Skip to content

CMMC Explained: Understanding DoD’s Latest Cybersecurity Contracting Standard

CMMC: U.S. Government Contractors seeking to bid on defense contracts will soon need this certification.

Author: Jeff White, Chief Security Officer, CMMC-RP 

Driven by lapses in security across the DIB coupled with the growing threat of cyberattacksthe Department of Defense sought more stringent data protection requirements to safeguard U.S Government related Information.  

On January 31, 2020, the U.S. Pentagon in partnership with Carnegie Mellon, and John Hopkins, formed what is known today as the Cybersecurity Maturity Model. 

This model will require all DoD prime and subcontractors who access, store, and/or transmit Controlled Unclassified Information (to include Federal Contractual Information or FCI) to implement a specified level of cybersecurity maturity.  

The upcoming contract requirement also known as the DFARS 7021 (DFARS 252.204-7021) clause, adds a ‘trust but verify component’ to existing federal contract data protection identified under DFARS 252.204-7012, Safeguarding Covered Defense Information & Cyber Incident Reporting.   Prior to CMMC’s release, defense contractors were able to self-attest that the businesses were abiding by established contract security standard..    

We will briefly dive into the actual structure and requirements surrounding the updated CMMC 2.0.  

CMMC Model Breakdown

Since inception, the CMMC Program has undergone commentary period, allowing for DIB contractors, and cybersecurity leaders to provide constructive feedback.  The DoD and CMMC-AB’s (Accreditation Body) goal from these discussions were to eliminate confusion on the certification process, while easing the contractor burden of  implementation.      

As of 11/04/2021, the 2nd iteration of CMMC (known as ‘CMMC 2.0’) has been released.  CMMC latest and greatest 2.0, is comprised of three (3) cybersecurity maturity levels (down from 5 in ‘CMMC 1.0’); Level 1Level 2, and Level 3. 

Let’s take a closer look at the CMMC 2.0 levels and what requirements apply to each.   

  • Maturity Level 1, (previously considered ‘Basic’ in CMMC 1.0) also referred to as ‘Foundational’ applies to those organizations holding or accessing Only FCI (or Federal Contract Information).  Certification for CMMC Level 1 will require contractors to meet implementation of 17 Cybersecurity Practices, tailored towards basic information protection and cyber hygiene. Level 1 organizations will have to show that the 17 practices are routinely and uniformly applied across the business.   In addition to meeting these practice requirements, verification of Maturity Level 1 compliance will be performed through self-attestation.  Self-Attestation must by signed by senior level company official.  
  • Maturity Level 2, (previously considered ‘Good’ in CMMC 1.0) also referred to as ‘Advanced’ Cybersecurity, applies to those organizations accessing, transmitting or creating CUI (or Controlled Unclassified Information).  Certification for CMMC Level 2 will require contractors to meet implementation of all 110 Cybersecurity Practices, in alignment with NIST 800-171 Framework.  Like Level 1, organizations will have to show these designated practices are routinely and uniformly applied across the business.   To verify the implementation of Maturity Level 1 compliance, annual Self-Attestation will be required by a senior company official, with the exception of CUI information pertaining to ‘critical national security programs.  Compliance with national security level programs and accompanying CUI information, will necessitate a annual verification ‘assessment’ by a Certified 3rd Party Audit Organization (also known as C3PAO). 
  • Maturity Level 3, (previously considered ‘Advanced’ in CMMC 1.0) also referred to as ‘Expert’ applies a subset of more critical national security programs and accompanying ‘CUI’ Information.  The specific subset of programs however is still being designated by the DoD Acquisition & Sustainment.  Certification for CMMC Level 3 will require contractors to meet implementation of enhance 110+ Cybersecurity Practices, which includes all 110 controls in NIST 800-171 as well as a subset controls from NIST 800-172.  Level 3 organizations will have to verify that the 110+ practices are routinely and uniformly applied across the business, through a government led assessment.  The specific government auditing/assessment organization that will be tasked with Level 3 Assessments, has not been determined at this time.    

Now that we’ve discussed what the basic CMMC structure, let’s briefly touch on how organizations can best prepare for this upcoming contract requirement.  

CMMC Quick Tips: How to help prepare your organization for compliance readiness

“Your organizations DFARS-CMMC readiness will be dependent on you taking proactive action to determine your gaps, prioritize resource allocation to address those gaps and continually adjust to the moving target of cybersecurity compliance across the DoD contracting landscape.”

While the CMMC requirement is not expected to go into effect for all contracts until 2026, Organizations will benefit by proactively preparing.  While this list is not all-encompassing, here are some key steps for preparing your organization for the CMMC certification process.  

  • Review existing (if applicable) or upcoming contracts to identify security requirements/DFARS clauses 
  • Identify whether your business handles only FCI or more sensitive CUI (Controlled Unclassified Information.  As a reference, your contracting officer should be able to assist in determining this.   
  • Review NIST 800-171 controls in preparation for performing a security controls analysis  
  • Ensure there is an established Cybersecurity Training Program, to include initial and ongoing Cybersecurity Awareness and Education.  Continuous cyber training will empower and enable your personnel to identify threats and mitigate their business impact.  
  • Consider consulting with a CMMC Readiness Partner to perform a Readiness Gap Analysis, assist with drafting operational security policies, and to position your organization for continued business success.

*Stay tuned for updated change insights related to CMMC, as they become available.  

*For other tips and tricks in staying cyber-informed, please visit our additional Valor Insights.