Your organization’s data is perhaps your most valuable asset. Protecting its security, confidentiality, and integrity is key to keeping your organization safe. This need to preserve information becomes even more pronounced when you work with the United States Department of Defense (DoD), which requires Cybersecurity Maturity Model Certification (CMMC) compliance.
The CMMC ensures adherence to DoD cybersecurity standards and helps DoD contractors implement necessary cybersecurity practices.
Your compliance with the CMMC program is key to demonstrating your ability to handle DoD data securely.
If you are a service provider for the DoD or a sub-contractor to one of the DoD’s prime contractors or are going to enter the Defense Industrial Base (DIB) sector, then CMMC certification will be a prerequisite. Here’s a lowdown on the CMMC compliance program, its asks, and the way to go about it.
- CMMC compliance has three levels: level 1 focuses on basic hygiene, level 2 on intermediate to advanced cyber practices, and level 3 on comprehensive security practices and controls.
- To get CMMC certified, understand your level, appoint an officer, track CUI, develop a plan, mitigate risk, and continuously monitor.
- CMMC 2.0 reduces from 5 levels to 3, aligns better with NIST, allows annual self-assessment for Level 1 and some Level 2, and reduces complexity and costs while maintaining robust cybersecurity requirements.
What is CMMC compliance?
The Cybersecurity Maturity Model Certification, CMMC for short, is a unified cybersecurity framework developed by the Department of Defense, USA, to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at every step across the DoD’s supply chain.

The CMMC program standardizes the requirements for cybersecurity practices and helps the Department of Defense (DoD) determine the extent to which organizations have incorporated these practices. CMMC compliance, therefore, provides the DoD with assurance that its contractors and subcontractors meet its cybersecurity requirements and have the wherewithal to protect sensitive data.
It also helps organizations that constitute the Defense Industrial Base (DIB) assess their current security posture, identify security gaps, optimize their processes, and maintain cyber hygiene per DoD’s requirements.
Why is CMMC compliance crucial for organizations?
CMMC compliance is critical for winning defense contracts. More than a checklist, CMMC helps organizations become audit-ready, maintain government compliance, and build secure systems that meet the regulatory expectations of federal defense programs.
Its primary goal is to protect sensitive government information, including FCI and CUI, while also strengthening the security of the defense supply chain.
CMMC 2.0: What are the Key Updates?
CMMC 2.0 is the DoD’s most recent iteration (released in November 2021) of the cybersecurity maturity model. Instead of the five levels in CMMC 1.0, it has streamlined requirements to three levels of cybersecurity: Foundational, Advanced, and Expert.
These changes also promote clearer policy enforcement, making it easier for organizations to adopt and scale cybersecurity practices.
Who needs to comply with CMMC?
CMMC certification is for organizations that handle or work with DoD information. The compliance level depends on the type of information the organization is privy to. For instance, if the organization works with non-classified DoD information, it may only need a Level 3 clearance or below. A Level 4 clearance or higher is needed if it handles high-value information. An interesting aside here: these classifications are project-based.

All defense contractors will be required to have a CMMC certification. This includes:
- Small businesses
- Contractors that do or do not possess CUI or FCI
- Subcontractors
- Commercial contractors
CMMC applies only to DoD contracts, not all US government contractors.
To become CMMC certified, companies must implement the required practices and pass an external CMMC assessment conducted by authorized and accredited CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs must be accredited by the Cyber AB (formerly the CMMC Accreditation Body). Check its marketplace for a list of accredited C3PAOs.
During the assessment, organizations must produce documented evidence for the required processes and practices and demonstrate the necessary capabilities.
A successful assessment results in the issuance of a CMMC certificate to the DIB organization at the appropriate maturity level. Wondering what the maturity levels are? We cover them in a later section.
CMMC compliance requirements will appear in all contracts starting in the fiscal year 2026. This means DoD contractors will need to comply to bid on such work.
What are the different CMMC compliance levels?
The framework has three CMMC compliance levels, against which the DoD assesses its contractors and subcontractors on how well their systems safeguard sensitive government data. These assessments help determine the maturity and effectiveness of their cybersecurity practices.
Naturally, the reduction from five levels to three makes it easier for organizations to adopt the minimum cybersecurity requirements appropriate to the sensitivity of the data they handle.
