plan may include information on mission, on missions, goals, project plans, resourcing required training, and involvement of relevant stakeholders.


Good Cyber Hygiene

 Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252 204-7012 applies and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level  are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis. 



Level 4 focuses on the protection of CUI from APT’s and encompasses a subset of the enhanced security requirements from Draft NIST St 800-1718 as well as other cybersecurity best practices. This practices enhance the detection and response capabilities of the organization to address and adapt to the changing tactics, techniques, and procedures(TTP’s) used by APT’s. 

CMMC Level 5

Level 3 requires an organization to standardize and optimize process implementation across the organization.


Advanced / Proactive

 Level 5 focuses on the protection of CUI from APT’s. The additional practices increase the depth and sophistication if cybersecurity capabilities.

How Can My Organization Get Ready For CMMC?

To get started on the path to compliance, companies need to determine if they are handling FCI or CUI. Once they determine where they are and what type of information they are handling, they should determine the gaps between where they are and where they want to be and create a POAM for how to get to where you are supposed to be.


Contact Us

Fill out my online form