What is CMMC Certification? A Comprehensive Guide

Intro to CMMC Certification

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to improve the cybersecurity of organizations working with the defense industry. In view of the increasing cybercrime and billions of dollars worth of losses in data breaches every year, CMMC certification was introduced as a baseline for defense contractors to adhere to a desired level of cybersecurity practices.

CMMC certification can be a challenging feat, especially for small and medium organizations with limited IT resources. So, let’s go over the basics of CMMC and how to go about getting the certification.

Key Takeaways

1. CMMC certification is mandatory for all DoD contractors and suppliers that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Without CMMC compliance, organizations will be disqualified from future DoD contracts.

2. Getting CMMC certified involves self-assessments, implementing security controls, assessments by accredited third-parties, and annual attestations. The certification is valid for 3 years after which organizations have to get re-certified.

3. I.S. Partners provides end-to-end services to help organizations achieve CMMC compliance and certification. With their team of experts, they can perform gap assessments, implement controls, and facilitate assessments and audits required for CMMC certification.

What Is CMMC Certification?

CMMC was officially released in 2020. However, it has undergone several changes since then. Now, as we wait for CMMC 2.0 to be finalized, defense contractors have a lot of questions about CMMC certifications.

CMMC certification simply means adhering to the CMMC framework and getting certified after demonstrating compliance. It applies to all contractors and suppliers within the defense industrial base (DIB). The primary goal of CMMC is to make sure that all contractors and suppliers within the DIB meet specific cybersecurity requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 has not yet been officially rolled out. So, CMMC certification refers to adhering to the CMMC 1.0 guidelines. However, since CMMC 2.0 is expected to become mandatory by October 2025, organizations that are looking to get certified are preparing for the new version of CMMC.

What Are the CMMC Certification Levels?

CMMC certification levels are a set of cybersecurity practices laid down by the DoD. Each level defines how defense contractors handle FCI and CUI and aligns with the required cybersecurity maturity.

CMMC 1.0 certification levels

CMMC1.0 has five different maturity levels. The maturity model is cumulative such that each level has its own practices and processes in addition to those of the level below it. To achieve certification for a specific level, an organization should be able to demonstrate compliance to all preceding levels, too.

CMMC level 1: Basic cyber hygiene

This includes 17 controls from NIST SP 800-171 Rev2. These controls ensure basic cybersecurity practices are followed at the organization.

CMMC level 2: Intermediate cyber hygiene

This includes 46 more controls from NIST SP 800-171 Rev2. All the cybersecurity best practices for this level need to be effectively documented.

CMMC level 3: Good cyber hygiene

This includes the final 47 controls from NIST SP 800-171 Rev 2 in addition to those included in the preceding levels.

CMMC level 4: Proactive cyber hygiene

To achieve this level, organizations need to implement 26 controls from the NIST SP 800-171 Rev B.

CMMC level 5: Advanced cyber hygiene

This is the highest level of cybersecurity and organizations that reach this level are expected to continuously improve and optimize their cybersecurity practices. They must implement all od the controls from NIST SP 800-171 Rev B.

CMMC 2.0 certification levels

CMMC 2.0 is streamlined to have three maturity levels. The certification level you need will depend on the sensitivity of the data you will be handling as part of any DoD contracts. The CMMC certification process involves documentation, meeting compliance requirements, assessments, and attestations, and will be different for each level.

The three levels are:

CMMC level 1: Foundational

This level requires organizations to follow basic cybersecurity practices. Certification can be achieved through an annual self-assessment and attestation by company leadership.

Applicable to: Organizations handling Federal Contract Information (FCI)

CMMC level 2: Advanced

This level requires organizations to follow advanced cybersecurity practices based on NIST SP 800-171 and includes 110 controls. Certification to Level 2 requires triennial assessments by third-party entities and annual attestations. For certain programs, triennial self-assessments and annual attestations also suffice for certifications.

Applicable to: Organizations handling Controlled Unclassified Information (CUI)

CMMC level 3: Expert

CMMC level 3 is based on NIST SP 800-171 and some further requirements such as incident reporting. It is aimed at reducing the risk of advanced threats by adopting cybersecurity best practices. Certification to level 3 requires triennial assessments by government-led entities and annual attestations.

Applicable to: Organizations handling Controlled Unclassified Information (CUI) for DoD programs with the highest priority

Who Needs CMMC Certification?

