Cybersecurity Maturity Model Certification
CMMC is a program developed by the Department of Defense (DoD) to clearly define cyber protection standards for companies in the defense industrial base (DIB). It is meant to enable DIB companies to meet evolving threats and to safeguard information supporting the DoD. The purpose of CMMC is to protect federal contract information (FCI) and controlled unclassified information (CUI) by creating an IT infrastructure standard for all DoD contractors to abide by.
CMMC Program
The CMMC program includes certification requirements administered by the CMMC Accreditation Body (CMMC AB). The CMMC-AB is responsible for vetting and certifying individuals and organizations that will have authority to perform assessments, training, and development of training materials within the CMMC framework.
On November 4, 2021, the DoD announced CMMC 2.0. The new version simplifies and streamlines the framework from five levels of certification to three levels. It also now aligns its requirements with the existing NIST 800-171 (for Levels 1 & 2) and 800-172 (for Level 3) guidelines while eliminating unique CMMC 1.0 requirements.
The implementation of CMMC requirements is divided into four phases. Phase 1 begins on November 10, 2025, when applicable solicitations will require Level 1 or 2 self-assessments. Phase 2 begins November 10, 2026, when applicable solicitations will require Level 2 Certifications. Phase 3 begins November 10, 2027, when applicable solicitations will require Level 3 Certifications. Phase 4 begins November 10, 2028, when all solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. When fully implemented, it is expected that more than 300,000 contractors will need to meet the CMMC Level 1 requirements, more than 80,000 will need to meet the CMMC Level 2 requirements, and more than 1,500 will need to meet the CMMC Level 3 requirements.
PROCAS and CMMC
At PROCAS, cybersecurity is of the utmost importance. SOC 2 Type 2 audits are performed annually by an independent audit firm. Once the CMMC was announced in late 2019, the PROCAS executive team took the initiative to have our environment evaluated against the published CMMC standards, and to implement enhancements to our policies, procedures and processes to meet CMMC requirements. We expanded the scope of our annual SOC 2 Type 2 audits to expand audit activities to also encompass CMMC requirements.
These standards are continually assessed and updated to meet the needs of CMMC protocol. As a third-party provider of accounting software for government contractors, we believe it is important to hold ourselves to the same standard of cyber security as our clients.
PROCAS was awarded a CMMC Level 2 Certification in 2025 after an independent assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO). By securing this status early, PROCAS joins an elite group, representing the first fraction of 1% of the 80,000 companies expected to seek a CMMC Level 2 certification, underscoring our proactive commitment to federal security standards.