What is CMMC Compliance?

The Cybersecurity Maturity Model Certification (CMMC) compliance framework is a set of standards that organizations must adopt if they want to participate in supply chain contracts with the United States Department of Defense (DoD).

The specifications set forth in the CMMC come from the National Institute of Standards and Technology’s Special Publication NIST 800-171 Revision 2, and are meant to limit security risks in the government sector.

CMMC includes authentication requirements for security controls that an organization must implement to protect information systems and Controlled Unclassified Information (CUI). It also includes other risk management and cybersecurity practices, such as incident response and continuous monitoring. CMMC also specifies whether an organization can self-attest to CMMC or whether it requires a third-party assessment by a CMMC-qualified security assessor.


Why is CMMC Compliance Important?

CMMC compliance is required to continue DoD supplier relationships, which may require the handling of Controlled Unclassified Information (CUI). CMMC compliance must be recertified on a recurring basis, as specified for the certification level. Non-compliance could result in the loss of valuable DoD contracts and leave a contractor exposed to cybersecurity weaknesses.

By the end of 2025, all contracts issued by the U.S. Defense Department will include a CMMC requirement. This means all government contractors (and subcontractors) will be required to meet Cybersecurity Maturity Model Certification compliance. That’s an estimated 300,000 to 500,000 vendors that will be affected, from lawn service companies to weapons manufacturers.

Furthermore, compliance protects your organization from suffering a loss that can have devastating financial repercussions. It can also assure that your business is well protected, boosting your organization’s credibility and instilling greater trust among customers and business partners.

CMMC Requirements at a Glance

There are five levels of CMMC certification, and every DoD contractor must obtain at least a Level 1 certification (the bare minimum).

Ultimately, a contractor’s level of certification will depend on the type of data it processes and the level of security clearance necessary. So for example, a weapons manufacturer may be required to achieve a higher level of certification than the lawn service.

The latest version of CMMC is v2.0, published by the DoD in December 2019. CMMC v2.0 removed levels 2 and 4 that were previously published under CMMC v1.0; this streamlines compliance into LEVEL 1 (Foundational), LEVEL 2 (Advanced), and LEVEL 3 (Expert).


What are the CMMC Maturity Levels?

To achieve CMMC certification, your organization must meet certain criteria depending on the CMMC level you hope to obtain. These requirements are specified in NIST 800-171. Below, you’ll find the requirements for each of the CMMC maturity levels.

CMMC Level 1 – Foundational

Level 1 focuses on the protection of FCI (Federal Contract Information) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. This includes implementing 17 practices from NIST SP 800-171 and requires the supplier to complete an annual self-assessment.

CMMC Level 2 – Advanced

Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171. Depending on the type of program, it requires the supplier either to undergo a technical third-party assessment every three years or to conduct an annual self-assessment.

CMMC Level 3 – Expert

Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date (after the ongoing rule-making process). Level 3 will require compliance with more than 110 practices aligned to NIST SP 800-171 and will require a technical government-led assessment every 3 years.

The Challenges of Obtaining CMMC Compliance

If your organization works as a defense contractor, it must assure that it has done its due diligence to comply with all applicable NIST, DFARS, and CMMC compliance requirements.

Most organizations face a lack of internal resources to execute a plan of action for a new and complex compliance program. Audits can also be time-consuming and disruptive for organizations to manage and deliver on their own, not to mention the fact that certification must be renewed every three years. Additionally, when there is turnover in the personnel managing compliance with these frameworks, it is easy to lose visibility into ongoing and historical efforts if a central system of record is not being used.

Our solutions deliver the insight, guidance, and instruction on how to move to audit readiness for CMMC, from self-assessment all the way through to the CMMC audit, whether it be a Level 1 self-assessment, a Level 2 technical third-party assessment, or even a full-blown Level 3 government-led technical assessment.


RiskOptics Has Your CMMC Framework Solution

Our RiskOptics Risk Insiders can walk you through the entire CMMC process, helping you examine your environment and policies and shore them up before your formal assessment.

Using our flexible, integrated ZenGRC platform to organize and manage CMMC requirements, our solution eliminates many of the tedious manual processes and reduces the time and resource requirements needed to manage them.

ZenGRC Capabilities:

  • Built by compliance experts for faster time to value during implementation
  • As a single source of truth to assign, capture and track requests for information
  • A central repository for all audit-ready documentation
  • Universal Control Mapping to fulfill multiple requirements with a single control
  • Insight into team member progress at fulfilling CMMC requirements
  • Continuous monitoring of your compliance stance

Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) compliance framework is a set of standards all organizations must meet if they wish to engage in contracts with the DoD or defense industrial base (DIB).

The standards set forth in the CMMC come from the National Institute of Standards and Technology’s Special Publication NIST SP 800-171 Revision 2, a standard meant to limit security risks in the government sector.

All organizations that wish to engage in contracts with the U.S. Department of Defense (DoD) will eventually be subject to CMMC compliance. This includes contractors and subcontractors in the defense industrial base, an estimated 300,000 to 500,000 vendors.

By October 2025, all contracts issued by the U.S. Defense Department (DoD) will contain the CMMC requirement. This means all contractors (and subcontractors) will be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance.

For some time now, defense contractors have had to comply with the cybersecurity requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). That meant implementing the standards of NIST 800-171, which created the foundation of modern cybersecurity standards.

CMMC takes these requirements a step further. It includes authentication requirements for security controls that an organization has implemented to protect information systems and Controlled Unclassified Information (CUI). It also includes other cybersecurity risk management practices, such as incident response and continuous monitoring.

The cost to achieve CMMC certification depends on the following factors:

  • The certification maturity level
  • The size of your company
  • The number of locations your business has
  • Whether you require third-party support
  • The scope of your CUI
  • The level of outside support you require

For example, the cost for an organization seeking CMMC Level 3 compliance, with 250 employees operating in multiple locations, ranges from $80,000 to $190,000, depending upon the business’s existing compliance stance and required levels of outside support.

The various levels of CMMC compliance are referred to as Maturity Levels. The higher the maturity level an organization wishes to be certified for, the greater the requirements of its CMMC assessment. The CMMC maturity levels are:

  • CMMC Level 1 – Foundational
  • CMMC Level 2 – Advanced
  • CMMC Level 3 – Expert