Note: The previous five-level structure (Basic, Intermediate, Good, Proactive, and Progressive Cyber Hygiene) is no longer applicable. CMMC 2.0 focuses less on process maturity and more on actual implementation. And because each level builds on the ones below it, contractors pursuing Level 3 must also meet the complete requirements of Levels 1 and 2.
Here are the three current CMMC compliance levels:
CMMC Level 1 (Foundational)
This level remains applicable to organizations that handle FCI only and requires them to implement the same 17 basic safeguarding practices. Level 1 organizations don’t process or transmit CUI, and must self-certify annually that they comply with the 17 practices. The CMMC self-assessment should be completed using the CMMC Assessment Guide for the appropriate CMMC level.
Falsely certifying under Level 1 could result in fraud claims under the False Claims Act.
CMMC Level 2 (Advanced)
This level applies to companies that handle CUI and FCI. It is the same as Level 3 of CMMC 1.0 but with a reduced number of practices. It now includes 110 practices from NIST SP 800-171r2 and will require most organizations to undergo third-party assessments every three years. Depending on the type of information, some organizations may need to demonstrate compliance through self-assessments.
Also, CMMC 2.0 will allow organizations to receive contract awards with a time-bound Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements.
CMMC Level 3 (Expert)
This level combines the former CMMC 1.0 Levels 4 and 5, and applies to organizations that handle the highest priority programs with CUI. Similar to Level 2, organizations at Level 3 will also need to pass an assessment every three years.
The DoD has expressed that it does not intend to approve the inclusion of a CMMC requirement in any contract before completing the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC 2.0 framework. The DoD’s estimate for completing that process is 9-24 months from November 2021.
What are the CMMC Compliance requirements?
To comply with the CMMC framework, you have to implement a number of security practices based on your level. Level 1 includes 17 practices under six domains. To comply with Level 2, you have to implement 110 practices grouped under 14 domains.
All domains are listed below:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Asset Management (AM)
- Maintenance (MA)
- Security Assessment (CA)
- Awareness and Training (AT)
- Media Protection (MP)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Communications Protection (SC)
- Configuration Management (CM)
- Physical Protection (PE)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
- Recovery (RE)
- Situational Awareness (SA)
All DoD suppliers will have to be certified to the appropriate CMMC level to continue doing business with DoD under the mandated CMMC requirements. NSF-ISR was named one of the first C3PAO candidates to participate in the CMMC program.
Giles suggests that organizations start the CMMC process with a fundamental question: Does my organization have controlled unclassified information? CUI is information created or owned by the government that must be safeguarded and released only under proper, legal, and regulated controls; examples include parts for a new defense aircraft or specifications for military uniforms.
How to get CMMC compliant: the 10-step process
Getting CMMC compliant starts with determining your requirement level and appointing a compliance manager, and ends with continuous compliance monitoring. The end-to-end process requires time, effort, expertise, and dedication.
We spoke to our in-house auditors to summarize the CMMC compliance checklist to help you get started.
Step 1: Determine your requirement level
The controls applicable to your business depend on your organization’s maturity level. Each level builds on the previous one, so knowing the right one is critical.
Step 2: Appoint a compliance manager
Select someone to oversee the CMMC compliance activities. This person will collaborate with external stakeholders, develop the right policies to meet the organization’s objectives, ensure that all activities align with the CMMC checklist, and develop a timeline for each activity.
Step 3: Collaborate, communicate, and document
Understand the people, processes, and technologies in your infrastructure. Know who is responsible for handling which sensitive system and the systems in place to protect it. Coordinate with all functions to develop a unified channel to communicate compliance efforts. Document the roles of contractors and third-party stakeholders.
Step 4: Track the CUI flow within your systems
To protect CUI, you need to know where it resides and how it flows within your IT environment. Once identified, reduce its storage across endpoints to the fewest devices possible.
Reducing the CUI footprint means you have fewer endpoints to protect, which in turn helps you achieve compliance faster and reduce the cost. Once reduced, identify all systems and data processing CUI and create an inventory. Develop a network diagram to visualize data flow within and outside your organization’s perimeter.
Step 5: Develop an SSP and PoA&M
An SSP, or system security plan, documents the policies, processes, and measures you have adopted. It should include the selected controls and security practices you plan to implement. Review and update the SSP whenever you change a process, implement a new policy, or adopt a new technology.
