top of page
  • Eric Brackett

What is CMMC & How to Achieve CMMC Compliance

What is CMMC Compliance design.

The Cybersecurity Maturity Model Certification (CMMC) is the ultimate assessment standard for defense contractors to ensure the safety of sensitive defense information. This 2023 CMMC compliance will become a must if you:

  • Work with federal authorities

  • Handle Controlled Unclassified Information (CUI)

  • Handle Federal Contract Information (FCU)

In this blog, you will learn the key components of the CMMC compliance and what you need to do to get your CMMC certification.

Table of contents:

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a program designed by the Department of Defense (DoD) aimed at standardizing cybersecurity practices to protect Controlled Unclassified Information (CUI) and FCI (Federal Contract Information) within the defense industrial base (DIB).

This program ensures a consistent and robust approach to cybersecurity across the board, making it easier for organizations to understand. Contractors will be required to meet one of the three CMMC levels depending on the sensitivity of the information they handle.

What are The Objectives of CMMC Compliance?

CMMC compliance aims to achieve 3 key objectives:

  • Protect sensitive defense information from cyber-attacks and nation-state actors

  • Create a unifying cybersecurity standard for defense contractors

  • Ensure accountability for defense companies that are responsible for protecting government data

What are The Levels of CMMC Certifications?

Initially, a CMMC certification (CMMC 1.0) had 5 levels. The new CMMC 2.0 reworked those levels reducing the number of levels from 5 to 3. If you wish to work as a federal contractor, you must comply with one of these 3 levels depending on the information your company will handle.

CMMC Levels


Supported by

CMMC Level 1 (Foundational)

CMMC level 1 looks to protect covered contractor information systems and limit access to authorized users, and it applies to companies that focus on the protection of federal information.

FAR 52.204-21

Level 2 (Advanced)

​CCMC Level 2 is designed for companies that work with Controlled Unclassified Information (CUI). CMMC Level aligns with 110 controls and 14 control families created by NIST to protect controlled classified info.

NIST SP 800-171

CMMC Level 3 (Expert)

CMMC Level 3 (Expert) is all about reducing the risk of Advanced Persistent Threats (APTs). It's specifically designed for companies handling CUI on the DoD's most critical programs.

While the specific security requirements for Level 3 are still being determined by the DoD, they will be based on a combination of NIST SP 800-171's 110 controls and a subset of NIST SP 800-172 controls.

This means a total of 130 controls, aligned with the same 14 control families in NIST 800-171, with an extra 20 controls from NIST 800-172.

NIST SP 800-172

What Are the CMMC Compliance Requirements?

CMMC compliance requirements are built on the trusted NIST (National Institute of Standards and Technology) framework, specifically the SP 800-171 guidelines.

CMMC Level 1

CMMC Level 1 requires you to comply with 15 requirements in the SP 800-171.

CMMC Level 2

To achieve CMMC level 2, applicants must meet a total of 110 requirements determined by a third-party assessment.

CMMC Level 3

CMMC Level 3 is the highest level of compliance that can be achieved in the cybersecurity maturity model certification. CMMC Level 3 requires you to exceed all the SP 800-171 requirements as determined by a government-led assistant.

Who Needs a CMMC Certification?

Starting in 2026, all defense contractors that work with or wish to work with the Department of Defense (DoD), except for those managing Commercial Off the Shelf, will need a CMMC certification.

CMMC Level 1

If your company deals with FCI and has a FAR 52.204-21 provision in its contract, you will only need to achieve CMMC Level 1. No 3rd party certifications are needed! Instead, simply identify the individuals, technology, facilities, and external providers involved in processing, storing, or transmitting FCI within your environment.

Once a year, self-certify that you meet the basic safeguarding requirements outlined in the FAR clause.

CMMC Level 2

If your contract includes a DFARS 7021 clause and you handle Controlled Unclassified Information (CUI), achieving CMMC level 2 is a must. All organizations aiming for level 2 must undergo annual self-assessments and a formal assessment by an accredited C3PAO (Certified CMMC Assessor) every three years.

CMMC Level 3

This level requires meeting specific security requirements outlined in NIST SP 800-171, along with additional requirements from NIST SP 800-172. Companies with a DFARS 7021 clause in their contract fall into this category.

While the assessment process for level 3 compliance is still being determined by the DoD, one thing is clear: a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit is necessary for achieving compliance.

My Company Is Already NIST Compliant, Do I Need to Achieve CMMC Compliance?

According to industry expert Stacy Bostjanick, CMMC and NIST 800-171 are cut from the same cloth. CMMC compliance is simply a validation program that ensures organizations are following the already agreed-upon requirements of NIST 800-171 on their existing networks.

Companies can no longer assess their own compliance under CMMC. Third-party assessments are the new rule. CMMC assessments will be conducted by C3PAOs (CMMC Third Party Assessment Organizations). These assessments guarantee an unbiased evaluation of your company's adherence to controls.

If certain controls cannot be met during the assessment, limited time Plan of Action and Milestones (POAMs) may be granted. However, this privilege is only granted selectively and does not extend to the more difficult controls. It's important to note that all POAMs must be resolved within 180 days, making them a useful tool for improving CMMC accessibility but not a standalone CMMC solution.

What’s the Cost of CMMC Compliance?

There are multiple key factors that influence the cost of your CMMC certification:

Your Companies Size

When it comes to CMMC compliance, the organization's size does matter, but it's the number of employees accessing CUI that truly drives the overall costs. To effectively manage the compliance boundary and minimize expenses, organizations must prioritize limiting employee and technology access to CUI.

Existing and Future Compliance Needs

Starting from scratch? Expect higher costs and longer timelines. Companies that are already ahead of the game have an advantage, but that doesn't mean you can't catch up. Assess the maturity of your documentation, technology, and current processes to determine your starting point.

Technology and Policy Implementation

As you strive for CMMC compliance, it's important to strike a balance between policy and technology implementation. While technology plays a vital role, it's crucial to be mindful of your budget. We understand that implementing various technologies can quickly drive-up costs. Some of the pricier tools to implement include:

  • Vulnerability Scanning Tools

  • SIEM (Security Information & Event Management)

  • FIPS 140-2 validated tools.

Consulting, and Operational Costs

Consulting costs are a major part of any organization's budget. From policy and procedure creation to documentation and gap analysis, these expenses can quickly add up. The pricing of consulting services, your technology solutions, software, and more will vary depending on your organization’s size and maturity.

CMMC Compliance Checklist

The following CMMC compliance checklist will give you an understanding of where your organization is and where it needs to go to achieve compliance.

  1. Determine what level of compliance you need

  2. Delegate who will oversee CMMC Compliance

  3. Identify where CIU is in your environment

  4. Limit Access To CIU, allow only authorized personnel

  5. Determine what technologies are needed to achieve CMMC Compliance

  6. Ensure your organization has robust policies and documentation processes

  7. Create a Plan of Action and Milestones (POA&M) for the items and technologies you were not able to meet and create a plan

  8. Conduct a Self-Assessment following NIST 800-171A Guidelines

  9. Eliminate Security Gaps

  10. Prepare yourself and schedule a CP30 to conduct an assessment

  11. Following this CMMC compliance checklist will ensure your organization excels with today's compliance requirements.

BTI: The CMMC Consultant Your Business Needs.

Looking for a seasoned CMMC consultant who can help your organization achieve compliance, no matter your industry? Trust BTI, with decades of experience in providing expert guidance.

Join the organizations that have chosen BTI as their go-to CMMC Consultant. Ready to surpass your industry compliance requirements? Get in touch with us today to schedule your free business assessment.



bottom of page