What is CMMC and Who Needs To Comply?


In late 2020, the US Department of Defense (DoD) published an interim DFARS rule introducing a new certification program for contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Compliance is mandatory for every contractor and subcontractor in the defense supply chain that handles that information, manufacturers included, and, depending on the level a contract requires, may call for an assessment by a CMMC third-party assessment organization (C3PAO).

The good news is that the certification program gives your business a defined set of security requirements and an assessment that confirms none of them has slipped through the cracks. But don't wait to get started. It is a long and involved process, and you should begin preparing your business for its assessment as soon as possible.

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is a certification program for DoD contractors and subcontractors, manufacturers included, that handle FCI or CUI. It comprises three levels that gauge your organization's cybersecurity hygiene, from Foundational to Expert. CMMC 2.0, announced on November 4, 2021, is the current version of the model. It replaces the five levels of CMMC 1.0 with three levels built directly on established NIST standards (NIST SP 800-171 and NIST SP 800-172), and it was codified in 32 CFR Part 170, which took effect on December 16, 2024.

Why is CMMC DoD compliance important?

Mandatory compliance

Under the existing Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, compliance with NIST SP 800-171 was self-attested, which meant your business alone was responsible for implementing and maintaining the required security controls. This resulted in widespread confusion and poorly managed compliance. CMMC adds independent verification for most contractors that handle CUI; the consequence of noncompliance is being ineligible for DoD contracts that carry the CMMC clause. The required CMMC status must be in place before a contract can be awarded to you, so it is vitally important to prepare well in advance to avoid costly delays.

Increase in cybercrimes

Cybercrime has risen steadily for as long as the internet has existed. According to the FBI's 2019 Internet Crime Report, its Internet Crime Complaint Center received more complaints and recorded more reported losses in 2019 than in any previous year. What's more, the 2020 COVID-19 crisis only spurred cybercriminals on, as they took advantage of the fear and uncertainty the pandemic caused.

Controlled Unclassified Information (CUI) is not classified information. It is information that the government creates or possesses, or that a contractor creates or handles on the government's behalf, which a law, regulation or government-wide policy requires to be safeguarded or subject to dissemination controls. In a defense manufacturing context this typically means Controlled Technical Information (CTI) such as engineering drawings, specifications and technical data. The US government cannot risk CUI falling into hostile hands. With cybercrime increasing, and many contractors failing to fully implement NIST SP 800-171, the government determined the risks were too high to let companies continue to self-certify.

Who needs to be certified and how does it apply to manufacturers?

Any manufacturer or contractor that holds a DoD contract and handles CUI in any capacity is already required, under DFARS 252.204-7012, to implement the security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171. If your business has done that work, it should already be well on its way to meeting CMMC Level 2.

DFARS 252.204-7012 had no tiers: every contractor handling CUI had to implement all 110 NIST SP 800-171 requirements on its own attestation. CMMC 2.0 introduces three levels. If your business handles only FCI and no CUI, Level 1 applies, and its requirements are the basic safeguarding practices you should already have in place under FAR 52.204-21, so you may not need to meet any new security requirements. If you handle CUI, Level 2 applies and you will need the full NIST SP 800-171 baseline, verified by assessment rather than self-attestation. Contractors supporting the DoD's highest-priority programs may be required to meet Level 3, which goes beyond anything DFARS previously demanded.

CMMC 2.0 levels

CMMC 2.0 consists of three levels. Level 1 contains fewer requirements than NIST SP 800-171/DFARS, Level 2 encompasses all 110 security requirements of NIST SP 800-171, and Level 3 adds a selected set of NIST SP 800-172 requirements on top of those 110.

Level 1: Foundational. This level focuses on safeguarding Federal Contract Information (FCI) and requires the basic safeguarding practices of FAR 52.204-21 (counted as 17 practices when CMMC 2.0 was announced, and as 15 requirements in the final rule). It is verified by an annual self-assessment.

Level 2: Advanced. This level builds upon Level 1 and protects Controlled Unclassified Information (CUI). Its requirements are exactly the 110 security requirements of NIST SP 800-171. For most contracts it is verified by a C3PAO assessment every three years, with an annual affirmation in between; a limited set of programs allows a self-assessment instead.

