Key Takeaways
1. The Cybersecurity Maturity Model Certification (CMMC) is a program designed to ensure all defense contractors meet specific cybersecurity maturity levels to protect sensitive information and maintain national security.
2. Achieving CMMC certification can significantly improve an organization’s cybersecurity posture, customer confidence, and eligibility for DoD contracts.
3. I.S. Partners can become your CMMC compliance partner. Consult with us today and learn how you can streamline your compliance process.
What Is CMMC Compliance?
Cybersecurity Maturity Model Certification (CMMC) compliance refers to an organization’s conformance to the CMMC program under the US Department of Defense (DoD) that applies to all defense contractors. It was introduced to ensure that all defense contractors meet a certain level of cybersecurity maturity. CMMC is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the Defense Industrial Base (DIB).
It is the gold standard for implementing cybersecurity best practices so that sensitive information is protected and national security information is kept private and confidential. Successfully implementing CMMC and its requirements, including strict controls such as access control, is essential for any organization aiming to secure DoD contracts.
CMMC 1.0 was introduced in January 2020 with five levels. CMMC has evolved since 2020, but the core idea remains the same. In November 2021, CMMC 2.0 was introduced with several amendments. The most notable change is that the five levels of the CMMC model were streamlined into three levels, described below.
CMMC Level 1 (Foundational):
This level focuses on basic cybersecurity practices to safeguard Federal Contract Information (FCI) with 17 specific security measures derived from FAR 52.204-21.
CMMC Level 2 (Advanced):
Here, the requirements get more stringent, aligning with NIST SP 800-171. It includes 110 practices to protect Controlled Unclassified Information (CUI).
CMMC Level 3 (Expert):
The third CMMC level targets the reduction of Advanced Persistent Threats (APTs) and incorporates advanced security measures, including some requirements from NIST SP 800-172.
Read more about the difference between the two CMMC model versions from our CMMC 1.0 vs 2.0 article.
Achieving CMMC compliance means understanding these levels and the best practices associated with each. Partnering with certified assessors like I.S. Partners can make CMMC assessments smoother and more efficient.
Is CMMC 2.0 Applicable Currently?
All DoD contractors are expected to comply with the appropriate level of CMMC 2.0 by late 2025.
The latest iteration of CMMC as of November 2021 is version 2.0. This update streamlined the levels laid out in the original CMMC standard, reducing them from five to three.
This change was partly intended to simplify implementation. It also aligned CMMC 2.0 more closely with the requirements of NIST SP 800-171 Rev. 2 (National Institute of Standards and Technology), making for a more comprehensive operating model.
Even though CMMC 2.0 compliance is not mandatory at the moment, organizations looking to get certified should start preparing now. Because the compliance requirements are extensive, it’s a good idea to start understanding and implementing them early.
What Is the Deadline for CMMC Compliance?
While the deadline for CMMC 2.0 implementation has not yet been declared, the time is right for organizations to start preparing for CMMC 2.0. By understanding more about the certification and improving cybersecurity as per the CMMC guidelines, organizations can hope to get certified sooner once CMMC 2.0 is officially rolled out. Since the eligibility to bid on DoD contracts is tied to CMMC certification, an early certification can significantly affect your chances of winning a bid.
Who Needs to Comply With CMMC?
CMMC applies to all prime contractors and subcontractors working with the Department of Defense (DoD) and related information systems, no matter the size of the business or the type of information they handle. The requirements must be met by everyone who interacts with these systems, from systems administrators to the Chief Information Officer.
Incorporating CMMC into your existing systems helps clearly define your POA&M (Plan of Action and Milestones) objectives. It allows you to proceed in a structured and organized way that aligns with U.S. Department of Defense requirements.
Below are examples of industries that may be required to comply with CMMC.
- Aerospace: Organizations involved in the development and manufacturing of aircraft, space vehicles, and related equipment and spare parts used by the defense sector.
- Defense equipment: Businesses that manufacture defense equipment, weapons, vehicles, hardware, etc., used in defense-related products, or that offer related services.
- IT Services: Companies that provide IT services to DoD organizations, including IT infrastructure maintenance and support, cybersecurity, network support, etc.
- Research & development: Organizations involved in the R&D of new defense-related technologies or products.
- Education: An educational institution that is involved in defense-related research, training, or educational services under DoD contracts.
- Professional services: Any organization that provides services such as consulting, engineering, logistics, and administration.
Read more about who needs CMMC from our detailed article.
Whether or not your company handles Controlled Unclassified Information (CUI), compliance with CMMC requirements is mandatory for participation in DoD contracts, in order to safeguard any and all DoD-related data.
