What is CMMC Compliance? (Ultimate Guide)

Srividhya Karthik

Mar 31, 2023


Your organization’s data is perhaps your most valuable asset, and protecting its security, confidentiality, and integrity is key to keeping your organization safe. The need to protect information becomes even more pronounced when you work with the United States Department of Defense (DoD). Compliance with the Cybersecurity Maturity Model Certification (CMMC) program, developed by the DoD, is therefore key to demonstrating your ability to handle DoD data securely.

If you are a service provider for the DoD or a sub-contractor to one of the DoD’s prime contractors or are going to enter the Defense Industrial Base (DIB) sector, then CMMC certification will be a prerequisite. Here’s a lowdown on the CMMC compliance program, its asks, and the way to go about it.

What is CMMC?

The CMMC is a unified cybersecurity framework developed by the US Department of Defense to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at every step across the DoD’s supply chain. CMMC draws heavily from the security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171.


The CMMC program standardizes the asks for cybersecurity practices and helps the DoD determine the extent of cyber protection practices organizations have incorporated. CMMC compliance, therefore, provides the DoD assurance that its contractors and sub-contractors meet its cybersecurity requirements and have the wherewithal to protect sensitive DoD data.

It also helps organizations that constitute the DIB assess their current security posture, identify security gaps, optimize their processes, and maintain cyber hygiene per DoD’s requirements.

But before we proceed further, let’s quickly understand some of the oft-used terms.

The Defense Industrial Base (DIB) comprises the companies that contribute to the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. DoD figures show that 300,000+ companies supply services within the Defense Industrial Base.

Federal Contract Information (FCI) constitutes information provided by, or generated for, the US Government under contract and not intended for public release.

Controlled Unclassified Information (CUI) is any information that requires safeguarding or dissemination controls per laws, regulations, and government-wide policies (outside of exclusions – such as information classified under some Executive orders or any other information classified under other rules).

Who needs CMMC Certification?

CMMC certification is for organizations that handle or work with DoD information. The required compliance level depends on the type of information the organization is privy to. For instance, if the organization handles only non-classified DoD information, it may need only a Level 3 certification or below. A Level 4 certification or higher is needed if it handles high-value information. An interesting aside here – these classifications are project-based.


All defense contractors will be required to have a CMMC certification. This includes: 

• Small businesses

• Contractors that do or do not possess CUI or FCI

• Subcontractors

• Commercial contractors

Note that CMMC applies only to DoD contracts, and not all US government contractors. 

To become CMMC certified, companies must implement and pass an external CMMC assessment carried out by authorized and accredited CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs must be accredited by the Cyber AB (formerly CMMC Accreditation Body). Check their marketplace for a list of accredited C3PAOs.

During the assessment, organizations must produce documented evidence for the required processes and practices, and demonstrate the necessary capabilities.

Successful assessments result in the issuance of CMMC certificates to the DIB organization at an appropriate maturity level. Wondering what the levels of maturity are? We’ve covered that in the later section.

CMMC compliance requirements will appear in all contracts starting in the fiscal year 2026. This means DoD contractors will need to comply in order to bid on such work.


Domains, Practices, and Maturity Levels

The CMMC model framework organizes processes and cybersecurity best practices into 17 domains. Each domain consists of processes that span five levels of cybersecurity maturity. Additionally, each domain contains one or more capabilities spanning the five levels. And, for any given capability, organizations must demonstrate one or more practices (171 in total). 

Capability Domains 

Each domain comprises processes and capabilities across the five levels of CMMC. The 17 domains are shown in the figure below.

[Figure: the 17 CMMC capability domains]

Processes, Practices & Maturity Levels

Processes and practices in CMMC depend on the organization’s maturity levels in terms of the type of DoD information it handles.

Here’s a quick overview of the CMMC maturity levels, and the processes, practices, and focus of each, in the figure below.

[Figure: CMMC maturity levels with their processes, practices, and focus]

These aren’t mere checkboxes but should be seen as processes or activities ingrained in an organization’s operations. The following section details the CMMC maturity levels.

What are CMMC Certification Levels?

The CMMC framework defines five cybersecurity maturity levels against which DoD contractors and subcontractors are assessed to determine the extent and maturity of their information systems’ cybersecurity processes and practices.

This breakdown makes it easier for organizations to achieve the minimum cybersecurity standards required per their risk profile (based on the type of sensitive information handled). 