All DoD contractors, subcontractors, and vendors in the defense supply chain that are required to handle FCI or CUI need a CMMC certification. When CMMC was first introduced, working on a defense project was a preferred requirement. However, CMMC compliance is no longer an option. For any new RFPs and RFIs, CMMC is mandatory. Any organization that is not compliant with CMMC will automatically be disqualified for future DoD contracts.

An important point to note is that disqualification will happen at the time of awarding the contract and not at the RFP stage. Hence, organizations trying for DoD contracts can start now to work on CMMC compliance and get their certification.

Another point to consider regarding CMMC is the evolving threat landscape and how it impacts data security regulations for different industries. Whether you are keen on DoD contracts or not, CMMC has other benefits, too, by helping you with enhanced cybersecurity.

How Much Does CMMC Certification Cost?

The CMMC certification cost depends on the level of the certification and your specific requirements. The higher the CMMC level, the more the cost. CMMC is a recurring cost, requiring annual/triennial assessments and attestations. You will also need to consider the personnel and technology costs required to implement the safeguards.

Due to several factors impacting the cost, various cost estimations are available. However, they all can vary drastically. Typically, the cost of CMMC can be anywhere between $20,000 to $200,000. By some estimates, the cost for Level 1 certifications could be as low as $3,000.

Generally speaking, CMMC is expensive. However, it is expected that the cost for CMMC 2.0 will be lower than CMMC 1.0 since the maturity levels and assessments are streamlined in the new version. The DoD will publish a detailed cost analysis after the final rulemaking of CMMC 2.0 is completed.

How Long Is CMMC Certification Valid?

CMMC certification is valid for three years. However, since CMMC 2.0 Level 1 certification is based on self-assessments, organizations with Level 1 certifications need to carry out self-assessments every year. Organizations with Level 2 and Level 3 certifications will need to get themselves certified every three years.

How to Get CMMC Certification?

Cybercrime cost U.S. citizens over $6.9 billion in 2021. CMMC is the response to the rising stakes of cybercrime. However, the requirements of CMMC can feel daunting, especially for organizations that don’t have a strong foundation in cybersecurity to begin with.

Below are the steps to simplify and streamline the CMMC certification process:

Identify the level of CMMC certification applicable to you. This will depend on the type of data you handle.
Engage a reliable third-party assessment organization through a CMMC-AB (Cybersecurity Maturity Model Certification Accreditation Body).
Perform an initial gap assessment to take stock of your current cybersecurity posture.
Take action to address the findings of the gap assessment and implement necessary changes and safeguards.
Choose an accredited C3PAO (Certified Third-Party Assessment Organization) based on the insights of the gap assessment and the controls implemented. A C3PAO can be found on the CMMC-AB marketplace website.
The C3PAO will facilitate the assessment based on the CMMC certification level selected.
The CMMC-AB reviews the assessment submitted by the C3PAO and once approved, the CMMC certification is issued and is valid for three years.

CMMC Assessment and Certification Process

The CMMC model includes five maturity levels designated ML 1 through ML 5. Each level has progressively greater compliance requirements with respect to NIST 800-171.

ML 1 deals with performance. It has associated practices, but no process requirements.
ML 2 adds documentation requirements. Organizations must establish domain policies and the CMMC practices needed to implement those policies to reach this level.
ML 3 includes management requirements. Organizations must establish, maintain, and provide resources for each of their domains.
ML 4 requires organizations to review the effectiveness of activities within their domains.
ML 5 adds the requirement for contractors to optimize and standardize their approach toward their domains across all organizational units.

How to Stay Compliant with CMMC?

Once CMMC 2.0 comes into effect, compliance can be maintained through annual self-assessment. For Level 2 compliance, triennial assessments by a C3PAO would be needed. Similarly, for Level 3 compliance, triennial assessments by a government body would be required.

Why Is CMMC Certification Important?

In the context of the defense industry and organizations that handle sensitive information, CMMC certification is important. Below is a summary of the benefits of CMMC.

Eligibility for DoD contracts

Many DoD contracts now include mandatory CMMC requirements. Being CMMC certified lets you bid on new contracts and continue your eligibility for existing DoD contracts.