Level 3: Expert. This level builds upon Level 2 and protects CUI on the DoD's highest-priority programs against advanced persistent threats. It adds 24 selected requirements from NIST SP 800-172, which supplements NIST SP 800-171 with enhanced requirements aimed at sophisticated adversaries. A current Level 2 C3PAO certification is a prerequisite, and the Level 3 assessment is conducted every three years by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO.

Which CMMC level do you need to comply with?

The level a contract requires reflects how sensitive the information on that contract is and, therefore, how much assurance the DoD needs that the contractor can protect it. The certification level required for a company depends on the nature of the information it handles and the requirements stated in the solicitations for the contracts it seeks to win.

Level 1 is the lowest level and is required for contractors that handle only Federal Contract Information (FCI): information not intended for public release that is provided by or generated for the government under a contract, but that does not meet the definition of CUI. This level includes basic safeguarding requirements and is intended for contractors that do not handle CUI.

Level 2 is required for contractors that handle CUI and involves the full NIST SP 800-171 set of safeguarding requirements. Most contracts involving CUI will require a C3PAO assessment at this level; a limited set of programs will accept a self-assessment.

Level 3 is required for contractors that handle CUI on the DoD's highest-priority programs and involves the most advanced safeguarding requirements. This level includes all of the practices in Levels 1 and 2, as well as the additional NIST SP 800-172 requirements, and is assessed by the government rather than by a C3PAO.

CMMC timeline: When will compliance become a requirement?

The rollout of CMMC was delayed and revised several times. The program rule (32 CFR Part 170) took effect on December 16, 2024, and the DFARS acquisition rule that places CMMC requirements in contracts took effect on November 10, 2025, starting a phased rollout over roughly three years: Level 1 and Level 2 self-assessment requirements appear in solicitations first, C3PAO-assessed Level 2 follows, and Level 3 comes last. Check each solicitation for the level and assessment type it requires.

CMMC news and updates can be found on the DoD CIO's CMMC site and on the website of the Cyber AB (formerly the CMMC AB), the program's accreditation body.

How to obtain the CMMC certification for your organization

How you demonstrate CMMC compliance depends on the level the contract requires. Level 1, and a limited set of Level 2 contracts, are satisfied by a self-assessment whose results you submit to the DoD's Supplier Performance Risk System (SPRS); most Level 2 contracts require a certification assessment by an accredited C3PAO; and Level 3 requires a government-led assessment. In every case you need to begin preparing as soon as possible. Depending on your current cybersecurity status, it could take many months to make your business compliant, because an assessment checks evidence that each requirement is actually implemented, not just that a policy exists, and assessors will expect a written System Security Plan (SSP) describing how each requirement is met. We recommend manufacturers begin preparing at least six months in advance.

Registered Provider Organizations

To help contractors meet the new compliance obligations and raise the cybersecurity-hygiene bar, the Cyber AB registers organizations to provide CMMC consulting and support. Known as Registered Provider Organizations (RPOs), they are staffed by Registered Practitioners (RPs) who have been trained on the CMMC model and its assessment process. Partnering with an RPO can greatly simplify and accelerate your preparation, because they can identify your organization's gaps against the required level and the quickest ways to close them. Note, however, that RPOs do not conduct certification assessments, and the program's conflict-of-interest rules prevent a C3PAO from assessing an organization it helped prepare, so your consultant and your assessor must be different organizations.

When you and your RPO agree that your business is ready to be assessed, use the Cyber AB Marketplace to find an accredited C3PAO and schedule the assessment. The assessors will examine your implementation of each required practice against the applicable CMMC assessment guide. If every requirement is met (or, at Level 2, any shortfalls are among those eligible for a limited Plan of Action and Milestones that must be closed out within 180 days), you will earn the applicable CMMC status and become eligible for award of contracts that require it.

CMMC compliance with a COUPLE of GURUS

With Registered Practitioners (RPs) on staff, we can help ensure your organization is ready for its CMMC assessment, whether you are preparing for Level 1, Level 2 or Level 3.

a COUPLE of GURUS offers managed IT services that proactively care for your technology needs. We have over 18 years of experience helping businesses like yours with IT projects, cybersecurity and compliance, cloud services, and managed IT services.

Contact a COUPLE of GURUS with your questions about achieving CMMC compliance. We can clarify the new regulations and prepare your business for any level of CMMC audit.