CMMC and UK Cyber Essentials: defense cyber baselines
Guide - Defense and government cyber baselines
Two government-backed cyber baselines now condition access to defense and public-sector supply chains on either side of the Atlantic: CMMC 2.0 (Cybersecurity Maturity Model Certification) on the US side, governing the Defense Industrial Base under the DoD (Department of Defense), and Cyber Essentials plus its audited tier Cyber Essentials Plus on the UK side, governing access to UK government contracts under NCSC governance via the IASME Consortium. Both are corporate cybersecurity assurance schemes, not product cybersecurity regimes. They target the contractor's information system, its handling of sensitive information, and its operational practices. For electronics manufacturers and integrators with exposure to defense or government supply chains, missing either of these baselines closes access to entire categories of contracts, regardless of product compliance. This guide maps the two schemes, their levels, the assessment routes, and the recurring scoping pitfalls.
CMMC 2.0: the US Defense Industrial Base baseline
The DIB (Defense Industrial Base) is the network of US and allied contractors and subcontractors supporting the DoD across hardware, software, services, and research. It includes prime contractors, suppliers of components and subsystems, integrators, and a long tail of small specialised suppliers. CMMC 2.0 is the framework that conditions cybersecurity assurance for any DIB participant handling federal information.
Regulatory anchor: 32 CFR Part 170 and DFARS 252.204-7021
CMMC 2.0 was published in 32 CFR Part 170 with an effective date in December 2024. The contracting clause that makes a CMMC level a condition of award is 48 CFR / DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. The clause is being phased into DoD solicitations through 2027, with priority on contracts involving CUI on key acquisition programmes.
Two distinct categories of federal information drive scope:
- FCI (Federal Contract Information): information provided by or generated for the government under a contract, not intended for public release; broad applicability across the contractor base.
- CUI (Controlled Unclassified Information): information that requires safeguarding under federal law, regulation, or government-wide policy, but is not classified. Examples include design data on military systems, controlled technical data, export-controlled information under ITAR / EAR.
The level required by a given contract depends on which of FCI or CUI the contractor processes.
Level 1, Foundational
CMMC Level 1 applies to contractors handling FCI only, with no CUI in scope. It covers 15 basic safeguarding practices derived from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These practices include:
- access control basics (identifying and authenticating users, limiting access to authorised users),
- media protection basics (sanitising media before disposal),
- physical protection of facilities and equipment,
- system and communications protection (boundary protection),
- system and information integrity (malware protection, security alerts handling).
Assessment is by annual self-assessment with affirmation by a senior official, no third party involved. The result is recorded in SPRS (Supplier Performance Risk System), the DoD's central scoring repository for contractor risk.
Level 2, Advanced
CMMC Level 2 applies to contractors handling CUI. It covers the 110 practices of NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, published in February 2020. These practices are organised across 14 families:
- access control,
- awareness and training,
- audit and accountability,
- configuration management,
- identification and authentication,
- incident response,
- maintenance,
- media protection,
- personnel security,
- physical protection,
- risk assessment,
- security assessment,
- system and communications protection,
- system and information integrity.
Each practice carries a weight (1, 3, or 5 points) in the NIST SP 800-171 scoring model, with a maximum SPRS score of 110 when all practices are fully implemented.
Assessment is differentiated:
- For prioritised acquisitions (typically contracts involving CUI on critical programmes), assessment is by a C3PAO (CMMC Third Party Assessor Organization) accredited by the Cyber AB (CMMC Accreditation Body). A successful assessment yields a CMMC Level 2 certificate valid for three years.
- For non-prioritised acquisitions, assessment is by self-assessment with senior official affirmation, recorded in SPRS, valid for one year.
The split is set in the contract; the contractor does not choose the route.
Level 3, Expert
CMMC Level 3 applies to contractors handling CUI on the most sensitive DoD programmes. It adds a subset of NIST SP 800-172 practices on top of the Level 2 baseline. NIST SP 800-172, Enhanced Security Requirements for Protecting CUI (published February 2021), provides 35 enhanced practices; CMMC Level 3 selects approximately 24 of them.
Assessment is by the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), the DoD's own assessment arm. There is no third-party route at Level 3, and certification is valid for three years.
POA&M and conditional certifications
A POA&M (Plan of Action and Milestones) is permitted under CMMC 2.0 on a limited set of practices, provided:
- the assessment score meets the threshold (typically 80% of the maximum, with constraints on which practices are eligible),
- critical practices (those carrying weight 5 in the SPRS scoring model) are not on POA&M,
- POA&M items are closed within 180 days of the assessment.
The contractor receives a conditional certification that becomes final on closure of all POA&M items. A POA&M item left unremediated past the 180-day window invalidates the conditional certification and triggers re-assessment. POA&M lifecycle management is the most operationally sensitive aspect of CMMC compliance, especially for organisations with thin internal cybersecurity teams.
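To make the scoring model and the POA&M conditions above concrete, here is an added Python example (not from the guide, the DoD or NIST). It computes an SPRS-style score for a constructed set of practices and applies the three POA&M conditions exactly as this section states them: 80% of the maximum score, no weight-5 practice on the POA&M, closure within 180 days. It assumes the subtractive scoring of the DoD assessment methodology (start at 110 and subtract the weight of every practice not fully implemented), which the guide describes only by its weights and maximum; the practice identifiers, weights and dates are constructed sample values, not the real NIST SP 800-171 weighting table.

```python
"""SPRS-style score and POA&M eligibility check for a CMMC Level 2 file.

Added example, not part of the guide. Assumptions (labelled):
- Subtractive scoring: a fully implemented set scores 110, and every practice
  that is not fully implemented subtracts its weight (1, 3 or 5) from 110.
- POA&M rules as the guide states them: score at or above 80% of 110 (88),
  weight-5 practices may not be on the POA&M, items close within 180 days.
- Practice identifiers and weights below are constructed sample data.
  Practices not listed are treated as implemented.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
POAM_THRESHOLD = MAX_SCORE * 80 // 100   # 88, integer arithmetic on purpose
POAM_WINDOW_DAYS = 180
CRITICAL_WEIGHT = 5


@dataclass(frozen=True)
class Practice:
    ident: str          # constructed label, not a real NIST SP 800-171 number
    weight: int         # 1, 3 or 5 points
    implemented: bool   # True only when fully implemented


def sprs_score(practices):
    """Start at 110 and subtract the weight of each unimplemented practice."""
    for p in practices:
        if p.weight not in (1, 3, 5):
            raise ValueError(f"{p.ident}: weight must be 1, 3 or 5")
    return MAX_SCORE - sum(p.weight for p in practices if not p.implemented)


def poam_assessment(practices, assessed_on):
    """Apply the three POA&M conditions and return the resulting status."""
    score = sprs_score(practices)
    gaps = [p for p in practices if not p.implemented]
    critical_gaps = [p.ident for p in gaps if p.weight == CRITICAL_WEIGHT]
    return {
        "score": score,
        "threshold": POAM_THRESHOLD,
        # only non-critical gaps may sit on the POA&M
        "poam_items": [p.ident for p in gaps if p.weight != CRITICAL_WEIGHT],
        "critical_gaps": critical_gaps,
        "conditional_eligible": score >= POAM_THRESHOLD and not critical_gaps,
        "poam_deadline": assessed_on + timedelta(days=POAM_WINDOW_DAYS),
    }


def certification_status(assessment, today, closed):
    """Track the conditional certificate: 'final', 'conditional' or 'void'.

    closed: set of POA&M item identifiers already remediated.
    """
    if not assessment["conditional_eligible"]:
        return "not eligible"
    open_items = [i for i in assessment["poam_items"] if i not in closed]
    if not open_items:
        return "final"                      # all items closed
    if today > assessment["poam_deadline"]:
        return "void"                       # past 180 days: re-assessment
    return "conditional"


# Constructed sample: three non-critical gaps, everything else implemented.
SAMPLE = [
    Practice("AC-01", 5, True), Practice("AC-02", 5, True),
    Practice("IA-01", 5, True), Practice("AU-01", 3, False),
    Practice("CM-01", 3, True), Practice("MP-01", 1, False),
    Practice("SC-02", 1, False), Practice("SI-01", 5, True),
]

# Same sample but with one weight-5 practice missing: not POA&M-eligible.
SAMPLE_CRITICAL_GAP = SAMPLE[:-1] + [Practice("SI-01", 5, False)]

if __name__ == "__main__":
    a = poam_assessment(SAMPLE, date(2025, 3, 1))
    print(a)
    print(certification_status(a, date(2025, 6, 1), closed={"AU-01"}))
    print(certification_status(a, date(2025, 9, 1), closed={"AU-01"}))
```

The deadline is computed from the assessment date, so a file that tracks POA&M closure dates can flag the void condition ahead of time rather than discovering it at re-assessment.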
SPRS and the existing NIST 800-171 self-assessment
The SPRS (Supplier Performance Risk System) is the DoD's central repository for contractor risk information, including the NIST SP 800-171 self-assessment score required since 2020 under DFARS 252.204-7012 and 252.204-7019 / 7020. A DIB contractor handling CUI has typically already filed a self-assessment score in SPRS.
CMMC Level 2 builds directly on that foundation: the 110 practices are identical and the scoring model is the same; only the assessment route changes (self-assessment alone from 2020 to 2024, formal certification by a C3PAO or DIBCAC under CMMC where the contract requires it). An organisation with a high existing SPRS score and documented evidence has a materially shorter lead time to Level 2 certification.
CMMC cost: what to expect
Cost varies by company size, scope of CUI handling, existing security posture, and assessment route (self-assessment versus C3PAO versus DIBCAC). The DoD published cost estimates in the final rule at 32 CFR Part 170, broken down by level, assessment type, and assessment cycle (initial, affirmation, surveillance). Pilot data points exist from C3PAO assessments conducted in 2024 and 2025, but vary widely. Refer to the published DoD cost estimates rather than to vendor-published figures, which often reflect a narrow scoping case.
UK Cyber Essentials: the UK baseline
The UK equivalent regime is structurally simpler: a single scheme with two tiers (basic and Plus), built on five prescriptive technical controls, administered through a single accreditation body since 2020.
Regulatory and institutional anchor: NCSC and IASME
The scheme is owned by the NCSC (National Cyber Security Centre), the UK government's technical authority on cybersecurity (part of GCHQ). Operational delivery and accreditation of assessors is run by the IASME Consortium, designated by the NCSC as sole accreditation body for Cyber Essentials in 2020 (it had previously been one of several). IASME accredits a network of certification bodies, which in turn employ or contract IASME-certified assessors authorised to deliver Cyber Essentials and Cyber Essentials Plus assessments.
Mandatory scope for UK government contracts
Cyber Essentials has been required for many UK central government contracts since 2014, particularly those involving:
- handling of personal information,
- handling of sensitive information,
- provision of ICT services or products.
The MOD (Ministry of Defence) requires Cyber Essentials in many of its supply chain contracts, with Cyber Essentials Plus mandatory in the more sensitive tiers. Beyond government, Cyber Essentials is widely demanded by private buyers in regulated sectors (financial services, healthcare, critical infrastructure) and as a contractual prerequisite by large primes flowing down requirements to their suppliers.
Five technical controls
The scheme rests on five technical controls, defined prescriptively, not risk-based:
- Firewalls: every device must be protected by a correctly configured firewall (or equivalent network device); default administrative passwords changed; inbound services restricted to those required and authorised.
- Secure configuration: devices and software configured to reduce vulnerabilities; default accounts removed or renamed; unnecessary services disabled; auto-run disabled on removable media.
- User access control: user accounts assigned to authorised individuals only; administrative privileges granted only when required; multi-factor authentication on cloud services; password requirements aligned to NCSC guidance.
- Malware protection: anti-malware software, application allow-listing, or sandboxing; signatures updated; real-time scanning where applicable.
- Security update management: licensed and supported software; all security updates applied within the timescales defined by the scheme (typically 14 days from release for high or critical vulnerabilities).
The control set is updated periodically by NCSC and IASME (IASME labels each iteration with a named version and refreshes it periodically); manufacturers should check which scheme version is in force on the NCSC and IASME websites at the time of assessment.
Cyber Essentials, basic tier
The basic tier is granted on a verified self-assessment:
- The applicant completes the IASME questionnaire, mapping each of the five controls to the in-scope IT estate (corporate IT, BYOD where used for work, cloud services, end-user devices).
- The questionnaire is reviewed by an IASME-certified assessor.
- On favourable review, the certificate is issued and the organisation is listed in the IASME directory.
- The certificate is valid for 12 months and requires annual renewal.
The basic tier is structurally close to a declaration-based regime with documentary assessor verification. It does not include a hands-on technical audit.
Cyber Essentials Plus, audited tier
The Plus tier covers the same five controls but adds a hands-on technical audit by the IASME-certified assessor, typically including:
- external vulnerability scan of internet-facing assets, looking for known vulnerabilities and unpatched services,
- internal vulnerability scan of a representative sample of end-user devices,
- malware test (detonation of test files against the malware protection control, to verify it actually blocks them),
- browser and email client configuration test, verifying that defaults align with the scheme (no execution of unsigned scripts on email attachments, no auto-run of removable media, etc.).
Failure on any of the audit items, including a single unpatched browser on a sampled device, leads to non-issuance of the certificate until remediation. Plus is valid for 12 months and requires annual renewal.
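As an added example (not from the guide, NCSC or IASME), the following Python script applies the security update management control from the five controls (updates within 14 days of release, software still supported) to a constructed device inventory the way a pre-audit check for Plus would, and reproduces the all-or-nothing outcome described above: one failing sampled device fails the whole audit. The CSV columns, hostnames, software versions and dates are constructed; the 14-day window comes from the control as stated, while the split between "fail" (unsupported OS, update still missing past the window on the audit date) and "warn" (update applied, but outside the window) is this example's own choice.

```python
"""Pre-audit check for the Cyber Essentials security update control.

Added example, not part of the guide or of any NCSC/IASME tooling.
Assumptions (labelled):
- Security updates must be applied within 14 days of release and the OS must
  be vendor-supported, as the guide states the control.
- A device inventory exported as CSV with constructed columns:
  hostname, os, os_supported, browser, update_released, update_applied.
- A device with a "fail" finding fails the audit; "warn" is a process finding.
"""
import csv
import io
from datetime import date, datetime, timedelta

PATCH_WINDOW_DAYS = 14

# Constructed sample inventory: BYOD endpoints are in scope too.
INVENTORY_CSV = """hostname,os,os_supported,browser,update_released,update_applied
lap-001,Windows 11 23H2,yes,Chrome 130,2025-03-03,2025-03-05
lap-002,Windows 11 23H2,yes,Chrome 130,2025-03-03,
lap-003,Windows 10 21H2,no,Edge 129,2025-02-20,2025-02-25
lap-004,macOS 14,yes,Safari 17.6,2025-02-20,2025-03-20
byod-01,Android 12,yes,Chrome 130,2025-03-03,2025-03-10
"""


def parse_date(text):
    """Empty cell means the update has not been applied."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text.strip() else None


def load_inventory(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_device(row, audit_date):
    """Return a list of (severity, message) findings for one sampled device."""
    findings = []
    if row["os_supported"].strip().lower() != "yes":
        findings.append(("fail", f"{row['os']} is out of vendor support"))

    released = parse_date(row["update_released"])
    applied = parse_date(row["update_applied"])
    if released is not None:
        deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
        if applied is None:
            # Still unpatched: a fail only once the window has closed.
            if audit_date > deadline:
                overdue = (audit_date - deadline).days
                findings.append(("fail", f"{row['browser']} update overdue by {overdue} days"))
        elif applied > deadline:
            # Patched now, so the scan passes, but the 14-day process was missed.
            late = (applied - deadline).days
            findings.append(("warn", f"{row['browser']} update applied {late} days outside the 14-day window"))
    return findings


def run_check(csv_text, audit_date):
    """Map each sampled hostname to its findings."""
    return {row["hostname"]: check_device(row, audit_date) for row in load_inventory(csv_text)}


def audit_verdict(report):
    """Plus logic as the guide describes it: one failing sampled device fails the audit."""
    failed = any(sev == "fail" for findings in report.values() for sev, _ in findings)
    return "fail" if failed else "pass"


if __name__ == "__main__":
    report = run_check(INVENTORY_CSV, date(2025, 3, 24))
    for host, findings in report.items():
        print(host, findings or "ok")
    print("verdict:", audit_verdict(report))
```

Run against a real inventory export a few weeks before the Plus audit, which is the window in which the guide says patch management has to be tight; the "warn" findings are the ones to fix in the update process even when the devices would pass the scan on the day.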
IASME Cyber Assurance: the UK alternative to ISO 27001
For SMEs needing management-system level assurance without the cost and complexity of ISO 27001, IASME also operates IASME Cyber Assurance (formerly IASME Governance), a UK-developed standard aligned with, but more accessible than, ISO 27001. It is typically paired with Cyber Essentials: Cyber Essentials plays the role of a control-based subset of ISO/IEC 27001, and IASME Cyber Assurance plays the role of the management system.
CMMC and Cyber Essentials side by side
The two schemes share a common philosophy (corporate cybersecurity assurance gating access to government supply chains) but differ on structure:
| Criterion | CMMC 2.0 | Cyber Essentials / Plus |
|---|---|---|
| Jurisdiction | United States, DoD | United Kingdom, NCSC |
| Governance | DoD CIO, Cyber AB, C3PAOs, DIBCAC | NCSC, IASME Consortium (sole accreditation body since 2020) |
| Levels | L1 (Foundational), L2 (Advanced), L3 (Expert) | Cyber Essentials (basic), Cyber Essentials Plus (audited) |
| Reference framework | NIST SP 800-171 Rev 2 (L2), NIST SP 800-172 (L3 subset) | NCSC Cyber Essentials scheme, five controls |
| Assessment route | Self-assessment, C3PAO, or DIBCAC depending on level | Verified self-assessment (basic), audited (Plus) |
| Certificate validity | 3 years (L2 C3PAO, L3 DIBCAC), 1 year (self-assessment) | 12 months, annual renewal |
| Information type in scope | FCI (L1), CUI (L2, L3) | UK government contract information broadly |
| Contracting clause | DFARS 252.204-7021 | UK government supplier requirements since 2014 |
| Maturity model | Practices-based, prescriptive | Controls-based, prescriptive |
| Mutual recognition | None with non-US schemes | None with non-UK schemes |
| Adjacent management system | ISO 27001 supports evidence | ISO 27001 or IASME Cyber Assurance |
Neither scheme delivers reciprocity with the other. A US contractor with a CMMC Level 2 certificate cannot use that certificate to satisfy a UK Cyber Essentials requirement, and vice versa. An organisation operating on both sides of the Atlantic must obtain both schemes if it bids on contracts on both sides.
Cross-program considerations
A few framing points recur in practice and are worth surfacing explicitly, especially for electronics manufacturers and integrators.
ISO 27001 covers wider scope but does not satisfy CMMC or Cyber Essentials
ISO/IEC 27001 is the international management-system standard for information security. Its scope is broader (risk-based ISMS across the whole organisation) than either CMMC (specific control set on systems handling CUI) or Cyber Essentials (five prescriptive technical controls). A mature ISO 27001 ISMS:
- supports CMMC evidence collection on many of the 110 NIST SP 800-171 practices, especially in the risk assessment, security assessment, and incident response families,
- supports Cyber Essentials evidence collection on configuration management, access control, and update management,
- does not by itself deliver either certificate.
Cross-mapping tables exist between NIST SP 800-171 and ISO 27001 Annex A controls, but they are not formally recognised as reciprocity by the DoD or by IASME.
NIS 2 Directive and DORA: adjacent EU regimes
For organisations with EU exposure, two adjacent regimes overlap with CMMC and Cyber Essentials in scope of effort without delivering reciprocity:
- NIS 2 Directive (Network and Information Security Directive 2, EU Directive 2022/2555), in force since January 2023 and transposed nationally through 2024, applies to essential and important entities including some manufacturers and integrators in the digital infrastructure and ICT service sectors.
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), applicable since January 2025, applies to financial entities and their critical ICT third-party providers.
Both impose corporate cybersecurity assurance regimes structurally comparable to CMMC and Cyber Essentials, but with EU jurisdictional scope and their own assessment routes. A manufacturer touching multiple regimes faces a multiplied compliance overhead, with strong evidence-reuse opportunities but no formal reciprocity.
Product cyber versus corporate cyber
This is the single most frequent scoping confusion in the electronics manufacturing sector. CMMC, Cyber Essentials, and adjacent corporate cyber regimes (NIS 2, DORA, ISO 27001) are about the contractor's own IT and OT environment, not about the product delivered to the customer. They cover access control, audit logging, incident response, configuration management of corporate systems.
Product-side cybersecurity for radio-enabled and connected products is governed by a different set of regimes:
- in the EU, Radio Equipment Directive (RED) Article 3(3)(d), (e), (f) delegated acts, with harmonised standard EN 18031 applicable since August 2025 (covered in RED Article 3(3)(d-f) cybersecurity),
- in the EU, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), covered in Cyber Resilience Act (CRA),
- for industrial automation, IEC 62443 family of standards,
- for consumer IoT, ETSI EN 303 645, covered in EN 303 645 IoT cybersecurity,
- for cryptographic modules, FIPS 140-3, covered in FIPS 140-3 cryptographic modules,
- for higher-assurance product certification, Common Criteria (ISO/IEC 15408), covered in Common Criteria ISO 15408, and the French national scheme CSPN in CSPN ANSSI.
A defense supplier must address both axes: corporate cyber via CMMC and Cyber Essentials, plus product cyber via the applicable product-side regime. Conflating the two is the typical entry-level scoping error.
See also
- PSA Certified: Arm-led IoT security baseline
- SESIP: IoT platform security evaluation methodology
- TPM 2.0 and TCG hardware security
- Cyber Resilience Act (CRA): EU baseline for digital
Recurring pitfalls
Several errors recur in CMMC and Cyber Essentials projects led by electronics manufacturers and integrators.
- Confusing CMMC with product cybersecurity. CMMC governs the contractor's own corporate IT environment, not the product. Implementing IEC 62443 on a product line does not contribute to CMMC compliance, and vice versa.
- Missing or incomplete System Security Plan (SSP). The SSP is the foundational scoping document of any NIST SP 800-171 / CMMC Level 2 file. It defines the boundary of the in-scope environment, the data flows, the inventory of CUI assets, and the implementation of each of the 110 practices. A missing or weak SSP is the most common cause of assessment failure.
- POA&M items left to expire. A conditional CMMC certification becomes void if POA&M items remain unremediated at the 180-day deadline. Organisations underestimate the remediation effort and lose the conditional certificate, triggering full re-assessment.
- Cyber Essentials Plus failing on an unpatched browser. The Plus audit's browser and email client configuration test catches devices with outdated browser versions. A single non-conforming sampled device can fail the entire audit. Patch management on end-user devices must be tight in the weeks ahead of the audit.
- IASME assessor turnover causing re-assessment overhead. When the original IASME-certified assessor moves to another certification body or leaves the network, continuity of relationship is lost. Renewal at the same body is recommended where the assessor relationship is operationally critical.
- Scoping the in-scope environment too broadly or too narrowly. Too broad an SSP boundary multiplies the evidence burden across the whole organisation; too narrow risks excluding systems that touch CUI and invalidating the certification. Scoping reviews with experienced consultants in the months ahead of assessment pay off heavily.
- Assuming a high SPRS score guarantees CMMC Level 2 certification. The SPRS self-assessment uses the same 110 practices but a less rigorous evidence standard than a C3PAO assessment. A score of 105 in SPRS does not guarantee a passing C3PAO assessment if evidence on the underlying practices is thin.
- Treating ISO 27001 as a substitute. Neither scheme accepts ISO 27001 as equivalent. ISO 27001 supports evidence collection but does not deliver the certificate. Organisations with ISO 27001 still need to undergo CMMC and Cyber Essentials separately.
- Missing renewal cycles. Cyber Essentials and Plus expire annually; CMMC Level 2 and Level 3 expire after three years. Letting either expire breaks contract eligibility. Renewal must be planned three to six months ahead of expiry.
- Underestimating BYOD scoping for Cyber Essentials. Bring-your-own-device endpoints used for corporate email or VPN access are in scope of Cyber Essentials. Many organisations discover this late and find that BYOD devices fail the technical controls (unmanaged firewalls, unsupported OS versions).
Key takeaways
- CMMC 2.0 is the US DoD baseline for the Defense Industrial Base, anchored in 32 CFR Part 170 (effective December 2024) and DFARS 252.204-7021 (phased through 2027). Three levels: L1 Foundational (15 practices from FAR 52.204-21, self-assessment), L2 Advanced (110 practices from NIST SP 800-171 Rev 2, C3PAO or self-assessment depending on contract), L3 Expert (subset of NIST SP 800-172, DIBCAC assessment).
- Cyber Essentials is the UK baseline under NCSC governance via the IASME Consortium (sole accreditation body since 2020), based on five technical controls (firewalls, secure configuration, user access control, malware protection, security update management). Required for many UK government contracts since 2014.
- Cyber Essentials Plus adds a hands-on technical audit (vulnerability scans, malware test, browser/email configuration test) by an IASME-certified assessor.
- Both schemes are about the contractor's corporate IT environment, not the product. Product cybersecurity is governed elsewhere: RED Article 3(3)(d-f), CRA, IEC 62443, EN 303 645, FIPS 140-3, Common Criteria.
- ISO 27001 supports evidence collection in both schemes but delivers no formal reciprocity.
- No mutual recognition between CMMC and Cyber Essentials. A transatlantic supplier needs both.
- POA&M under CMMC 2.0 allows a conditional certification provided items are remediated within 180 days; expiry voids the certification. Critical practices are not POA&M-eligible.
- Renewal: 12 months for Cyber Essentials and Plus, 3 years for CMMC Level 2 (C3PAO) and Level 3 (DIBCAC). Renewal planning must start months ahead.
- For a wider regulatory map of cybersecurity certifications, see Cyber Resilience Act (CRA), EN 303 645 IoT cybersecurity, FIPS 140-3 cryptographic modules, Common Criteria ISO 15408, CSPN ANSSI, RED checklist, and the Glossary for definitions.
Sources & references
- CMMC 2.0 Program, 32 CFR Part 170, Office of the Federal Register, www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170
- DFARS 252.204-7021, Contractor Compliance with the CMMC Level Requirement, Defense Acquisition Regulations System, www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirement
- NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems, National Institute of Standards and Technology, csrc.nist.gov/pubs/sp/800/171/r2/final
- NIST SP 800-172, Enhanced Security Requirements for Protecting CUI, National Institute of Standards and Technology, csrc.nist.gov/pubs/sp/800/172/final
- NCSC Cyber Essentials scheme, National Cyber Security Centre, www.ncsc.gov.uk/cyberessentials/overview
- IASME Consortium, Cyber Essentials delivery partner, IASME Consortium, iasme.co.uk/cyber-essentials/
- DoD CIO, CMMC Program Resources, Department of Defense Chief Information Officer, dodcio.defense.gov/CMMC/