Better cybersecurity posture

Since CMMC compliance requires organizations to employ cybersecurity best practices and implement safeguards, it helps in achieving an enhanced cybersecurity posture and reduces the risk of cyberattacks.

Improved incident response

CMMC focuses on better incident response and reporting practices, thus pushing organizations that seek certifications to implement processes for effective incident response. Organizations that comply with CMMC have better processes to identify, respond to, and recover from security incidents.

Adaptable cybersecurity

CMMC undergoes changes based on the threat landscape and data security requirements. Thus, organizations seeking certification are encouraged to adapt and improve their cybersecurity practices.

DIB supply chain integrity

CMMC certification ensures that all organizations adhere to specific cybersecurity requirements for contractors and subcontractors within the DIB supply chain. This reduces the risk of weak links in the supply chain, enhancing overall security.

Better credibility

CMMC is based on existing cybersecurity frameworks like NIST and ISO 27001. Thus, getting CMMC certified helps streamline regulatory compliance. It also demonstrates your commitment to cybersecurity thus boosting credibility with all stakeholders.

What Is the CMMC Timeline?

CMMC 1.0 was introduced on 31 January 2020.
CMMC 2.0 was announced in November 2021.
NPRM (Notice of Proposed Rulemaking) was announced in May 2023.
Currently, rulemaking is in progress.
The expected date by which organizations will need to comply with CMMC 2.0 is October 2025 (subject to change).

CMMC timeline

How Can You Prepare for CMMC?

CMMC certification is a tall order for most organizations due to the effort, time, and resources needed for compliance and the certification process. The CMMC framework is also relatively new which makes it difficult for organizations to pursue compliance without expert guidance.

Thus, it is always a good idea to engage with a reliable service provider who can help you navigate the complex CMMC certification process. I.S. Partners, with its team of experts, helps you by streamlining the steps for CMMC certification. With years of experience in the security and compliance domain, ISP is a trusted partner to get you started on achieving CMMC compliance and getting certified. Learn more about how I.S. Partners can help you with CMMC assessments and audits.

I.S. Partners is now CMMC certified. Learn more about our complete CMMC compliance services.

FAQs About Cybersecurity Maturity Model Certification

How Is CMMC Certification different from NIST SP 800-171?

The US government is using CMMC certification as a vehicle to audit compliance with NIST SP 800-171, a publication that recommends requirements for protecting CUI. DoD contractors have been required to comply with NIST SP 800-171 since January 1, 2018, but the levels of adoption have remained low since then. CMMC was created to remedy this problem, ultimately affecting over 200,000 contractors even by the most conservative estimate.

Even if contractors comply with CMMC, it doesn’t mean they comply with all NIST SP 800-171 requirements. NIST 800-171 includes 110 CUI controls in addition to 63 Non-Federal Organization (NFO) controls. Contractors still need to comply with both the CUI and NFO controls, even though NIST 800-171 primarily focuses on the storage, transmission, and processing of CUI.

What Does it Mean to be Compromised?

Section 252.204-7012 the Defense Federal Acquisition Regulation Supplement (DFARS) describes a cyber incident as an action taken on a DOD contractor’s information system that results in an actual or potentially adverse effect on the data it contains. This broad definition includes actions taken by DoD contractors themselves and unauthorized intruders. In other words, a cyber incident includes any action performed by any party that could have compromised DoD data, even if it didn’t actually do so.

The compromise of a contractor’s information system doesn’t automatically result in the loss of certification. However, it does appear at this that the DoD will authorize program managers to require recertification from the contractor if they feel it’s necessary. It’s still unclear how the DoD will impose this obligation and what standard it will use to determine that recertification is necessary.

Get a Quote Try our Compliance Checker

About The Author

Philip LaRocca

Comment on this article Cancel Reply

You must be logged in to post a comment.

Sign in or create an account with:

Related Content

Gain Deeper Insights

prepare for cmmc deadline

CMMC, Compliance & Certification

How to Prepare for CMMC Deadline? CMMC Audit Checklist

Anthony Jones

February 14, 2024

When will cmmc 2.0 go into effect?

CMMC, Government

When Will CMMC 2.0 Go into Effect?

Anthony Jones

February 14, 2024

developers working on cybersecurity, CMMC compliance

CMMC, Compliance & Certification, Government

Ultimate Guide to CMMC | CMMC Compliance Checklist

Anthony Jones

September 26, 2023

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.