The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity controls across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. CMMC is a security controls framework designed to provide increased assurance to the DoD that a DIB contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

The CMMC framework is the DoD’s mechanism for incorporating select cybersecurity standards from a variety of sources, such as NIST SP 800-171 Rev. 1, FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), the draft of NIST SP 800-171B, CIS Controls v7.1, the CERT Resilience Management Model, and the UK NCSC Cyber Essentials, along with input from the DIB and other DoD stakeholders.

Essentially, the CMMC is a matrix organized into five levels. That matrix is composed of “Domains” (e.g. Access Control). Each Domain in turn consists of several “Capabilities” related to that Domain (e.g. Control Remote System Access). Finally, each Capability has multiple “Practices”. Which Practices apply depends on the CMMC level at which they are incorporated. Examples of Practices include “Restrict remote network access based on organizationally defined risk factors . . .” and “Establish an operational incident-handling capability for organizational system”.

Bottom line: CMMC compliance assures the DoD that its DIB contractors can protect sensitive information. A key component of this assurance is requiring that DIB contractors account for this security with their subcontractors. DoD contracting officials will check for compliance and review audit results.

Cybersecurity Maturity Model Compliance Explained

All DoD contractors should prepare for the implementation of the Cybersecurity Maturity Model Certification (CMMC). This page covers what CMMC is, how to prepare for CMMC certification, the CMMC framework, who needs to be CMMC compliant, and how to figure out what CMMC level is required for a contract.

What actions should DoD contractors take now?

Conduct a pre-assessment. Considering the potential impact on your business if you become ineligible for DoD awards due to non-compliance, it is especially prudent to conduct a pre-assessment to identify potential deficiencies as early as possible, giving you enough runway to remediate them. Engage contracting leadership regarding pending procurements you are interested in pursuing to determine what CMMC requirements may be included.


Begin preparing for CMMC certification

A first good step is to determine what level of CMMC (likely CMMC Level 1 or Level 3) will be most appropriate for the type of work you do for the DoD. Begin as early as possible to ensure you are well-positioned to bid on any work, particularly as prime contractors look to build their teams with subcontractors best positioned to win the work.

Pay particular attention to the process and documentation aspects of CMMC. While the controls are important, don’t overlook the process and documentation requirements. You can begin working on these early.

Consider your supply chain vulnerabilities and prepare. CMMC requirements will flow down through a contractor's supply chain. If a key teammate/subcontractor becomes ineligible to handle necessary information, the prime contractor may find itself in a difficult position. Incorporate steps like pre-assessments and other due diligence into your supply chain security vetting procedures.

Benefits of early preparation

Preparing early gives you as much runway as possible to remediate any vulnerabilities. This also allows you to spread out the cost and time required to do so. Finally, if any remediation action requires a complex solution that directly impacts your operations, you have more time to mitigate that cost.

What an organized DoD contractor is doing

Conduct pre-assessments and discovery to speed up the process. Conduct a NIST SP 800-171 self-assessment and determine how those results will help or hinder you in achieving your desired CMMC certification level. If you are a prime contractor, engage with potential subcontractors you may team with to develop a framework that ensures compliance across your entire team. If you are a subcontractor, engage with your primes in a similar way. When conducting your NIST SP 800-171 assessment, identify ways in which you may position your results as a competitive advantage over other subcontractors you are competing with.

CMMC Framework


Level 1

Perform.

This level requires compliance with 17 controls within CMMC. The focus here is safeguarding Federal Contract Information (FCI). FCI is information created or collected by or for the Government, and it also includes information received from the Government. At its heart, FCI is information that is “not intended for public release”. At this level there are no process or documentation requirements, making compliance less difficult.

Level 2

Document.

This level is essentially a transitional step between Level 1 and Level 3. In addition to a focus on FCI, Level 2 incorporates ‘intermediate’ practices to begin protecting Controlled Unclassified Information (CUI). CUI is information that is regularly stored, shared, and used by Federal agencies. This information is not classified; however, its nature requires a level of protection against unauthorized access. The reasons for that protection range from CUI's use in contractual protections, law enforcement, and privacy to other considerations.

Level 3

Manage.

This level focuses on the management of security activities related to implementing CMMC. At Level 3, contractors are required to have appropriate processes and documentation in place that demonstrate a cohesive plan for their CMMC compliance. Plans include items such as mission plans, stakeholder management, training requirements, and resource requirements, amongst other areas.

Level 4

Review.

This level focuses on reviewing your security performance and measuring its effectiveness. At this level, contractors should also be incorporating security governance at the executive level within their organization and making strategic and tactical moves to ensure a high degree of security. This level also focuses on countering potential attacks by Advanced Persistent Threats (APTs) against the organization. An APT is a sophisticated adversary that employs various Tactics, Techniques, and Procedures (TTPs) across attack vectors. APTs are focused on gaining unauthorized access to a target’s computer network and lying undetected, waiting to attack. They can be nation-state or state-sponsored groups whose goals are not necessarily monetary; their goals may also be political, societal, and/or economic disruption.

Level 5

Optimize.

At this level, an organization has standardized its security practices into everyday operations and is focused on continuous and regular improvement.

Who needs CMMC certification?

CMMC will apply to selected RFIs (requests for information) and RFPs (requests for proposal). We anticipate these to be relatively large awards at first, with all contractors in the supply chain expected to meet the stated CMMC compliance requirements at the time a contract is awarded.

How will I know what CMMC level is needed for a contract?

Each solicitation will detail the CMMC level required for performance.

When will CMMC compliance be required?

CMMC is expected to be fully rolled out to all new contracts by the end of 2025 (projected). At that point, these requirements will likely apply to all contractors in the DIB.

DIB contractors and their subs remain responsible for the implementation of cybersecurity standards. However, with the implementation of CMMC, third parties will now assess contractors’ compliance with specific CMMC levels as required. These third parties are certified by CMMC to conduct these assessments.

Until then, the DoD, specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment, will decide which solicitations will include the CMMC requirement and the new associated DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Eventually, all DIB contractors and subcontractors must obtain CMMC certification at some level (e.g. Level 1). CMMC certification requirements will flow down to subcontractors at all tiers, based on the sensitivity of the information they handle. Prime contractors may not award a subcontract before ensuring the required CMMC certification level has been met by that subcontractor.

What should a DoD contractor do next?

Be prepared.

Being prepared with a pre-assessment will best position a DoD contractor to respond with agility to any pending questions. Understanding your vulnerabilities will best equip you to deal with the uncertain road ahead.