The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense framework that certifies a defense contractor's cybersecurity posture against tiered control sets, with the assessment performed by an accredited third-party assessment organization (a "C3PAO") and the certification gating the contractor's eligibility to bid on or perform Department of Defense contracts that involve Controlled Unclassified Information (CUI). The framework as of the current rollout has three certification levels — Level 1 (foundational, self-attestation for Federal Contract Information), Level 2 (advanced, third-party assessment for CUI, aligned to NIST SP 800-171), and Level 3 (expert, government-led assessment for the most sensitive CUI workloads). Level 2 certification is the most operationally consequential because it is the gate for the majority of CUI-handling DoD contracts and is the level at which third-party assessment first applies.
From a customer-success and testimonial-wall perspective, a CMMC certification is structurally different from the commercial-compliance milestones covered elsewhere in this series, including SOC 2, ISO 27001, HIPAA, PCI DSS, and FedRAMP. The structural difference is that CMMC operates within the U.S. defense acquisition regulatory regime — the Defense Federal Acquisition Regulation Supplement (DFARS) and the underlying CUI marking and dissemination rules — rather than within a commercial or healthcare regulatory regime. The defense regime imposes constraints on what a vendor may publicly disclose about a customer's CMMC posture, what wording may be used in marketing materials, and how the customer's defense-prime relationships may be referenced. A vendor that treats CMMC like a commercial-compliance milestone is at risk of producing testimonial content that violates DFARS clauses, exposes CUI markings, or compromises the customer's standing with its DoD program offices.
This guide separates the CMMC certification timeline into four phases, explains what changes for the testimonial wall in each phase, and provides per-phase playbooks. The phases are structured around the readiness assessment, the formal C3PAO assessment, the certification award, and the post-award maintenance period.
The four phases of a CMMC certification
A CMMC certification, from the start of formal readiness work to the issuance of the certification by the C3PAO, typically runs 12 to 24 months for first-time Level 2 certification and 6 to 12 months for re-certification on the standard three-year cycle.
Phase 1: Readiness assessment and gap remediation. The customer engages a registered practitioner organization or internal team to conduct a readiness assessment against the 110 NIST SP 800-171 controls. The assessment produces a System Security Plan (SSP), a Plan of Action and Milestones (POA&M) document, and a remediation roadmap. The phase typically runs 6 to 12 months and is characterized by intensive control implementation work — multifactor authentication on all CUI-touching systems, FIPS-validated encryption, audit logging, incident response procedures, and configuration management.
Phase 2: Formal C3PAO assessment. The customer engages a CMMC Third-Party Assessment Organization to conduct the formal assessment. The assessment is conducted on-site or remotely against the certification level's control set and includes interviews, document review, and technical testing. The assessment results in either a recommendation for certification, a conditional certification (limited POA&M permitted at certain control points), or a finding of non-certification. The phase runs 4 to 12 weeks from kickoff to draft report.
Phase 3: Certification award and DoD acquisition system entry. The C3PAO submits the assessment results to the Cyber Accreditation Body, which issues the formal CMMC certificate. The certificate is recorded in the Supplier Performance Risk System (SPRS), making the contractor's CMMC status discoverable by DoD contracting officers. The certification award marks the transition from readiness work to operational use of the certification as a contract-bidding credential.
Phase 4: Three-year maintenance and surveillance. The CMMC certification is valid for three years, with an annual self-attestation requirement for Level 2 and a more rigorous government-led surveillance for Level 3. During the maintenance period, the customer must sustain the assessed control implementations and report any cybersecurity incidents that may affect the certification's continued validity.
Each phase has its own testimonial-wall risks. The biggest mistake is to treat CMMC like a commercial-compliance milestone and produce testimonial content that violates DFARS marking rules or that compromises the customer's CUI handling posture.
Per-phase playbook for the testimonial wall
Phase 1: Readiness assessment and gap remediation
During the readiness phase, the customer is in active control-implementation work and the formal CMMC posture is undetermined. The testimonial wall faces a premature-claim risk during this phase.
First, do not publish testimonials that imply the customer is "CMMC certified" or "CMMC compliant" before the formal certificate is issued. The CMMC framework reserves the term "certified" for contractors that have received the formal C3PAO assessment recommendation and the corresponding CyberAB certificate. A testimonial that claims certification during the readiness phase is at risk of being inaccurate and, in the DoD contracting context, of being construed as a false statement on contracting documents.
The remediation is to use readiness-accurate language. Acceptable phrasings include "the customer is preparing for its CMMC assessment," "the customer has implemented the NIST SP 800-171 control framework in advance of its CMMC assessment," or "the customer's cybersecurity posture aligns with the CMMC Level 2 control requirements." None of these phrasings claim a certification that has not yet been issued.
Second, do not reference specific DoD prime contractors or program offices in testimonial copy unless the customer has explicit written authorization. DFARS includes clauses that restrict a subcontractor's right to publicize its relationship with a prime contractor or with a specific DoD program. A testimonial that names the customer's defense-prime relationships ("Customer X provides cybersecurity services to Prime Y on Program Z") may violate the underlying contracting clauses and expose both the vendor and the customer to remediation requirements from the prime or the program office.
The remediation is to keep defense-relationship references generic in the absence of explicit authorization. "The customer serves the U.S. defense industrial base" or "the customer supports Department of Defense missions" are generally permissible; "the customer is a subcontractor to Lockheed on the F-35 program" generally is not, except where the customer has confirmed in writing that the specific reference is permitted by its prime-flowdown clauses.
Third, audit existing testimonials for CUI exposure. Some pre-CMMC testimonials may include details about the customer's data-handling architecture or its specific defense workloads. The remediation is to review the testimonials and remove any content that could be construed as identifying CUI or as describing controls in sufficient specificity to assist a threat actor. The audit is most efficient when conducted jointly with the customer's CMMC consultant or assessor.
