Answering the most common CMMC compliance questions

Global organisations that have contracts with the US Department of Defence (DoD) are currently facing a critical challenge – ensuring a state of compliance that will soon be enforced as mandatory, for their organisation and throughout the entire supply chain.

With the highest levels of CMMC compliance involving more than 110 unique processes and practices, this is no simple task. However, it’s a highly important one, requiring organisations to demonstrate that they can confidently and reliably handle sensitive information.

Below, we’re exploring some of the most frequently asked questions surrounding CMMC 2.0 compliance, giving you the answers needed to ensure that your compliance journey is as smooth and successful as possible.

At a glance, these questions are:

  • What is CMMC compliance?
  • Who needs CMMC compliance?
  • Is anyone exempt from CMMC compliance?
  • Who certifies CMMC compliance?
  • When do I need to be CMMC 2.0 compliant by?
  • What are the requirements for CMMC compliance?
  • Can my organisation achieve multiple levels of CMMC 2.0 compliance at the same time?
  • Is there any ongoing maintenance required after obtaining CMMC certification?

What is CMMC compliance?

The latest Cybersecurity Maturity Model Certification (CMMC 2.0) marks an update and improvement to the previous certification, with the overall aim of securing sensitive defence information. According to the U.S. Department of Defence:

“The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs against unwanted risks and cyber threats.”

Achieving CMMC compliance means that an organisation has implemented the necessary cybersecurity practices and controls outlined in the CMMC framework to protect sensitive government information. It demonstrates the organisation’s commitment to cybersecurity best practices and its ability to safeguard sensitive data from cyber threats.

Who needs CMMC compliance?

Any organisation within the US Department of Defence (DoD) supply chain needs to demonstrate its compliance with CMMC 2.0. That means that an estimated 300,000 organisations must ensure that they can secure sensitive government information.

Is anyone exempt from CMMC compliance?

While there are no blanket exemptions or exceptions to CMMC compliance for organisations within the DoD supply chain, the exact level of compliance may differ. There are three distinct levels of CMMC compliance, and the level of compliance that your organisation needs will depend on the type of information that you handle.

  • Level 1 (foundational) aims to protect basic federal information
  • Level 2 (advanced) aims to guard more sensitive data
  • Level 3 (expert) protects critical information against advanced threats

Who certifies CMMC compliance?

CMMC 2.0 compliance is certified through third-party assessments performed by Certified Third-Party Assessor Organisations (C3PAOs). Getting certified can take as little as six months for level 1, or as much as 12 months for levels 2 and 3.

C3PAOs are authorised by the CMMC Accreditation Body (CMMC-AB). It’s their role to conduct assessments, issue certifications, and independently verify whether or not your organisation meets the compliance status.

When do I need to be CMMC 2.0 compliant by?

While the specific deadline for CMMC 2.0 compliance hasn’t been confirmed, the rollout of CMMC 2.0 is set to start in early 2025, gradually encompassing all DoD contracts by 2028.

To gear up for this, some DoD contractors are already asking their subcontractors to show compliance while they await the finalised guidelines to roll out and take effect.

What are the requirements for CMMC compliance?

As discussed, there are three different levels of CMMC compliance, with each level bringing in additional requirements.

  • At level 1, organisations are expected to demonstrate that they can protect Federal Contract Information (FCI). As a result, this level only includes practices that meet 15 basic safeguarding requirements.
  • Level 2 practices are more advanced than level 1, with sophisticated cyber-hygiene practices protecting more sensitive information. At this level, there are 110 practices that organisations must adhere to, with a range of annual and triennial (every three years) assessments.
  • Level 3 is designed to safeguard highly critical information against advanced persistent threats. This level is aimed at a select group of defence contractors with capabilities vital to national security interests. It is expected to integrate advanced cybersecurity practices and processes from NIST SP 800-172, although the specific requirements and assessment methodology are yet to be defined by the DoD.

Can my organisation achieve multiple levels of CMMC 2.0 compliance at the same time?

Yes, organisations can achieve multiple levels of CMMC compliance simultaneously by implementing the necessary controls and processes for each. However, bear in mind that doing this typically requires a phased approach. We recommend starting with the foundational practices and gradually progressing to the more advanced requirements.

Is there any ongoing maintenance required after obtaining CMMC certification?

Yes, maintaining CMMC compliance requires ongoing monitoring, maintenance, and continuous improvement of cybersecurity practices. What’s more, for each level, you can expect regular assessments to ensure complete compliance.

  • Level 1:
    Expect to complete an annual self-assessment.
  • Level 2:
    Here, assessments depend on whether the data involved is critical or non-critical to national security. If it’s critical, organisations need a higher-level third-party assessment every three years. If it’s not critical, they need to do a self-assessment each year.
  • Level 3:
    Due to the highly sensitive nature of the information at this level, assessments here will be government-led on a triennial (every three years) basis. Read our roadmap for CMMC compliance today to learn more about these different levels.

Begin your CMMC compliance journey today

At Kiteworks, we’re here to support you on your CMMC 2.0 compliance journey.

Our FedRAMP-authorised Private Content Network provides the capabilities needed to fully secure file sharing, email, and more, all with built-in automated compliance features that are already helping organisations achieve 89% of level 2 compliance requirements out-of-the-box.

Request a demo today to learn how Kiteworks can support your CMMC compliance needs effectively. 

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.
