The Cybersecurity Maturity Model Certification (CMMC) is both an assessment framework for US defense contractors and sub-contractors, and a certification program for organizations performing independent assessments. 

The purpose of the CMMC is to strengthen the cybersecurity position of the entire Defense Industrial Base (DIB), which is estimated to consist of about 300,000 companies. The goal is to better protect them and all the sensitive government, agency, and employee information that they handle.

Once the program is fully implemented, many Department of Defense (DoD) contractors will be required to achieve a specific CMMC level as a condition of contract award. In some cases, they will also have to pass an independent assessment to verify the implementation of clear cybersecurity standards.

WHY IS CMMC IMPORTANT? 

Cybersecurity across every landscape has undergone a change of seismic proportions since the dawn of the 21st century. The proliferation of digital technology across the entire DoD has significantly enlarged the attack surface, giving cybercriminals a lot more targets to attack.  

Cybercriminals themselves have transformed from curiosity-driven technology explorers into highly sophisticated and organized criminal groups, often affiliated with nation-states or terrorist organizations.  

Unless met with equally sophisticated defenses, these threat actors could disrupt physical systems and infrastructures that are linked to the internet, steal sensitive information that could put the US and its allies at risk, and cause huge economic and societal disruption.  

Previous attempts to address these risks, such as the criteria set out in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, were not effective enough because they relied on self-attestation.  

To turn the tide in the fight against cybercrime, the CMMC introduces assessments performed by third-party assessors as the only way to demonstrate compliance with the highest maturity level.  

A BRIEF HISTORY OF CMMC 

The first version of the CMMC was implemented in September 2020 with the publication of an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041).  

CMMC 1.0 included the three main features of the framework (tiered model, assessment requirements, and implementation through contractors), and it established a five-year phase-in period.  

The DoD started to review the initial version of the CMMC program in March 2021. After collecting more than 850 public comments, the DoD announced the CMMC 2.0 in November 2021.  

The new version focuses on the most critical cybersecurity requirements, is aligned with the National Institute of Standards and Technology (NIST) cybersecurity standards, and allows some companies to demonstrate compliance through self-assessments. 

CMMC REQUIREMENTS 

Not all DoD contractors handle equally sensitive information. Some store, process, and transmit only Federal Contract Information (FCI), but some also deal with Controlled Unclassified Information (CUI), which is subject to additional safeguarding requirements.

The CMMC reflects this with its tiered model, which consists of three compliance levels:  

Level 3
  Model: 134 requirements based on NIST SP 800-171 and 800-172
  Information: Controlled Unclassified Information (CUI)
  Assessment: Triennial assessments conducted by government officials.

Level 2
  Model: 110 requirements aligned with NIST SP 800-171
  Information: Controlled Unclassified Information (CUI)
  Assessment: Triennial third-party assessments or self-assessments, depending on whether information critical to national security is involved.

Level 1
  Model: 15 requirements
  Information: Federal Contract Information (FCI)
  Assessment: Annual self-assessments.

Under certain limited circumstances, contractors can apply for a CMMC waiver or use Plans of Action & Milestones (POA&Ms) to close remaining gaps on the way to certification.

ACHIEVING CMMC COMPLIANCE 

Right now, a formal rulemaking process is underway, and it can take up to 24 months. Once rulemaking is completed, CMMC 2.0 will become a contract requirement, and compliance with one of the three maturity levels will be a necessary prerequisite for bidding on defense contracts. 

All companies that want to continue working for the DoD should start preparing for CMMC compliance now, because it can take considerable time to implement the necessary requirements and complete the self- or third-party assessment process.

The penalties for non-compliance may include everything from the termination of contracts and restrictions from future government contracting to reputational damage and even criminal and civil litigation.  

At Help Desk Cavalry, we can help you achieve CMMC compliance painlessly and cost-effectively by assessing your existing cybersecurity posture, creating a detailed remediation plan, and resolving the identified gaps. Contact us to see what it takes to get you started down the path.