CMMC Compliance: What You Need to Know for CMMC 2.0

Last Updated: October 28, 2024

Cybersecurity Maturity Model Certification (CMMC) is a critical framework for protecting sensitive information within the defense industrial base (DIB). With the transition to CMMC 2.0, organizations that do business with the Department of Defense (DoD) must ensure they meet evolving cybersecurity standards. 

Whether you are a contractor or a small business owner working with DoD-related projects, achieving CMMC compliance is now more streamlined but remains vital to maintaining contracts and avoiding security risks. 

In this blog, we’ll break down the key components of CMMC 2.0, explore what’s changed, and guide you through what your organization needs to do to meet CMMC compliance requirements and achieve CMMC certification in this new era of defense contracting.

📢 IMPORTANT CMMC 2.0 NEWS

CMMC 2.0 Final Rule Released: New Compliance Standards Set To Begin Next Year

Starting in 2025, the Department of Defense will begin to implement its requirement that all defense contractors be CMMC compliant at the time a contract is awarded. However, in order to avoid a scramble to meet the new regulations with little notice, those requirements will become mandatory after a three-year phase-in period.

The recently released final rule, CFR Part 170, officially establishes CMMC 2.0 effective December 16, 2024.

CMMC 2.0 Will Eventually Be Required For DFARS

The DoD’s follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025. More information on the timing of the proposed DFARS rule can be found at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202404&RIN=0750-AK81.

On August 15, 2024, DoD issued a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS). If enacted, the rule would revise certain DFARS provisions and create new provisions to establish CMMC policies and solicitation and contract requirements. You can learn more in this article from Arnold & Porter.

CMMC assessments will start in Q1 2025, but a limited number of Certified Third-Party Assessment Organizations (C3PAOs) are available to assess, so you should expect delays in the third-party CMMC certification process. If you want to quality for certain DoD contracts when CMMC 2.0 takes effect, you must start the CMMC assessment process immediately.

“After the phase-in period, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services (except those exclusively for COTS items), valued at greater than the micro-purchase threshold that involve processing, storing, or transmitting FCI or CUI. 

When a CMMC level is included in the solicitation or contract, contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the results of a current certification or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements to be identified at 32 CFR part 170, in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance. 

Furthermore, CMMC certification requirements must be flowed down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements to be established at 32 CFR part 170 (see 88 FR 89058).”

industrialcyber.co, August 2024

For more information and updates on CMMC 2.0, see this page from the Federal Register.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity posture of contractors working within the Defense Industrial Base (DIB). It safeguards Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by ensuring contractors implement specific cybersecurity practices and processes.

Since 2017, any organization that handles CUI has a DFARS 252.204-7012 clause in its contract that requires it to comply with NIST SP 800-171. The previous system relied heavily on self-assessments; unfortunately, genuine compliance with requirements was weak. 

The CMMC framework was introduced to address this concern, with various assessment mechanisms to verify compliance with DoD security requirements.

CMMC 2.0 is a proposed rule that is steadily progressing through the federal rulemaking process—and took a huge leap forward with the publication of the CMMC Proposed Rule in the Federal Register in December 2023. CMMC compliance requirements will appear in defense contracts in late 2024 or early 2025.

Unlike FedRAMP, which is required for nearly all contractors, CMMC is only required for DoD-preferred defense contractors. The CMMC framework was designed to increase “cyber hygiene” of defense contractors via the maturation of processes and practices—moving from a self-assessment to a third-party assessor model—after a series of breaches in the supply chain. 

On December 31, 2020, the General Services Administration noted that while CMMC currently only applies to the Department of Defense, all government contractors—civilian or military—should prepare to meet CMMC requirements.

What is CMMC 2.0?

CMMC 2.0 builds on the original CMMC framework but is more directly aligned with NIST SP 800-171 for Level 2 and NIST SP 800-172 for Level 3, focusing on existing federal cybersecurity standards. CMMC 2.0 also no longer requires third-party assessment for Level 1. Instead, Level 2 involves a mix of third-party assessments and self-assessments depending on the sensitivity of the CUI, and Level 3 requires government-led assessments.

Key Changes in CMMC 2.0

• Reduced Number of Levels: CMMC 2.0 consolidates the previous five levels into three, simplifying the CMMC certification process.
• Adoption of NIST Standards: CMMC 2.0 aligns more closely with established NIST standards, making it easier for organizations familiar with these standards to comply.
• Self-Assessment for Some Levels: Level 1 and potentially some Level 2 requirements will only require annual self-assessments, rather than third-party assessments, which reduces the cost and complexity for many organizations.
• Third-Party Assessments for Higher Levels: Level 2 and Level 3 will still require third-party assessments, ensuring thorough evaluation for contractors handling sensitive information.

