CMMC Services
If your organisation works with - or plans to work with - the U.S. Department of Defense, understanding and preparing for CMMC is essential. This certification is quickly becoming a requirement, and your ability to win contracts may depend on achieving the right cyber security maturity level.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a cyber security framework developed by the U.S. Department of Defense (DoD) to strengthen the protection of sensitive information across the supply chain. It introduces mandatory certification for certain contractors, ensuring that they are not only meeting cyber security standards, but that those standards have been externally validated.
If your organisation is working on US DoD contracts that involve sensitive data, CMMC is fast becoming a non-negotiable requirement.
Why CMMC matters
Much like the Defence Industry Security Program (DISP) here in Australia, CMMC was put in place to protect the U.S. DoD supply chain, ensuring that contractors uphold strong cyber security standards and practices.
By requiring robust cyber security practices, CMMC helps mitigate the risk of data breaches for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
CMMC adds a layer of accountability through self-assessment and/or third-party certification, thereby ensuring compliance is maintained.
Since the 10th of November 2025, the DoD has been introducing CMMC requirements into new contracts through a phased rollout. Therefore, it’s important that any businesses that are supplying to the U.S. DoD (or aspiring to) are aware of what will be required from a security perspective.
Who needs CMMC?
If your organisation is an Australian company (or any non-US entity) that is part of the U.S. DoD supply chain, such as a subcontractor or supplier to a prime on DoD programs, you may be required to meet CMMC requirements. For example:
- Organisations handling Federal Contract Information (FCI) may require CMMC Level 1.
- Organisations handling Controlled Unclassified Information (CUI) will typically require CMMC Level 2.
- Contractors supporting high-sensitivity programs may require CMMC Level 3.
Please note: Not all Level 2 contracts require third-party certification. Some allow self-assessment, depending on the sensitivity of the work.
CMMC maturity levels

CMMC requirements rollout timeline
The following timeline of CMMC requirements is based on the update released by the DoD on the 10th of November 2025:
- From November 2025: Level 1 and Level 2 (self-assessment) requirements begin appearing in contracts.
- From November 2026: Level 2 third-party certifications become more widespread.
- From November 2027: Level 3 assessments begin for select contracts.
- By 2028: Implementation is expected across all DoD contracts.
Businesses already working with CUI must continue to meet all DFARS and NIST SP 800-171 security obligations; these requirements remain mandatory regardless of which CMMC level applies.
How De Stefano & Co can help
Expert strategy and advice
Our expert team - which includes a CMMC Registered Practitioner (RP) - can help you to determine whether CMMC applies to your organisation, identify which maturity level you should target, and explain how the certification affects your contract pipeline. Our guidance can align CMMC requirements with your broader security and commercial objectives.
Detailed gap analysis
Our team conducts comprehensive gap analyses against the requirements of CMMC Levels 1, 2, or 3, using best-practice frameworks drawn from NIST SP 800-171. We can identify deficiencies, prioritise remediation activities, and develop a tailored roadmap to improve your cyber security posture.
DISP membership alignment
For organisations who hold DISP membership, we can map your existing DISP maturity against CMMC obligations. This helps minimise duplication, reduce cost, and leverage your DISP-aligned documentation, processes, and controls toward CMMC readiness.
Assessment preparation
We can support your team in gathering evidence, preparing documentation, and strengthening internal processes to meet audit expectations. Whether your assessment is a self-assessment, C3PAO audit, or DoD-led review, we will ensure you are well-prepared.
Ongoing compliance support
Compliance doesn’t end at certification. We provide ongoing advisory services, continuous monitoring support, and updates on changes to DoD requirements, DISP, or NIST standards to keep your organisation contract-ready over time.
Why choose De Stefano & Co?
- We have deep expertise across Australian and US cyber security frameworks, and we’re #1 in DISP membership attainment and compliance services, nationwide.
- Our team has over 250 years of combined Defence and defence industry experience working in Defence Primes, Managing Contractors and SMEs, giving us an unrivalled understanding of the defence industry and its compliance expectations.
- We’re a trusted source of defence security education and guidance to Government, academia, industry associations and their members across Australia.
- We provide tailored, independent and impartial advice, ensuring that our clients’ best interests ALWAYS come first.
- De Stefano & Co were named 2025 Cyber Business of the Year at the Australian Defence Industry Awards.