This makes the certification process quite complicated to set up, but once you understand the scope of the protections, you can develop a proper CMMC program to align your systems with these vital safeguards.
How Long Does CMMC Certification Last?
The validity period differs by CMMC level. A Level 1 CMMC lasts a year and requires an annual self-assessment. A Level 2 certification requires a triennial third-party assessment. Lastly, the validity period of a Level 3 CMMC is still to be determined.
Reevaluation ensures that the certified organization keeps up with the evolving standards and the threat landscape.
Continuous monitoring and regular training are keys to maintaining compliance and fostering a strong cybersecurity culture within the organization so that you can achieve the objectives set out at the required CMMC level.
After three years, the organization will need to go through the assessment and certification process again if it wishes to continue working on DoD projects. Note, however, that ongoing compliance is necessary throughout the three-year period.
Who Issues the CMMC Certification?
An authorized CMMC Third-Party Assessor Organization (C3PAO) assesses whether an organization has implemented the necessary controls as required by the certification level. The C3PAO sends a report to the CMMC Accreditation Body (CMMC-AB) for review. CMMC-AB makes the final decision about issuing the certification.
For CMMC 2.0, self-assessment by the organization would be expected to be sufficient for Level 1 certifications. Self-assessments would also be sufficient for a subset of Level 2 certifications. Third-party assessment would be required for the rest of the Level 2 certifications and all of the Level 3 certifications.
When selecting the best Candidate C3PAO to carry out the certification audit, Jena Andrews, Senior Security Consultant at I.S. Partners, emphasized two questions you need to ask:
“Always ask, ‘Is the assessor familiar with your industry and what other services/SMEs the C3PAO provides/caters to that would be relevant or helpful?’”
Through these questions, you can carefully analyze if a C3PAO is fit to conduct an optimal assessment of your system.
Also, an assessment carried out by government officials would be required for Level 3 certifications. All of these assessments will be triennial to ensure that compliance remains current.
What Is the Interim Rule of CMMC?
According to the interim rule of CMMC, all DoD contractors must conduct a cybersecurity self-assessment and determine whether they have implemented all 110 controls defined in NIST SP 800-171. This assessment is scored: one point for each implemented control, for a maximum score of 110. Each control that is not implemented, or is only partially implemented, deducts a point.
When the score is less than 110, DoD contractors need to document a plan to implement the remaining controls in a POA&M (Plan of Action & Milestones). The POA&M would be a living document, constantly updated with details of new controls being implemented and their effectiveness.
The key elements of POA&M include:
- Information about the cybersecurity risk due to the absence of a control or the partial implementation of a control
- The severity of each of the cybersecurity risks identified
- A plan to manage each cybersecurity risk by eliminating it completely or mitigating it
- A cost estimate for managing the cybersecurity risk
- Real-time documentation of the status of each risk
The POA&M should be available immediately upon request by any government authority.
How Much Does CMMC Cost?
A rough estimate of the cost of CMMC Level 2 and Level 3 certification can range from $18,000 to $400,000, sometimes even more. The fees charged by C3PAO can vary.
Hence, it’s a good idea to get quotes from multiple third-party assessors and choose based on the cost as well as the services offered.
The current cost of CMMC depends on several factors. The main factors are:
- Size of the organization
- The complexity of the organization
- Level of certification required
- Fees charged by the C3PAO
- Any costs incurred for implementing the required controls
- Costs incurred for procuring technology and personnel to implement controls
Regarding CMMC 2.0, the DoD plans to release a comprehensive cost analysis for each level of CMMC 2.0 as part of rulemaking. However, it is currently anticipated that the costs for CMMC 2.0 will be significantly lower when compared to CMMC 1.0.
CMMC Level 1 certification is based on self-assessment. Assuming that an organization has a good cybersecurity posture, CMMC Level 1 certification will incur a nominal cost. Level 2 and Level 3 certifications would need a more thorough process since these levels are associated with protecting CUI.
What Are the Benefits of CMMC?
Embracing CMMC is becoming essential for organizations to remain viable and grow within the defense sector. CMMC certification has several benefits, which are summarized below.
- Improved cybersecurity posture. Getting CMMC certified involves implementing cybersecurity controls. This improves the cybersecurity posture by establishing best practices and stringent cybersecurity standards.
- Competitive edge. Being CMMC certified gives you an advantage over your competitors by positioning you as an organization that takes cybersecurity seriously.
- Eligibility for DoD contracts. Since most DoD contracts require a CMMC certification, being CMMC certified makes your business eligible to bid on them.
- Improved customer confidence. In the current state of rampant cybercrime, CMMC certification helps improve customer trust.