The three levels of CMMC 2.0 are:

• Level 1 (Foundational): An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). 
• Level 2 (Advanced): An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes
• Level 3 (Expert): An organization must have standardized and optimized processes alongside enhanced practices that detect and respond to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs)

The final rule for CMMC 2.0 was published on December 23, 2023. CMMC assessments are expected to start in Q1 2025, and the phased rollout of CMMC in contracts is expected to begin in Q3 2025.   

CMMC 2.0 vs NIST 800-171

CMMC Level 2 security controls align with the 110 security controls stipulated in NIST SP 800-171 Rev 2. If your organization handles CUI, then you are currently obligated to implement the NIST SP 800-171 security controls per DFARS 252.204-7012.1

What are the Benefits of Cybersecurity Maturity Model Certification?

Enhanced Security Posture
Organizations that achieve CMMC compliance strengthen their cybersecurity by implementing best practices for protecting Controlled Unclassified Information (CUI). This reduces the risk of data breaches, cyberattacks, and other security threats. Organizations also benefit from improved technical capabilities by establishing a comprehensive set of cybersecurity requirements applicable to defense contractors.

Eligibility for DoD Contracts
CMMC is mandatory for companies working with the Department of Defense (DoD). Achieving compliance ensures your business remains eligible to bid on and secure valuable defense contracts, opening doors to lucrative opportunities in the defense sector. With CMMC certification, a company can also pursue government contracts that deal with privileged information.

Competitive Advantage
Being CMMC-compliant can serve as a differentiator, signaling to potential clients and partners that your organization prioritizes cybersecurity. This is increasingly important in industries where security is a top concern.

Risk Mitigation
By adhering to CMMC standards, organizations can proactively address vulnerabilities and protect sensitive information. This reduces the likelihood of costly data breaches, financial losses, and reputational damage.

Streamlined Compliance with Other Regulations
CMMC integrates well with existing cybersecurity standards, such as NIST SP 800-171. Compliance with CMMC can simplify meeting other regulatory requirements, making it easier to manage overall cybersecurity efforts.

Increased Trust and Confidence
CMMC compliance builds trust with customers, suppliers, and government agencies. It demonstrates your organization’s commitment to safeguarding sensitive data and maintaining a strong cybersecurity framework, which can enhance your reputation.

Improved Organizational Processes
Becoming CMMC-compliant often involves adopting more efficient security policies and procedures. These improvements can lead to better internal controls, higher operational efficiency, and a culture that values security.

How to Achieve CMMC Compliance Requirements

Note: As CMMC 2.0 is in active development, the information contained in this section is subject to change.

For more information on the CMMC assessment process, see this pre-decisional draft from CMMC-AB.

Step 1: Determine Your Required CMMC level

Familiarize yourself with the CMMC framework. Determine which level applies to your organization based on the type of information you handle and the requirements of your contracts. For most organizations, this will be either Level 1 or Level 2.

Step 2:  Perform a Gap Analysis

Conduct a self-assessment to determine your current cybersecurity posture against the CMMC requirements. With this analysis you’ll be better equipped to identify areas where your practices and controls need improvement. You can use these CMMC 2.0 compliance checklists from SecureFrame as a reference.

During this process you should consider creating a System Security Plan (SSP) that outlines all hardware, software, relevant personnel, etc. The SSP describes the security requirements of each system and the controls that have been put in place; it also defines individuals’ roles in planning and operating the system, and auditing its performance.

Due to the complexity and time involved in evaluating controls against the CMMC model, you may want to find a managed service provider with a background in the CMMC program.

For general tips on self-assessing your cybersecurity posture, see our article on Tips for Passing Your Next Cybersecurity Audit.

Step 3: Implement Controls and Develop a Plan of Action & Milestones for Unmet Controls

Create a plan to address gaps identified in the gap analysis. This plan should outline the necessary changes, resources needed, and timeline for implementation.

Organizations required to achieve CMMC levels 2 and 3 will be permitted to have POA&Ms (Plans of Action & Milestones) in place for NIST SP 800-171 security controls not yet met at the time of their assessment. POA&Ms indicate how and when unmet controls will be met. POA&Ms will not be permitted for organizations required to achieve CMMC Level 1.

