Weston Solutions, Inc. has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2, confirming our ability to protect Controlled Unclassified Information (CUI) in support of U.S. Department of Defense (DoD) programs.
We’re among the first 1% of DoD contractors to earn CMMC Level 2 certification.
What Does This Mean For Clients?
Cybersecurity Maturity Model Certification (CMMC) is the DoD program designed to verify that contractors and subcontractors have implemented required cybersecurity measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC requirements are now being phased into DoD solicitations and contracts through the Defense Federal Acquisition Regulations Supplement (DFARS), including key clauses such as DFARS 252.204 7021.
CMMC Level 2 is the DoD standard for safeguarding CUI. It’s aligned to National Institute of Standards and Technology (NIST) SP 800‑171 Rev. 2, which requires contractors both implement these safeguards and demonstrate they are operating effectively through the appropriate assessment pathway (self‑assessment or an independent C3PAO assessment, based on contract requirements).
CMMC has moved from “planning” to “execution.” The DoD’s acquisition rule took effect on November 10, 2025, launching a phased rollout of CMMC requirements across DoD contracts.
Weston pursued certification early so clients and teaming partners can move forward with confidence when cybersecurity requirements are a condition of award.
CMMC requirements are entering contracts. Weston is already Level 2 certified.
CMMC status is maintained based on the assessment type and includes ongoing affirmations of continuous compliance. Level 2 certifications have a 3‑year cycle that includes annual self-assessment affirmations.
Yes. CMMC requirements can flow down to subcontractors based on the type of information being processed, stored, or transmitted.
The required level is specified by the government in the solicitation and resulting contract.
CMMC is a DoD program, but the underlying controls and expectations often influence broader federal and regulated supply chains that require disciplined protection of sensitive information.
