What is CMMC Compliance?

The Cybersecurity Maturity Model Certification (CMMC) compliance framework is a set of standards that organizations must adopt if they want to participate in supply chain contracts with the United States Department of Defense (DoD).

The specifications set forth in the CMMC come from the National Institute of Standards and Technology’s Special Publication NIST 800-171 Revision 2, and are meant to limit security risks in the government sector. CMMC includes authentication requirements for security controls that an organization must implement to protect information systems and Controlled Unclassified Information (CUI). It also includes other risk management and cybersecurity practices, such as incident response and continuous monitoring.


Why is CMMC Compliance Important?

CMMC compliance is required to continue DoD relationships and will need to be renewed every three years. Non-compliance could result in the loss of valuable DoD contracts, and leave a contractor exposed to cybersecurity weaknesses.

By the end of 2025, all contracts issued by the U.S. Defense Department will include a CMMC requirement. This means all government contractors (and subcontractors) will be required to meet Cybersecurity Maturity Model Certification compliance. That’s an estimated 300,000 to 500,000 vendors that will be affected, from lawn service companies to missile manufacturers.

Furthermore, compliance protects your organization from suffering a loss that can have devastating financial repercussions. It can also assure that your business is well protected, boosting your organization’s credibility and instilling greater trust among customers and business partners.

CMMC Requirements at a Glance

There are five levels of CMMC certification, and every DoD contractor must obtain at least a Level 1 certification (the bare minimum).

Ultimately, a contractor’s level of certification will depend on the type of data it processes and the level of security clearance necessary. So, for example, a missile manufacturer may be required to achieve a higher level of certification than a lawn service company.

The latest version of CMMC is v0.7, published by the DoD in December 2019. It includes new requirements for maturity levels 4 and 5 and contains some modifications to the maturity processes for CMMC levels 1 through 3.


What are the CMMC Maturity Levels?

To achieve CMMC certification, your organization must meet certain criteria depending on the CMMC level you hope to obtain. These requirements are specified in NIST 800-171. Below, you’ll find the requirements for each of the CMMC maturity levels.

CMMC Level 1 – Basic Cyber Hygiene
Requires Defense Department contractors to implement 17 controls of NIST 800-171.

CMMC Level 2 – Intermediate Cyber Hygiene
Requires Defense Department contractors to implement another 48 controls of NIST 800-171, plus seven more “Other controls.”

CMMC Level 3 – Good Cyber Hygiene
Requires Defense Department contractors to implement the final 45 controls of NIST 800-171, plus 13 additional “Other controls.”

CMMC Level 4 – Proactive Cybersecurity
Requires Defense Department contractors to implement 11 more controls of NIST 800-171, plus 15 additional “Other controls.”

CMMC Level 5 – Advanced/Progressive Cybersecurity
Requires Defense Department contractors to implement the final 4 controls of NIST 800-171, plus 11 additional “Other controls.”

The Challenges of Obtaining CMMC Compliance

If your organization works as a defense contractor, it must assure that it has done its due diligence to comply with all applicable NIST, DFARS, and CMMC compliance requirements.

Most organizations face a lack of internal resources to execute a plan of action for a new and complex compliance program. Audits can also be time-consuming and disruptive for organizations to manage and deliver on their own — not to mention the fact that certification must be renewed every three years.


Reciprocity Has Your CMMC Framework Solution

At Reciprocity, our ZenGRC for Compliance solution delivers the insight, guidance, and instruction on how to move to audit readiness for CMMC, from self-assessment all the way through to CMMC audit by a third-party assessment organization (like a C3PAO) or independent assessor.

Our Reciprocity GRC experts can walk you through the entire CMMC process, helping you examine your environment and policies and shore them up before your formal assessment.

We can also advise on documentation best practices and provide a template that includes Plan of Action and Milestones (POAM) and System Security Plan (SSP) documentation.

Using our flexible, integrated ZenGRC platform to organize and manage CMMC requirements, our solution eliminates many of the tedious manual processes and reduces the time and resources needed to manage them.


ZenGRC CMMC Capabilities

  • Built by compliance experts for faster time to value during implementation
  • As a single source of truth to assign, capture and track requests for information
  • A central repository for all audit-ready documentation
  • Universal Control Mapping to fulfill multiple requirements with a single control
  • Insight into team member progress at fulfilling CMMC requirements
  • Continuous monitoring of your compliance stance


Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) compliance framework is a set of standards all organizations must meet if they wish to engage in contracts with the DoD or defense industrial base (DIB).

The standards set forth in the CMMC come from the National Institute of Standards and Technology’s Special Publication NIST SP 800-171 Revision 2, a standard meant to limit security risks in the government sector.

All organizations that wish to engage in contracts with the U.S. Department of Defense (DoD) will eventually be subject to CMMC compliance. This includes contractors and subcontractors in the defense industrial base, an estimated 300,000 to 500,000 vendors.

By October 2025, all contracts issued by the U.S. Defense Department (DoD) will contain the CMMC requirement. This means all contractors (and subcontractors) will be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance.

For some time now, defense contractors have had to comply with the cybersecurity requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). That meant implementing the standards of NIST 800-171, which created the foundation of modern cybersecurity standards.

CMMC takes these requirements a step further. It includes authentication requirements for security controls that an organization has implemented to protect information systems and Controlled Unclassified Information (CUI). It also includes other cybersecurity risk management practices, such as incident response and continuous monitoring.

The cost to achieve CMMC certification depends on the following factors:

  • The certification maturity level
  • The size of your company
  • The number of locations your business has
  • Whether you require third-party support
  • The scope of your CUI
  • The level of outside support you require

For example, the cost for an organization seeking CMMC Level 3 compliance, with 250 employees operating in multiple locations, ranges from $80,000 to $190,000, depending upon the business’s existing compliance stance and required levels of outside support.

The various levels of CMMC compliance are referred to as Maturity Levels. The higher the maturity level an organization seeks certification for, the greater the requirements for its CMMC assessment. The CMMC maturity levels are:

  • CMMC Level 1 – Basic Cyber Hygiene
  • CMMC Level 2 – Intermediate Cyber Hygiene
  • CMMC Level 3 – Good Cyber Hygiene
  • CMMC Level 4 – Proactive Cybersecurity
  • CMMC Level 5 – Advanced/Progressive Cybersecurity