If POA&Ms are needed, organizations can receive a “CMMC Level 2 Conditional Certification” following their initial C3PAO assessment only if at least 80% of all CMMC Level 2 controls are met, and all controls that are not met upon initial assessment are permitted to be met via POA&Ms. 

Organizations given CMMC Level 2 Conditional Certification are responsible for ensuring that all deficiencies listed in their POA&M are corrected within 180 days of their Final Findings briefing with their C3PAO. If an organization has remaining deficiencies after 180 days, its Level 2 Conditional Certification will be revoked.

For more information on POA&Ms, see this guide from Homeland Security.

Step 4: Document Policies and Procedures

Documenting policies and procedures is a critical component of achieving CMMC compliance. It involves creating comprehensive, detailed documents outlining your organization’s cybersecurity practices and controls.

Start by developing a clear set of cybersecurity policies that define the rules and guidelines for managing and protecting sensitive information. These policies should address various aspects of your cybersecurity strategy, such as data protection, access controls, incident response, and acceptable use of technology.

Each policy should be tailored to meet the specific requirements of the CMMC level you are pursuing. For example, policies at Level 2 might need to include specific guidelines for multi-factor authentication and regular patch management.

Step 5: Conduct Training and Awareness

Any cybersecurity strategy must ensure all users understand their roles and responsibilities in maintaining cybersecurity—CMMC is no different. This training and awareness must include cybersecurity training for employees to ensure they know the risks and responsibilities of their role in the organization.

Step 6: Engage a CMMC Third-Party Assessment Organization (C3PAO)

An assessment by a C3PAO verifies that your systems can protect sensitive information like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

While self-assessments will suffice to meet CMMC Level 1 requirements (and sometimes level 2), anyone seeking compliance with Level 2 or Level 3 must be audited by a C3PAO before they can be awarded contracts.

C3PAOs are independent organizations accredited by the CMMC Accreditation Body (CMMC-AB) to conduct formal assessments of your cybersecurity practices and determine whether they meet the requirements for your desired level of CMMC certification. For the best results, ensure your organization has performed thorough internal audits before engaging a C3PAO.

Before the assessment, you will gather all necessary evidence that demonstrates adherence to CMMC compliance requirements, such as records of security practices, training logs, and incident response reports. 

During the assessment, the C3PAO will conduct a comprehensive review of your organization’s cybersecurity practices. They will evaluate your policies, procedures, and controls against the CMMC requirements. This process typically involves interviews with key personnel, examination of documentation, and observation of practices. It’s crucial to facilitate the assessment by being transparent and cooperative. Provide the assessors with the information and access they need to perform their evaluation effectively.

Note: The Department of Defense intends for Level 3 cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.

Step 7: Address Findings From the C3PAO’s Assessment

Once the assessment is complete, the C3PAO will provide a detailed report outlining their findings, including any areas where your organization did not meet the required standards. Once you implement the necessary changes and improvements based on the feedback from the C3PAO and your POA&M, you can re-engage with them to verify that your revisions are adequate.

Step 8: Ongoing Maintenance & Improvement

CMMC compliance is not a one-and-done deal; it requires ongoing monitoring and adjustments of your security practices to ensure your organization remains compliant. In addition, once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required annually. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs will be required on a triennial basis.

Example of ongoing maintenance and improvement:

• Ongoing employee training and awareness to ensure staff continue to follow cybersecurity best practices and security policies
• Continuous monitoring of network activity for indicators of compromise or non-compliance
• An annual self-assessment and regular internal audits to ensure controls remain adequate for their intended purpose

The Cost of CMMC Compliance

The costs and procedural requirements associated with implementing CMMC have been a significant concern for defense contractors and trade associations. CMMC compliance costs can vary significantly based on the organization’s size, the CMMC maturity level required, and the existing state of the company’s cybersecurity practices. 

Major cost factors include:

• Gap assessment and consulting
• Technology upgrades
• Training and personnel
• Third-party audits
• Ongoing compliance and monitoring
• CMMC level requirements
• Size and complexity of the organization
• CMMC certification renewal costs

For a rough estimate, DefenseScoop shared these figures based on DoD projections. These estimates do not include the cost of implementing the security requirements themselves. For full details of the factors considered, check out the original article.