Phase 2: Formal C3PAO assessment
During the formal assessment phase, the certificate has not yet been issued and the C3PAO is actively evaluating the customer's controls. The testimonial wall faces an assessment-outcome risk during this phase.
Assessment-outcome risk. The C3PAO assessment may result in a recommendation for certification, a conditional certification (with a POA&M for limited gap items), or a finding of non-certification. A testimonial that anticipates a positive outcome before the assessment is complete is at risk of misrepresentation if the outcome differs.
The remediation is to defer assessment-outcome testimonials until the C3PAO has submitted its final report. Pre-report testimonials should describe the customer's pre-assessment posture in present-perfect-tense control-implementation language ("the customer has implemented..."), not in future-tense outcome language ("the customer will be certified...").
Queue Phase 3 testimonial-collection prompts. The most productive moment for testimonial collection on CMMC is the moment the certificate is recorded in SPRS, because the recording makes the certification publicly verifiable and gives both the customer and the vendor a definitive reference point.
Phase 3: Certification award and DoD acquisition system entry
The certification award is the moment at which the customer can be accurately described as "CMMC certified at Level X." The testimonial wall faces a verification-and-reference risk during this phase.
Verification anchoring. The CMMC certificate is recorded in SPRS, which is the authoritative source for the contractor's CMMC status. Testimonials that reference the certification should anchor to the SPRS record (the certificate identifier and the certification date) rather than to internal customer communications, vendor marketing materials, or press releases. The SPRS anchor is the most verifiable reference and is the source a DoD contracting officer would consult.
Reference structure. The CMMC certification testimonial should include: the certification level (Level 1, Level 2, or Level 3), the certification date, the C3PAO that performed the assessment, and the customer's defense-industrial-base posture in generic terms (e.g., "a Tier 2 defense supplier"). The level and date are the operationally relevant data points for prospects evaluating the vendor.
Avoid scope-creep claims. A common testimonial mistake is to imply that the CMMC certification covers a broader scope than it actually does — for example, claiming "all of Customer X's systems are CMMC certified" when only the CUI-handling systems are in scope. The remediation is to constrain testimonial copy to the actual certified scope: "the customer's CUI-handling systems are CMMC Level 2 certified" rather than "the customer is CMMC certified."
Phase 4: Three-year maintenance and surveillance
During the maintenance period, the customer must sustain the assessed controls and the certification is valid only as long as the maintenance is in good standing. The testimonial wall faces a continuity-claim risk during this phase.
Continuity-claim risk. A CMMC certificate has an expiration date and may be revoked or suspended if the customer experiences a material cybersecurity incident or fails the annual self-attestation. A testimonial that implies the certification is permanent is at risk of being inaccurate over time. The remediation is to include the certification date in the testimonial copy and to refresh the copy on a roughly annual cadence with the customer's confirmation that the certification remains in effect.
Incident-disclosure interaction. Under DFARS 252.204-7012, a defense contractor must report cybersecurity incidents to the DoD within 72 hours of discovery. The reporting is a separate process from CMMC, but a vendor that has published testimonials about the customer's cybersecurity posture should be alert to the possibility that a disclosed incident may make prior testimonial claims about the customer's "robust" or "best-in-class" cybersecurity look inaccurate in hindsight. The remediation is to use posture-descriptive language ("certified at CMMC Level 2," "operating the assessed control set") rather than evaluative language ("the most secure," "industry-leading") that incident disclosures can retroactively undermine.
Cross-cutting considerations
Three cross-cutting considerations apply across all phases.
Consideration 1 — CUI marking discipline. Any testimonial content that touches the customer's CUI handling — even at a high level — should be reviewed for CUI marking implications. The CUI program has formal marking categories (CUI//SP-SR for source selection, CUI//SP-PROC for procurement, etc.) and inadvertent disclosure of category-specific content can require formal remediation. The general rule is to keep testimonial content at the architectural and control-framework level rather than at the workflow or data-content level.
Consideration 2 — flowdown clause compatibility. The DFARS cybersecurity clauses flow down from prime contractors to subcontractors at multiple tiers. A vendor's testimonial about a Tier 3 subcontractor may interact with the flowdown clauses imposed by the Tier 2 prime and the Tier 1 prime above that. The conservative posture is to seek customer review of all CMMC-related testimonial copy before publication and to incorporate any prime-imposed redaction requirements.
Consideration 3 — international subsidiary handling. Some defense contractors have non-U.S. subsidiaries that do not handle CUI and are not in CMMC scope. Testimonials about the customer's CMMC certification should be precise about which legal entities are certified and should avoid implying that the parent group as a whole is in scope when only a U.S. subsidiary is.
Putting it together
A CMMC certification is one of the highest-value testimonial moments in the defense industrial base because the certification is structurally hard to obtain, is third-party verifiable through SPRS, and is a direct gate to a multi-billion-dollar DoD addressable market. The high value justifies the per-phase playbook discipline described above. Vendors that treat CMMC as a routine commercial-compliance milestone produce testimonial content that is at risk under DFARS, the CUI marking rules, and the prime-flowdown clauses; vendors that follow a phase-aware playbook produce testimonial content that captures the value of the milestone without inheriting the regulatory risk.
For related defense and government-sector compliance milestones, see the FedRAMP authorization guide, which covers federal civilian cloud authorizations with a parallel phase structure, and the SOC 2 audit guide, which covers the commercial-sector analog and the cross-walk between commercial and defense control frameworks. For broader best-practices on the testimonial wall, see how to verify testimonial authenticity.