What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) program is part of a government-led effort to protect the United States Defense Industrial Base (DIB) and the Department of Defense (DoD) supply chain from cyber threats, both foreign and domestic, and to raise the overall security posture of the sector. Achieving CMMC certification is a journey, not a destination: a certification reflects the state of your environment at the time of the assessment, not a permanent status. Once you achieve CMMC certification you must keep the required practices in place, and keep affirming them, in order to maintain it.

The CMMC framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department of Defense to verify the implementation of clear, well defined and documented cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, most DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award. Depending on the level, this is demonstrated either through a self-assessment with an affirmation of compliance by a senior company official, or through a third-party assessment.

The evolution to CMMC 2.0

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards


Key features and comparison of levels in CMMC 1.0 vs CMMC 2.0

Why does CMMC matter?

The theft of intellectual property and sensitive information across all industrial sectors through malicious cyber activity threatens both economic security and national security. Malicious cyber actors have targeted, and continue to target, the Defense Industrial Base and the supply chain of the Department of Defense. The DIB sector consists of over 300,000 companies that support the warfighter and contribute to the research, engineering, development, acquisition, production, delivery, sustainment, and operation of DoD systems, networks, installations, capabilities, and services.

What Should DoD Contractors Do to Prepare for a CMMC Audit?

Different CMMC levels require contractors to implement different sets of security controls, as outlined earlier in this guide. Contractors that have already fully implemented NIST SP 800-171 are well placed for CMMC Level 2, the level whose requirements are the 110 NIST SP 800-171 controls (this corresponded to Level 3 under the original CMMC 1.0 numbering).
However, if this has yet to be achieved, there are a number of options for contractors as they prepare for an upcoming CMMC assessment.

Outsourcing to a CMMC Registered Provider Organization (RPO)

For all but the largest of contractors, the appropriate course of action is to outsource preparation for CMMC certification to a qualified third party. In particular, engaging a Managed Service Provider (MSP) that holds Registered Provider Organization (RPO) status, with Registered Practitioners (RPs) on staff, gives contractors access to the required expertise. Note that an RPO advises and helps implement; it does not issue the certification. The certification assessment itself is performed by a Certified Third-Party Assessment Organization (C3PAO).

However, the responsibility ultimately remains with the contractor to meet the necessary cybersecurity standards. This is why contractors should think long and hard about which MSP/RPO they decide to hire.

Although it may be tempting to do everything in-house, outsourcing the process to a qualified MSP/RPO will likely save you both time and money.

Not only will they be able to pinpoint areas of weakness, but they will also know what assessors will be looking at. It is the best way to prepare for an upcoming CMMC assessment.

Implement NIST SP 800-171 Yourself

For contractors who possess the staff and resources, they may want to consider doing everything in-house.

Contractors can take advantage of the guidance in the Self-Assessment Handbook, NIST Handbook 162. It is a workbook compiled by the National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership to help DoD contractors assess their own NIST SP 800-171 implementation.

Be aware that this workbook is built around NIST SP 800-171 Rev. 1 and covers nothing beyond it, so it only helps with the 110 requirements that underpin CMMC Level 2 (Level 3 under the original CMMC 1.0 numbering).

For the enhanced security requirements of draft NIST SP 800-171B (since published as NIST SP 800-172), which apply at the highest CMMC level, things are more complex, as there is no comparable authorized workbook available.

If a contractor doesn’t have the knowledge or the resources available to implement these cybersecurity controls alone, they should consider outsourcing these tasks to a CMMC Registered Provider Organization with Registered Practitioners to do the heavy lifting.

These companies may also be able to perform a readiness (gap) assessment themselves and support contractors in tightening up any areas of weakness. Such an assessment is not a certification: the certification assessment must be conducted by a C3PAO.