• Level 1 Costs: For Level 1, the Pentagon estimates the cost to support a self-assessment and affirmation would be nearly $6,000 for a small entity and about $4,000 for a larger entity. 
• Level 2 Costs: A Level 2 self-assessment and related affirmations are estimated to cost over $37,000 for small entities and nearly $49,000 for larger entities. This cost jumps to nearly $105,000 for small entities and approximately $118,000 for larger entities when factoring in the costs of becoming assessed by a third party.
• Level 3 Costs: For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the security mandates for Level 3 are $490,000 and $2.7 million, respectively. The projected cost of a certification assessment is more than $10,000. For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000

CMMC compliance is a substantial investment, particularly for organizations at higher certification levels. However, the cost should be seen as a strategic investment in securing DoD contracts, protecting sensitive information, and safeguarding against potential cybersecurity threats, which can lead to far more costly breaches or contract losses if left unaddressed. Proper planning, resource allocation, and regular monitoring will help ensure compliance while managing costs effectively.

Frequently Asked Questions About CMMC Compliance

These are the most frequently asked questions about CMMC compliance. For more FAQs, see this CMMC FAQ from the CIO of the US Department of Defense.

What Types of Information Does CMMC Protect?

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.

Federal Contract Information (FCI)

Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (CUI)

Sensitive information that does not meet the criteria for classification but must still be protected.  It is Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.  

What Is The Difference Between NIST 800-171 And CMMC Compliance?

The security controls in CMMC are taken directly from the NIST 800-171/172 frameworks. The key difference between CMMC and NIST 800-171 is that CMMC requires certification from an independent third-party assessment organization (C3PAO) to verify that the organization has met the required level of cybersecurity controls, whereas NIST 800-171 relies entirely on independent assessments. 

NIST 800-171: Focuses specifically on protecting CUI in non-federal systems, with 14 families of controls (such as access control, incident response, and system and information integrity) that organizations must follow.

CMMC: CMMC is broader in scope. While Level 2 of CMMC aligns closely with NIST 800-171, CMMC includes additional practices and processes, especially at higher maturity levels, to address a wider range of cybersecurity threats. CMMC Level 3, for instance, introduces practices from other NIST frameworks like 800-172, designed for advanced persistent threats (APT).

If I’m NIST 800-171 Compliant, Do I Automatically Achieve Compliance with CMMC?

No, being NIST 800-171 compliant does not automatically make you CMMC compliant, but it does put you on the right path. 

NIST 800-171 compliance closely aligns with CMMC Level 2, which is primarily focused on protecting CUI. CMMC Level 2 requires organizations to implement the 110 security controls from NIST 800-171, so if you’re already compliant with NIST 800-171, you’ve covered a significant portion of CMMC Level 2 requirements.

While CMMC Level 2 includes NIST 800-171 controls, CMMC also introduces additional security practices and maturity processes, particularly at higher levels of certification (e.g., Level 3). Depending on the maturity level you need, being NIST 800-171 compliant won’t cover everything, especially if you’re aiming for CMMC Level 3 (Expert), which includes additional practices from NIST SP 800-172.

Depending on the specific CMMC level your organization needs to achieve, your existing NIST 800-171 compliance may or may not cover all of the required security controls. For instance, CMMC Level 1 focuses on basic cyber hygiene and is less stringent than NIST 800-171, while CMMC Level 3 includes controls that go beyond NIST 800-171.

“Compliance with NIST standards are levied as contractual requirements via inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. The relationship between CMMC and the NIST standards is that CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. The FAR clause states the basic safeguarding requirements for CMMC Level 1 compliance. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.” – DoD CIO

What Is The Deadline For CMMC Certification?

The deadline for CMMC compliance is currently tied to the phased implementation of CMMC 2.0, but exact dates may vary depending on contract requirements and the Department of Defense (DoD) rollout schedule. 

On June 27, 2024, after adjudicating nearly 2,000 comments, following a 60-day open-comment period, the DoD submitted a draft of the CMMC 2.0 Final Rule (32 CFR) to the Office of Information and Regulatory Affairs (OIRA) at the White House.

The 32 CFR CMMC Final Rule is estimated to be published no later than October 26, 2024, after OIRA’s review of up to 120 days, and will come into effect approximately 60 days later, in late Q3 or early Q4 2024.

Who Needs CMMC Compliance? Is CMMC Compliance Mandatory?

The CMMC is required for any company or contractor working with the U.S. Department of Defense (DoD) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 

This includes:

1. DoD Contractors and Subcontractors: All organizations involved in the defense supply chain, including those in manufacturing, research, and development.
2. Suppliers: Any vendor or supplier providing goods or services to the DoD must adhere to CMMC if they handle sensitive information.
3. Small Businesses: Even smaller entities or subcontractors working on DoD projects need compliance if they come into contact with FCI or CUI.
4. Cloud Service Providers (CSPs): If a CSP stores or processes data for a DoD contractor, it must comply with CMMC regulations.

