CMMC is the Cybersecurity Maturity Model Certification. It’s a set of security standards from the U.S. Department of Defense (DoD) for handling controlled unclassified information (CUI) and federal contract information (FCI). CMMC is required for all contractors and subcontractors wanting to bid on new DoD contracts or renew existing contracts.

The DoD has for some time required security standards for contractors and subcontractors. For example, in 2018, they were required to meet NIST 800-171 standards; however, there was some ambiguity on what meeting those standards meant and how the DoD could measure accountability.

In January 2020, the government released CMMC 1.0 to create a common framework to make implementation and accountability less difficult. It was included in the Defense Federal Acquisition Regulation Supplement (DFARS) as a part of the contract awarding processes. CMMC 2.0 was announced in November of 2021, the latest version designed to streamline its requirements and be more accessible to small and medium-sized businesses.

To become CMMC certified, contractors are required to successfully complete an accredited third-party assessment or get an independent assessment from an accredited assessor for the minimum CMMC certification level needed for a DoD contract. This certification is also required of any subcontractors working on DoD contracts. Once certified, the certification remains valid for three years.

A DoD contractor or subcontractor going through a CMMC assessment certification process is referred to as an Organization Seeking Certification (OSC). If an organization doesn’t access CUI but accesses FCI, it should also be CMMC-certified.

Any organization not certified at the required CMMC level outlined in all requests for information (RFIs) and requests for proposals (RFPs) when the DoD awards a contract can be disqualified from participating in that contract.

The CMMC model outlines three levels of certification:

  • Level 1: Foundational: There are 17 practices that enable an annual self-assessment for certification. This is for organizations with FCI only.
  • Level 2: Advanced: There are 110 practices, which align with NIST SP 800-171. Triennial third-party assessments are required for prioritized acquisitions; however, self-assessments may be applicable for certain programs, such as non-prioritized acquisitions. This is for organizations with CUI.
  • Level 3: Expert: There are 110 practices at this level based on NIST SP 800-172. There are also triennial assessments for this level, but they are government-led assessments. This is for the highest priority programs with CUI.

Flexible Implementation

CMMC 2.0 also allows, under certain circumstances, companies to make Plans of Action & Milestones (POA&Ms) to achieve certification. These POA&Ms will be strictly time-bound, possibly for 180 days; however, they will not be allowed for the highest-weighted requirements. There will be a minimum score to support POA&M certification.

If your company works with DoD contracts or would like to begin doing so, contact CBM for a consultation on how you can implement the CMMC framework.