Defense Industrial Base (DIB) organizations, meaning those working with the Department of Defense (DoD) on US federal contracts, have long been subject to significant regulatory requirements for protecting sensitive information. However, a weakness of earlier regulations was a heavy reliance on self-certification. In response, the DoD in 2019 announced the development of the Cybersecurity Maturity Model Certification (CMMC) as a new effort to move away from self-attestation and provide enforceable, verifiable cybersecurity requirements for its contractors.
Most who have been involved in the ongoing development of the CMMC will tell you that it wasn’t an easy process getting to the final rule, which was released on October 15, 2024. Reaching this milestone involved extensive changes to the proposed CMMC rules, its Accreditation Body, and years of continual feedback. The final updates to the associated Defense Federal Acquisition Regulation Supplement (DFARS) regulation are unreleased at this writing, but the first phase of CMMC implementation will begin in Q2 2025. If your organization is part of the DIB and hasn’t begun its efforts toward CMMC compliance, now is the time to start.
About CMMC
CMMC is a DoD certification program for organizations receiving federal contracts, including subcontractors. Organizations must demonstrate their compliance with a specified level of cybersecurity, which is determined by the type of federal contract and the type of information handled by the organization.
The CMMC framework is organized around the protection of two types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Both types of information are non-public but unclassified and are provided by or generated for the government under a contract to develop or deliver a product or service to the government. CUI is considered more sensitive and is subject to laws, regulations, or government policies requiring special safeguard controls.
CMMC Levels
The CMMC framework establishes three distinct levels of cybersecurity maturity, each building upon the previous level’s requirements:
- Level 1 serves as the foundation, addressing basic cyber hygiene practices for the protection of Federal Contract Information (FCI). This level applies to contractors who handle FCI but not CUI and requires implementing seventeen practices from FAR 52.204-21.
- Level 2 is considerably more demanding than Level 1 and incorporates all 110 requirements of NIST SP 800-171 Rev. 2. This level is the minimum required for all organizations that handle CUI of any kind. Level 2 requires more sophisticated security measures, including access controls, incident response capabilities, and security assessment protocols. This level will be required of many subcontractors within the DIB.
- Level 3 is the highest level and adds twenty-four advanced practices from NIST SP 800-172 to counter Advanced Persistent Threats (APTs). This level applies to contractors working with critical programs and technologies and requires the implementation of additional practices focused on detecting and responding to sophisticated cyber-attacks. Level 3 will be limited to a smaller number of contracts and focused primarily on larger, prime contractors.
CMMC Assessment Types
A critical component of CMMC is its tiered assessment approach, which scales with each level. Each contract has its own level requirement, which is defined based on internal DoD criteria and assigned by the contracting officer. The framework establishes three distinct assessment types:
- Level 1 and some Level 2 certification programs allow organizations to conduct self-assessments. This process involves evaluating security practices against CMMC requirements using DoD-provided guidance. While self-directed, these assessments require thorough documentation and submission of results to the Supplier Performance Risk System (SPRS). Organizations must maintain comprehensive evidence of their compliance practices and prepare for potential DoD verification.
- Level 2 certifications often require assessment by a Certified Third-Party Assessment Organization (C3PAO). These independent evaluations can span several days to weeks, incorporating document reviews, on-site control validation, and personnel interviews. C3PAOs evaluate both the implementation and effectiveness of security controls, providing an objective verification of CMMC compliance.
- Level 3 certifications are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These DoD-led evaluations scrutinize both technical controls and security-relevant business processes through comprehensive documentation reviews and on-site assessments.
Regardless of type, all assessments follow a structured approach beginning with documentation preparation and progressing through control evaluation and validation. Organizations must demonstrate not only initial compliance but also ongoing adherence through continuous monitoring and periodic surveillance activities. This commitment to sustained security practices ensures that CMMC certification represents more than a point-in-time achievement.
The Path to Compliance
Achieving CMMC compliance can be complex and time-consuming, so it requires a systematic approach. Organizations Seeking Compliance (OSCs) should begin by determining their required CMMC level based on their handling of FCI and CUI. A thorough gap analysis comparing current security practices against CMMC requirements serves as the foundation for compliance efforts.
Developing a detailed implementation plan is crucial. This should include technical controls, policy development, personnel training, and documentation requirements. Organizations must also consider how to integrate CMMC requirements with existing security frameworks and business processes.
Working with qualified consulting partners can help navigate the complexity of CMMC implementation. These partners can provide valuable guidance on interpreting requirements, implementing controls, and preparing for certification assessments. However, organizations should carefully evaluate potential partners, ensuring they have appropriate expertise and understanding of both CMMC requirements and the defense industry context.
CyberAB, the same organization that certifies C3PAOs and professional CMMC assessors, also trains and awards the Registered Practitioner, Registered Practitioner Advanced, and Registered Practitioner Organization (RP, RPA, and RPO) designations. These designations indicate that individuals and the consulting firms they work for have the knowledge and expertise needed to provide advisory services to assist OSCs with Level 1 and Level 2 assessments, respectively.
Tangible Security offers CMMC advisory and support services including expert guidance, assessment, and implementation support to help organizations achieve and maintain compliance with the CMMC framework.
Find out more: https://tangiblesecurity.com/government-and-contractors/#contract
Looking Ahead
CMMC continues to evolve, with the DoD refining requirements and assessment processes based on industry feedback and changing threat landscapes. Organizations should stay informed about updates to the framework and adjust their compliance strategies accordingly. This may include participating in industry groups, engaging with CyberAB resources, and maintaining open communication with DoD contracting officers.
CMMC represents a significant shift in how the DIB approaches cybersecurity. While the framework presents challenges, particularly for smaller contractors, it also provides a structured path to improving cybersecurity posture and protecting sensitive information. Success requires careful planning, adequate resources, and a long-term commitment to maintaining robust security practices. Organizations that approach CMMC as an opportunity for security improvement, rather than merely a compliance requirement, will be better positioned to thrive in the evolving defense contracting landscape.