CMMC establishes assessment mechanisms to verify compliance with DoD cybersecurity requirements, and is on track to appear in defense contracts by late 2024 or early 2025. Even today, if your organization handles CUI, you have a DFARS 252.204-7012 clause in your contract that requires you to comply with NIST SP 800-171. CMMC Level 2 security controls will mirror these same NIST SP 800-171 controls.

While CMMC compliance is not mandatory for every organization, anyone wishing to bid on DoD contracts involving FCI or CUI must meet the CMMC level associated with their contract. Before a contract is awarded, you must obtain the necessary CMMC certification from a third-party assessor, if required by the specified level.

What Level Of CMMC Compliance Do I Need To Achieve?

Once CMMC 2.0 is implemented, the DoD will specify the required CMMC level in the solicitation.

For the vast majority of contracts, CMMC level 1 or 2 will suffice. The proposed rule states that level 3 standards are expected to apply only to a “small subset” of defense contractors and subcontractors.

During the contract bidding process you will be informed of the CMMC compliance level your organization must achieve prior to being awarded the contract. The Request for Proposal (RFP) or other solicitation documents for a DoD contract will specify the required CMMC level as  part of the contract’s cybersecurity requirements.

The DoD estimates that the approximately 220,000 organizations in the Defense Industrial Base will break down into the CMMC levels as follows:

• Level 3: 1,500 organizations
• Level 2: 80,000 organizations
• Level 1: 140,000 organizations

For general guidance, organizations that handle just FCI should only need to achieve Level I. Any organization that handles CUI will need to achieve at least Level 2. CMMC Level 3 is for defense contractors and university researchers who work with CUI and are subject to Advanced Persistent Threats (APTs).

When Is CMMC 2.0 Compliance Required?

Compliance with CMMC 2.0 will not be a contractual requirement until the DoD completes rulemaking to implement the program. CMMC 2.0 will become a contract requirement once rulemaking is completed.

A phased implementation of CMMC 2.0 is expected to begin in Q1 2025 with CMMC in all DoD contractor and subcontractor contracts by 2028. In preparation for the final CMMC rule being published and going into effect Q1 2025, some DoD contractors are now requiring their subcontractors to demonstrate compliance.

How Long Does CMMC Compliance Take To Achieve?

The time it takes to achieve CMMC compliance can vary significantly based on several factors, including your organization’s current cybersecurity posture, the level of CMMC compliance required, and the resources available. 

As a rough guide:

• A few weeks to a few months for Initial Assessment and Planning
• Several months to over a year for Implementation and Remediation
• A few weeks for an optional pre-assessment
• A few weeks to a few months for the certification assessment
• Several weeks to several months for any required remediation
• Continuous effort for ongoing compliance and maintenance

Small to Medium Organizations: Typically, achieving compliance might take around 6 to 12 months, assuming some existing cybersecurity practices are in place.

Large or Complex Organizations: For larger or more complex organizations, the process could take 12 to 18 months or more, depending on the current state of cybersecurity practices and the level of compliance required.

Due to the length of time it takes to become CMMC compliant, it’s strongly recommended that organizations start the process early so they are prepared to bid on contracts.

What Is A C3PAO?

A Certified Third-Party Assessment Organization (C3PAO) is an organization that has been accredited by the CMMC Accreditation Body (CMMC-AB) to perform formal assessments and evaluations of organizations seeking CMMC certification.

Role and Responsibilities of a Certified Third-Party Assessor:

1. Conduct Assessments: C3PAOs are responsible for conducting assessments to evaluate an organization’s compliance with the CMMC requirements. This involves a thorough review of the organization’s cybersecurity practices, controls, and documentation.
2. Provide Certification: After completing the assessment, C3PAOs provide a certification recommendation based on their findings. This recommendation is submitted to the CMMC-AB, which makes the final decision regarding certification.
3. Ensure Objectivity: C3PAOs must maintain impartiality and objectivity during the assessment process to ensure that the evaluation is fair and unbiased.
4. Follow Standards: They adhere to established standards and procedures set by the CMMC-AB to ensure consistency and reliability in the assessment process.

You can find a C3PAO using this listing from Cyber AB, the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of the U.S. Department of Defense in implementing and overseeing the CMMC conformance regime.

CMMC Compliance Resources

• CurrentWare’s Security Controls for CMMC Compliance
• A Guide to Achieving CMMC Compliance | PreVeil
• Cybersecurity Maturity Model Certification Guidance Documents | Department of Defense
• CMMC Documentation | CIO, US Department of Defense