Here are the 5 CMMC certification levels:

Level 1: Basic Cyber Hygiene 

Level 1 defines the minimum level of cyber hygiene required to protect FCI. It includes 17 practices derived from NIST standards, and requires a performance-only approach to cybersecurity. It is the easiest of the five levels to achieve, and there isn’t any CMMC requirement to document security processes at this level. 

Practices, typically, can be defined as the specific technical activities that must be performed to showcase a specific level of cybersecurity maturity. 

Level 2: Intermediate Cyber Hygiene 

Level 2 is slightly more challenging than Level 1. It is, in essence, a mid-way transition point to managing CUI. It requires a total of 72 practices (55 additional along with the 17 from Level 1) to be demonstrated. Level 2 requires organizations to perform and document the processes, procedures, and cybersecurity policies.

Level 3: Good Cyber Hygiene 

This level requires adherence to 130 practices to showcase the protection of CUI. This is the minimum level needed to use, share, or handle CUI. Level 3 requires organizations to demonstrate that their cybersecurity processes are managed and documented. 

Level 4: Proactive Cyber Hygiene

Level 4 comprises 156 practices and indicates a reasonably advanced cybersecurity system. To achieve Level 4 certification, organizations must review and document activities as well as loop management into the entire process. The focus at Level 4 also shifts towards proactively defending against Advanced Persistent Threats (APTs), rather than only protecting CUI as in Level 3.

Level 5: Advanced & Progressive Cyber Hygiene

Level 5 includes 171 practices and is the highest level of CMMC compliance. Organizations with Level 5 certifications have an advanced and progressive cybersecurity system in place to protect CUI from APTs. A CMMC level 5 certification indicates that organizations can assess APTs and that their cybersecurity defenses are optimized and reviewed to thwart them. 


Note that these practices are not new, but rather are derived from Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, NIST SP 800-171 r1, and Draft NIST SP 800-171B. Each level also builds on the levels before it, so a Level 5 CMMC organization will also comply with all lower levels.

What’s changed in CMMC 2.0?

CMMC 2.0 is the most recent iteration (released in November 2021) of the cybersecurity maturity model by the DoD. Instead of the five levels in CMMC 1.0, it has streamlined requirements to three levels of cybersecurity – Foundational, Advanced, and Expert. 

[Figure: CMMC 1.0 vs CMMC 2.0 levels]

CMMC Level 1 (Foundational)

This level remains applicable to organizations with FCI only, and requires them to incorporate the same 17 basic safeguarding practices. Level 1 organizations don’t process or transmit CUI, and will have to self-certify annually that they comply with the 17 practices. The CMMC self-assessment should be completed using the CMMC Assessment Guide for the appropriate CMMC level.

Falsely certifying under Level 1 could result in fraud claims under the False Claims Act.

CMMC Level 2 (Advanced)

This level is applicable to companies that handle CUI and FCI. It is the same as Level 3 of CMMC 1.0 but with a reduced number of practices. It now includes 110 practices from NIST SP 800-171r2, and will require most organizations to undergo third-party assessments every three years. Some organizations, depending on the type of information, may need to demonstrate compliance through self-assessments.

Also, CMMC 2.0 will allow organizations to receive contract awards with a time-bound Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. 

CMMC Level 3 (Expert) 

This level combines the former CMMC 1.0 Levels 4 and 5, and is applicable for organizations that handle the highest priority programs with CUI. Similar to Level 2, organizations at Level 3 will also need to pass an assessment every three years.

The DoD has expressed that it does not intend to approve the inclusion of a CMMC requirement in any contract prior to the completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC 2.0 framework. The DoD’s estimate for completing that process is 9-24 months from November 2021.   

Start Preparing Now the Smart Way

While there isn’t much clarity on the timelines (the rule is expected in May 2023), that isn’t reason enough to pause preparations. Instead, it is time to streamline your organization’s processes and controls to achieve CMMC.

Sprinto is built to intelligently automate your cybersecurity compliance requirements. With its in-app integrated risk assessment and gap analysis, your journey with Sprinto needn’t end with completing the certification process. Sprinto also offers real-time continuous monitoring, a must-have for CMMC certification, which frees up your engineering leadership’s time to pursue the more productive growth needs of the organization.

You can add more cybersecurity frameworks such as SOC 2, PCI DSS, GDPR, ISO 27001 as your organization grows and build off the already-implemented security controls.  

Talk to us today to get the proper assistance in achieving CMMC compliance.

Srividhya Karthik

Srividhya Karthik is a Content Lead at Sprinto, where she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR, and more. She is a formidable authority in the domain and guides readers with expertise and clarity.
