[ANSWERED] What is CMMC 2.0?

If you work within the Defense Industrial Base (DIB), you’ve likely heard rumblings surrounding “CMMC”. What does that even mean? Well, let’s start by defining that CMMC stands for the Cybersecurity Maturity Model Certification.

So, why have you heard of it?

CMMC is an assessment standard designed to ensure that defense contractors comply with current cybersecurity requirements. This way, the DoD can ensure its contractors are protecting sensitive defense information.

The DoD expects the program will go into effect in late 2023. At that point, CMMC will begin showing up in contracts. Whether organizations handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), they will need to achieve CMMC compliance.

However, it’s worth mentioning that the rulemaking deadline continues to receive delays. The truth is that there have been multiple versions of CMMC already…even though it’s not officially published. If you were to read this blog post in 2021, the information provided would’ve been completely different than what it contains today. Back then, we would’ve been referring to CMMC v1.0 and/or v1.2. Yet, the current CMMC version is 2.0.

Anyway, CMMC 2.0 compliance has 3 main objectives at its core:

  • Protect sensitive defense information from cyber-attacks and nation-state actors

  • Create a unifying cybersecurity standard for defense contractors

  • Ensure accountability for defense companies that are responsible for protecting government data

So what is CMMC 2.0? What are the certification levels, and who needs to become certified? Let’s take a deep dive into what CMMC 2.0 is and what it means to be CMMC-compliant.

Overview

The DIB is frequently the target of complex cyberattacks. This is why cybersecurity is a top priority for the Department of Defense (DoD).

To protect ingenuity and national security information in the US, the DoD developed something called the Cybersecurity Maturity Model Certification program. Often abbreviated as CMMC, the program reinforces the importance of DIB cybersecurity for safeguarding the information that supports and enables the military.

So what is CMMC?

The CMMC program is a system of cybersecurity rules that aligns with the DoD’s requirements for DIB partners. Its purpose is to enforce the protection of sensitive unclassified information shared with contractors and subcontractors.

The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.

The CMMC 2.0 program has three key features…

  • A tiered model

  • Assessment requirements

  • Implementation through contracts

Tiered Model

CMMC requires companies entrusted with national security information to implement cybersecurity standards. These standards come in progressively advanced levels, depending on the type and sensitivity of the information. 

The program also sets forward the process for requiring the protection of information passed down to subcontractors.

Assessment Requirement

CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.

Implementation Through Contracts

Once a contractor or subcontractor implements CMMC standards, certain DoD contracts require it to achieve a particular CMMC level as a condition of contract award. If it doesn’t meet this level, it will not receive the contract with the DoD.

The CMMC Compliance Levels

CMMC 2.0 has three levels of compliance. This is much simpler than the 5 levels of CMMC 1.2. Version 2.0 does this by cutting the old levels 2 and 4, which were originally developed as transition levels.

The new CMMC 2.0 levels distinguish themselves from one another based on the type of information DIB companies handle.

Level 1 (Foundational)

Level 1 applies to companies that focus on the protection of Federal Contract Information, or FCI. It is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information.

The 6 FAR 52.204-21 families are…

  • Access Control

  • Identification and Authentication

  • Media Protection

  • Physical Protection

  • System and Communication Protections

  • System and Information Integrity

These controls aim to protect covered contractor information systems and limit access to authorized users.

Level 2 (Advanced)

Companies that deal with CUI should be compliant with CMMC level 2. This level is comparable to CMMC 1.0’s level 3.

Level 2 will mirror NIST SP 800-171.

All practices and maturity processes that used to be unique to CMMC 1.0 are now gone. Instead, level 2 aligns with the 14 control families and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect CUI.

The 14 NIST 800-171 Families are…

  • Access Control

  • Media Protection

  • Awareness and Training

  • Personnel Security

  • Audit and Accountability

  • Physical Protection

  • Configuration Management

  • Risk Assessment

  • Identification and Authentication

  • Security Assessment

  • Incident Response

  • System and Communications Protection

  • Maintenance

  • System and Information Integrity

Level 3 (Expert)

Level 3 focuses on reducing the risk of Advanced Persistent Threats, or APTs. This level is for companies working with CUI on the DoD’s highest-priority programs.

The DoD is still determining the specific security requirements for level 3. That said, it has indicated that the requirements will consist of NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls, for a total of 130 controls.

These 130 controls will align with the same 14 control families in NIST 800-171, with the 20 additional controls coming from NIST 800-172.

Who needs CMMC certification?

By 2026, most defense contractors conducting work for the DoD will need to achieve CMMC certification. The exception is those dealing in Commercial Off The Shelf (COTS) products.

The level of certification you need will depend on the requirements spelled out in your contract.

Companies that have FAR 52.204-21 in their contract and handle only FCI will need to achieve CMMC Level 1. FAR 52.204-21 is a subset of DFARS requirements. These companies don’t need third-party certification. Instead, the contractor must specify the people, technology, facilities, and external providers within its environment that process, store, or transmit FCI. The government will require companies to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in the FAR clause.

Companies that have a DFARS 7021 clause in their contract and handle CUI will need to achieve CMMC level 2. All organizations seeking level 2 will need to self-assess every year and pass a formal assessment by an accredited C3PAO or certified CMMC Assessor once every three years.

Companies handling the most sensitive information will need to achieve CMMC Level 3, or “expert”, compliance. These companies will have DFARS 7021 clauses in their contract. To achieve level 3, they will need to meet the security requirements specified in NIST SP 800-171 along with a subset of the requirements specified in NIST SP 800-172. These companies will need to pass a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit to achieve compliance.

Conclusion

If you read this far, you likely work for a defense contractor looking to start your CMMC compliance journey.

A good place to start is by looking into how you should meet the 110 controls in NIST 800-171.

Don’t procrastinate. Preparation to meet these controls can take up to 18 months, and the DoD will only do business with CMMC-certified businesses in 2026.

If you are a defense contractor or plan to seek DoD contracts in the future, the time to get started is now.