The Cybersecurity Maturity Model Certification (CMMC) is a framework used by the U.S. Department of Defense to ensure its contractors and subcontractors are capable of protecting the controlled unclassified information (CUI) and federal contract information (FCI) they handle in their daily operations.
Lately, the CMMC framework has seen significant revisions, condensing five compliance levels to just three and aligning cybersecurity best practices to other industry standards, such as NIST. While the CMMC has changed, the need for CMMC compliance has not. Businesses and organizations that form the Defense Industrial Base still have an obligation to meet their CMMC compliance requirements in order to win new contracts and renew existing contracts.
How Has CMMC Certification Changed?
The DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 more closely aligns with NIST 800-171 — a cybersecurity standard used in private and public sectors — than the previous CMMC program. The DoD’s 2.0 maturity model assesses contractors’ cybersecurity capabilities for protecting controlled unclassified information (CUI) and federal contract information (FCI).
Exploring the New CMMC Certification Levels
The original CMMC framework had five levels of certification ranging from basic cybersecurity postures to sophisticated technologies to stop Advanced Persistent Threats (APTs). Release 2.0 reduces the certification levels to three by eliminating transition levels two and four.
Each level outlines its own CMMC compliance requirements, and which level an organization needs to meet depends on the type of data it handles and the cyber threats it faces.
The three new CMMC certification levels are as follows:
- Foundational: Level 1 only applies to companies with FCI data. Protecting the information requires 17 controls for the basic safeguarding of FCI data. It focuses on reducing user access, storing protected materials, and restricting physical access. To achieve CMMC compliance, organizations must regularly self-assess their cybersecurity practices.
- Advanced: Level 2 includes protecting CUI data. The framework uses NIST 800-171, with its 14 security levels and 110 security controls. Level 2 organizations must seek independent assessments from a third party.
- Expert: Level 3 reduces the risk of successful APTs. These requirements establish a framework for defending against ongoing threats from cybercriminals. Organizations that fall into this category need regular government assessments of their cybersecurity posture.
CMMC is a maturity model, meaning that companies are evaluated on a continuum of cybersecurity capabilities. Instead of producing a requirements document with a single set date for compliance, the maturity model assesses compliance against progressively more demanding cybersecurity capabilities.
What Is CMMC Certification?
CMMC certification assesses contractors’ cybersecurity capabilities. Based on where a company is on its security journey, the requirements vary. However, the farther along a business is on the journey, the more stringent the standards.
CMMC requirements align with the different CMMC compliance levels. The CMMC compliance requirements for each level are as follows:
Foundational
Level 1 CMMC certification requires contractors to complete a self-assessment and identify the people and facilities that store, use, or transmit FCI data. In addition, they must identify the technology used to protect the FCI at rest and in transit. Companies must also check that their supply chain vendors’ access to their systems complies with DoD requirements.
Advanced
Certification at Level 2 requires a third-party assessment. Contractors must be assessed by accredited CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC assessors. The accredited or certified entities have completed a rigorous process for evaluating a contractor’s CMMC compliance.
Under some circumstances, CMMC L2 organizations can self-assess, but only for select programs.
Expert
Certification requirements for Level 3 are far more complex because organizations in this category must protect themselves and their sensitive data from Advanced Persistent Threats (APTs).
In addition to adhering to 110 requirements from NIST SP 800-171 r2 standards, organizations must also adhere to 24 additional requirements from 800-172. Assessments are performed not by a C3PAO but rather by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
How to Become CMMC Certified
The first step in the certification process is to read CMMC 2.0 and identify where your business fits in the maturity model. Then, assess where you stand concerning CMMC compliance requirements with a vulnerability assessment, which shows the gaps in your cybersecurity practices and provides a roadmap for preparing for CMMC certification and compliance.
Complying with CMMC can take months to complete. CMMC 2.0 is being rolled out by the DoD across its contracts throughout 2025, with all contracts expected to include CMMC 2.0 requirements by 2026.
If your organization needs a third-party assessment for certification, you need to start looking for one now. Because auditors must go through a certification process to become accredited, the number of providers is limited, and lead times can become very long.
What happens if you fail a CMMC compliance assessment?
Failing an audit requires remediation. First, your business must correct the deficiencies and request a retest. But this process takes time and money. It’s more cost-effective to conduct internal assessments until you are comfortable with your cybersecurity model. Only then should you request a test date.
How to Find a Partner for Your Cybersecurity Maturity Model Certification Process
Reading through pages of requirements on everything from physical security to compliance reporting can be overwhelming. Deciding on a path to achieve CMMC compliance can feel impossible. It can also be costly; for example, activities such as vulnerability scanning and penetration testing should be performed with specialized automated tools.
As an authorized C3PAO, Cask Government Services has years of experience servicing government agencies and their contractors. We have the tools and expertise to guide you through the CMMC certification process from beginning to end. Contact us today to discuss how to achieve certification and stay competitive in the defense industry.
FAQs
What is CMMC and why is it important?
The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the U.S. Department of Defense to ensure that contractors can protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC compliance is crucial for businesses wishing to secure and renew contracts with the Defense Department, as it ensures proper cybersecurity practices are in place.
How has the CMMC certification framework changed recently?
CMMC has been updated to CMMC 2.0, which simplifies the model from five levels to three, aligning more closely with NIST 800-171 standards. The framework revisions focus on maintaining cybersecurity best practices and streamlining requirements to protect sensitive information.
What are the new CMMC certification levels?
CMMC 2.0 has three certification levels:
- Foundational (Level 1): Basic safeguarding for FCI data, requiring regular self-assessments.
- Advanced (Level 2): Protects CUI data, involving third-party assessments when necessary.
- Expert (Level 3): Defends against Advanced Persistent Threats (APTs) with government-led assessments.
What steps should a business take to become CMMC certified?
To become CMMC certified, a business should first identify where it fits within the CMMC 2.0 maturity model. Next, perform a vulnerability assessment to identify cybersecurity practice gaps. Businesses needing Level 2 or 3 certification must seek independent third-party assessments or government assessments. Early preparation is recommended due to the limited number of accredited assessors and the rolling implementation of CMMC 2.0 through 2025.