- Regulatory compliance. Complying with CMMC can align your organization with the ever-changing regulatory environment.
CMMC compliance provides strategic and competitive advantages for companies in the DIB. It strengthens cybersecurity, builds trust with the DoD and partners, enables access to contracts, and reduces business risk. The benefits extend across the supply chain, uplifting security for prime contractors down to the smallest subcontractors.
CMMC Compliance Requirements
CMMC compliance can be slightly different for each organization, but the core fundamentals all align with the creation of a system security plan. The latest version, CMMC 2.0, has simplified these levels from five to three, making them easier to grasp.
There are certain CMMC compliance requirements for each level, and the requirements are cumulative.
Level 1 includes 17 security controls under six domains. The six domains are:
- Access control
- Identification and authentication
- Media protection
- Physical protection
- System and communication protections
- System and information integrity
Level 2 compliance includes 110 controls grouped under 14 domains. The 14 domains include the six domains mentioned above. The additional eight domains are:
- Awareness training
- Configuration management
- Incident response
- Maintenance
- Personnel security
- Risk assessment
- Security assessment
- Audit and accountability
Level 3 CMMC compliance requires 130 controls grouped under 16 domains, which include the 14 domains covered by Level 1 and Level 2. The additional two domains are:
- Recovery
- Situational awareness
Please note that even though the domains overlap between levels, the controls under each domain differ for each level.
How to Get Started With CMMC? + Free CMMC Checklist
Complying with CMMC requires a systematic approach. The process involves comprehensive preparation and expert guidance from authorized assessors.
Starting the CMMC audit preparation now can boost your chances of getting CMMC certified without any hassles. Once CMMC 2.0 becomes mandatory, many organizations will try to get certified. Preparing now will give you an advantage over others who might wait until the official rollout.
Here is an 8-step CMMC checklist to provide a clear path toward CMMC compliance.
- Identify the type of information that needs to be protected: Your required CMMC level depends on the type of government data you handle/will handle. Every defense contractor will need at least Level 1 compliance. If your organization handles CUI, it may require either CMMC Level 2 or Level 3.
- Identify the controls to be implemented. Based on the sensitive information, your team will need to identify which internal control measures would be best to protect them. A professional auditor can guide you through the most updated security controls.
- Identify the regulatory requirements to address CMMC compliance. Complying with CMMC requires you to understand the program’s objectives and its requirements fully. Comprehensive understanding can help you streamline the certification process.
- Create relevant documentation. Some of the Level 2 and all of the Level 3 certification requirements would be validated by a third-party assessor. Hence, just having all compliance practices in place is not enough – you need to prepare and maintain documentation. You will need a System Security Plan (SSP) detailing the use of security controls.
- Implement the cybersecurity controls. Upon fully understanding the required controls of CMMC, your team must set up security controls to satisfy these requirements and protect sensitive information. This process includes developing a comprehensive policy list and aligning it with employee practices.
- Create POA&M and SSP. In instances where not all NIST SP 800-171 and CMMC controls can be implemented, documented control deficiencies should be outlined in a Plan of Action and Milestones (POA&M), with a specific action plan aimed at rectifying these issues within 180 days. Additionally, a System Security Plan (SSP) must be prepared, delineating the efficacy of each control in enhancing cybersecurity posture; both the POA&M and SSP are crucial documents subject to scrutiny by CMMC auditors.
- Evaluate the effectiveness of the implemented controls. Ensuring compliance with CMMC requirements requires repeated risk assessments and bridging the gaps they reveal in your system. Create checklists that help your team track the state of your compliance process.
- Monitor and improve controls. Monitoring CMMC controls through tracking key metrics is crucial for understanding long-term trends and identifying areas for improvement. To effectively measure performance and risks, it’s essential to identify relevant Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) aligned with organizational needs and regulatory obligations.
How to Become CMMC Compliant With I.S. Partners?
Getting CMMC certified is a step forward in adhering to DoD requirements and getting ready to handle DoD projects. However, the process is time-consuming and effort-intensive, especially if you are a complex organization and/or going for CMMC for the first time. The CMMC framework is quite new, and there are several unanswered questions.
I.S. Partners has a team of experts who help take the complexity away from CMMC compliance and certifications. With a deep understanding of compliance requirements and years of experience in managing compliance requirements for various standards, I.S. Partners helps streamline your efforts for CMMC certification.
I.S. Partners takes stock of your compliance posture and performs a gap assessment to identify areas for improvement. The experts also help with creating and updating robust documentation including plans, policies, and process documents. Learn more about how I.S. Partners can help you with CMMC assessments and audits.
Get a Quote or book a free consultation.