What is CMMC & How to Achieve CMMC Compliance
The Cybersecurity Maturity Model Certification (CMMC) is the ultimate assessment standard for defense contractors to ensure the safety of sensitive defense information. This 2023 CMMC compliance will become a must if you:
Work with federal authorities
Handle Controlled Unclassified Information (CUI)
Handle Federal Contract Information (FCI)
In this blog, you will learn the key components of CMMC compliance and what you need to do to get your CMMC certification.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a program designed by the Department of Defense (DoD) aimed at standardizing cybersecurity practices to protect Controlled Unclassified Information (CUI) and FCI (Federal Contract Information) within the defense industrial base (DIB).
This program ensures a consistent and robust approach to cybersecurity across the board, making it easier for organizations to understand. Contractors will be required to meet one of the three CMMC levels depending on the sensitivity of the information they handle.
What Are the Objectives of CMMC Compliance?
CMMC compliance aims to achieve 3 key objectives:
Protect sensitive defense information from cyber-attacks and nation-state actors
Create a unifying cybersecurity standard for defense contractors
Ensure accountability for defense companies that are responsible for protecting government data
What Are the Levels of CMMC Certifications?
Initially, CMMC certification (CMMC 1.0) had 5 levels. CMMC 2.0 reworked them, reducing the number of levels from 5 to 3. If you wish to work as a federal contractor, you must comply with one of these 3 levels, depending on the information your company will handle.
CMMC Level 1 (Foundational)
CMMC Level 1 looks to protect covered contractor information systems and limit access to authorized users, and it applies to companies that focus on the protection of federal information.
Level 2 (Advanced)
CMMC Level 2 is designed for companies that work with Controlled Unclassified Information (CUI). CMMC Level 2 aligns with the 110 controls and 14 control families created by NIST to protect CUI.
CMMC Level 3 (Expert)
CMMC Level 3 (Expert) is all about reducing the risk of Advanced Persistent Threats (APTs). It's specifically designed for companies handling CUI on the DoD's most critical programs.
While the specific security requirements for Level 3 are still being determined by the DoD, they will be based on a combination of NIST SP 800-171's 110 controls and a subset of NIST SP 800-172 controls.
This means a total of 130 controls, aligned with the same 14 control families in NIST 800-171, with an extra 20 controls from NIST 800-172.
What Are the CMMC Compliance Requirements?
CMMC compliance requirements are built on the trusted NIST (National Institute of Standards and Technology) framework, specifically the SP 800-171 guidelines.
CMMC Level 1
CMMC Level 1 requires you to comply with 15 requirements in the SP 800-171.
CMMC Level 2
To achieve CMMC Level 2, applicants must meet a total of 110 requirements, as determined by a third-party assessment.
CMMC Level 3
CMMC Level 3 is the highest level of compliance that can be achieved in the Cybersecurity Maturity Model Certification. CMMC Level 3 requires you to exceed all the SP 800-171 requirements, as determined by a government-led assessment.
Who Needs a CMMC Certification?
Starting in 2026, all defense contractors that work with or wish to work with the Department of Defense (DoD), except for those managing Commercial Off-the-Shelf products, will need a CMMC certification.
CMMC Level 1
If your company deals with FCI and has a FAR 52.204-21 provision in its contract, you will only need to achieve CMMC Level 1. No 3rd party certifications are needed! Instead, simply identify the individuals, technology, facilities, and external providers involved in processing, storing, or transmitting FCI within your environment.
Once a year, self-certify that you meet the basic safeguarding requirements outlined in the FAR clause.
CMMC Level 2
If your contract includes a DFARS 7021 clause and you handle Controlled Unclassified Information (CUI), achieving CMMC Level 2 is a must. All organizations aiming for Level 2 must undergo annual self-assessments and a formal assessment by an accredited C3PAO (CMMC Third Party Assessment Organization) every three years.
CMMC Level 3
This level requires meeting specific security requirements outlined in NIST SP 800-171, along with additional requirements from NIST SP 800-172. Companies with a DFARS 7021 clause in their contract fall into this category.
While the assessment process for level 3 compliance is still being determined by the DoD, one thing is clear: a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit is necessary for achieving compliance.
My Company Is Already NIST Compliant, Do I Need to Achieve CMMC Compliance?
According to industry expert Stacy Bostjanick, CMMC and NIST 800-171 are cut from the same cloth. CMMC compliance is simply a validation program that ensures organizations are following the already agreed-upon requirements of NIST 800-171 on their existing networks.
Companies can no longer assess their own compliance under CMMC. Third-party assessments are the new rule. CMMC assessments will be conducted by C3PAOs (CMMC Third Party Assessment Organizations). These assessments guarantee an unbiased evaluation of your company's adherence to controls.
If certain controls cannot be met during the assessment, limited-time Plans of Action and Milestones (POAMs) may be granted. However, this privilege is only granted selectively and does not extend to the more difficult controls. It's important to note that all POAMs must be resolved within 180 days, making them a useful tool for improving CMMC accessibility but not a standalone CMMC solution.
What’s the Cost of CMMC Compliance?
There are multiple key factors that influence the cost of your CMMC certification:
Your Company's Size
When it comes to CMMC compliance, the organization's size does matter, but it's the number of employees accessing CUI that truly drives the overall costs. To effectively manage the compliance boundary and minimize expenses, organizations must prioritize limiting employee and technology access to CUI.
Existing and Future Compliance Needs
Starting from scratch? Expect higher costs and longer timelines. Companies that are already ahead of the game have an advantage, but that doesn't mean you can't catch up. Assess the maturity of your documentation, technology, and current processes to determine your starting point.
Technology and Policy Implementation
As you strive for CMMC compliance, it's important to strike a balance between policy and technology implementation. While technology plays a vital role, it's crucial to be mindful of your budget. We understand that implementing various technologies can quickly drive up costs. Some of the pricier tools to implement include:
Vulnerability Scanning Tools
SIEM (Security Information & Event Management)
FIPS 140-2 validated tools
Consulting and Operational Costs
Consulting costs are a major part of any organization's budget. From policy and procedure creation to documentation and gap analysis, these expenses can quickly add up. The pricing of consulting services, your technology solutions, software, and more will vary depending on your organization’s size and maturity.
CMMC Compliance Checklist
The following CMMC compliance checklist will give you an understanding of where your organization is and where it needs to go to achieve compliance.
Determine what level of compliance you need
Delegate who will oversee CMMC Compliance
Identify where CUI is in your environment
Limit access to CUI; allow only authorized personnel
Determine what technologies are needed to achieve CMMC Compliance
Ensure your organization has robust policies and documentation processes
Create a Plan of Action and Milestones (POA&M) for the items and technologies you were not able to meet
Conduct a Self-Assessment following NIST 800-171A Guidelines
Eliminate Security Gaps
Prepare yourself and schedule a C3PAO to conduct an assessment
Following this CMMC compliance checklist will ensure your organization excels with today's compliance requirements.