Develop a Plan of Actions & Milestones (POA&M), a document to track the progress of your CMMC compliance checklist. It should include gaps found during the audit, corrective actions, and timelines for completing the action items.
Step 6: Conduct an internal assessment
Conduct a self-assessment to evaluate the progress and effectiveness of the implemented controls using the CMMC self-assessment guide. Develop a SAR (security assessment report) to document your findings and include suggested actions for improvement.
Step 7: Submit your documents to the SPRS
The Supplier Performance Risk System (SPRS) is a central repository of all CMMC documents. Submit your SSP, SAR, and POA&M to the SPRS. Also, share your self-assessment score to help the Department of Defense evaluate your posture and progress.
Step 8: Address and remediate existing risks
Use your self-assessment result to close existing gaps. Use the POA&M as a guide to implement the remaining controls and measures. Once you have remediated the risks, submit the SSP, SAR, and POA&M to the SPRS again. Now you have an updated score.
Step 9: CMMC certification
Connect with a CMMC 3rd Party Assessment Organization (C3PAO) to communicate your status and set a timeline. The C3PAO will evaluate your progress and create a detailed report of its findings.
Once the report is verified through the CMMC Assessment Process (CAP), it will be uploaded to the CMMC Enterprise Mission Assurance Support Service (eMASS) for further review by the DoD.
Step 10: Continuous monitoring
Your CMMC framework implementation does not end at certification. To maintain your certification, you must regularly update your training materials, review policies, update documents, and ensure that all controls and measures function as intended.
Apart from monitoring, you must conduct internal assessments and update the results to the SPRS to ensure compliance.
How much does implementing CMMC compliance cost?
Implementing CMMC compliance varies by maturity level: Level 1 costs $1,000 annually, Level 2 costs $25,000, and Level 3 costs around $50,000.
Here is a breakdown of CMMC Certification costs.
| Category | Details/Range |
|---|---|
| Gap assessment | $3.5k to $20k |
| Remediation | $35,000 to $115,000 |
| Audit | $20,000 to $40,000 |
| Consulting | $250 to $400 per hour |
| CUI enclave | $300 to $4,000 per month per user |
For more information, look at our compliance cost calculator and compliance effort calculator.
Preparing for CMMC with Sprinto
While there isn’t much clarity on the timelines (expected May 2023), that isn’t reason enough to pause your preparations. Instead, it is time to streamline your organization’s processes and controls to achieve CMMC.
Sprinto is built to automate your cybersecurity compliance requirements intelligently. With its in-app integrated risk assessment and gap analysis, your journey with Sprinto needn’t end with completing the certification process. Sprinto offers real-time continuous monitoring, a must-have for your CMMC certification, which frees up your engineering leadership’s time to pursue the organization’s more productive growth needs.
As your organization grows, you can add more cybersecurity frameworks, such as SOC 2, PCI DSS, GDPR, and ISO 27001, building on the already-implemented security controls.
Talk to us today to get the proper assistance in achieving CMMC compliance.
FAQs
Is the NIST standard the same as CMMC?
Not exactly. NIST 800-171 is a set of standards created by the National Institute of Standards and Technology (NIST), while CMMC is the process organizations go through to meet those standards. The differences get more detailed when you dive into the federal guidelines, but that’s the basic distinction.
What’s the difference between CMMC Level 2 and Level 3?
CMMC 2.0 Level 2 is pretty much the same as CMMC 1.02 Level 3, based on NIST SP 800-171. It includes all 14 domains and 110 security controls from CMMC 1.02 but removes the 20 unique Level 3 practices and processes specific to CMMC 1.02.
How much does CMMC certification cost?
CMMC certification costs vary depending on the organization’s size and the level of certification needed. They typically range from $3,000 to $60,000 and include factors like assessment fees, preparation, and potential remediation.
What is the difference between CMMC and NIST?
CMMC certifies DoD contractors with specific cybersecurity maturity levels, focuses on certifying compliance, and requires third-party assessments. NIST provides comprehensive cybersecurity guidelines, best practices, standards, and frameworks for various sectors, but generally relies on self-assessment.
How long does a CMMC assessment take?
A CMMC assessment typically takes several weeks, depending on the organization’s size and complexity. Preparation, documentation review, and the actual audit process contribute to the timeline, which can range from a few weeks to a couple of months.
Anwita
Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.