Answering the most common CMMC compliance questions
Global organisations that hold contracts with the US Department of Defence (DoD) currently face a critical challenge: achieving a state of compliance that will soon be enforced as mandatory, both for their own organisation and throughout the entire supply chain.
With the highest levels of CMMC compliance involving more than 110 unique processes and practices, this is no simple task. It is, however, a highly important one, requiring organisations to demonstrate that they can confidently and reliably handle sensitive information such as controlled unclassified information (CUI) and federal contract information (FCI).
Below, we’re exploring some of the most frequently asked questions surrounding CMMC compliance, giving you the answers needed to ensure that your compliance journey is as smooth and successful as possible.
These questions include:
- What is CMMC compliance?
- Who needs CMMC compliance?
- Is anyone exempt from CMMC compliance?
- Who certifies CMMC compliance?
- When do I need to be CMMC 2.0 compliant by?
- What are the requirements for CMMC compliance?
- Can my organisation achieve multiple levels of CMMC 2.0 compliance at the same time?
- Is there any ongoing maintenance required after obtaining CMMC certification?
What is CMMC?
CMMC, or Cybersecurity Maturity Model Certification, is a vital framework implemented by the US Department of Defence to ensure robust cybersecurity practices among contractors handling Federal Contract Information and Controlled Unclassified Information. The latest iteration, CMMC 2.0, streamlines and elevates security requirements, aligning with standards like NIST 800-171 and NIST 800-172, to safeguard sensitive data effectively. Achieving CMMC compliance involves undergoing assessments by Certified Third Party Assessor Organisations, a process overseen by the CMMC Accreditation Body. This compliance not only fortifies a contractor’s cybersecurity posture but also solidifies eligibility for defense contracts, akin to other federal frameworks such as FedRAMP.
What is CMMC 2.0?
CMMC 2.0 represents the latest evolution of the Cybersecurity Maturity Model Certification framework set by the US Department of Defense to secure Federal Contract Information and Controlled Unclassified Information.
This updated version streamlines the compliance process by aligning closely with NIST SP 800-171 and integrating advanced security protocols from NIST SP 800-172 for higher-level compliance. By engaging Certified Third Party Assessor Organizations accredited by the CMMC Accreditation Body, companies can ensure they meet these stringent requirements, safeguarding sensitive data and enhancing eligibility for federal contracts.
CMMC 2.0 aims to fortify the defense supply chain while maintaining a balance between robust security measures and manageable compliance obligations, much like the FedRAMP framework does for cloud service providers. Understanding and adhering to these standards is crucial for businesses striving to succeed in the competitive defense sector.
What is CMMC compliance?
The latest Cybersecurity Maturity Model Certification (CMMC 2.0) marks an update and improvement to the previous certification, with the overall aim of securing sensitive defence information. According to the U.S. Department of Defense:
“The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs, against unwanted risks and cyber threats.”
Achieving CMMC compliance means that an organisation has implemented the necessary cybersecurity practices and controls outlined in the CMMC framework to protect sensitive government information. It demonstrates the organisation’s commitment to cybersecurity best practices and its ability to safeguard sensitive data from cyber threats.
Who needs CMMC compliance?
Any organisation within the US Department of Defence (DoD) supply chain needs to demonstrate its compliance with CMMC 2.0. That means that an estimated 300,000 organisations must ensure that they can secure sensitive government information.
Is anyone exempt from CMMC compliance?
While there are no blanket exemptions or exceptions to CMMC compliance for organisations within the DoD supply chain, the exact level of compliance may differ. There are three distinct levels of CMMC compliance, and the level of compliance that your organisation needs will depend on the type of information that you handle.
- CMMC Level 1 (foundational) aims to protect basic federal information
- CMMC Level 2 (advanced) aims to guard more sensitive data
- CMMC Level 3 (expert) protects critical information against advanced threats
Why is CMMC necessary?
The Cybersecurity Maturity Model Certification (CMMC) is crucial for ensuring the security and integrity of sensitive information managed by contractors working with the US Department of Defense. The need for CMMC arises from the increasing threats to Federal Contract Information and Controlled Unclassified Information, which require stringent safeguards. CMMC 2.0 addresses this by implementing a streamlined approach that emphasizes cybersecurity standards in alignment with NIST SP 800-172. This framework ensures that only Certified Third Party Assessor Organizations, endorsed by the CMMC Accreditation Body, evaluate and validate compliance. The introduction of CMMC is indispensable for defense contractors, as it not only enhances security protocols but also aligns with federal initiatives like FedRAMP, ensuring contractors maintain eligibility for defense contracts while protecting national security assets.
Who certifies CMMC compliance?
CMMC 2.0 compliance is certified through third-party assessments performed by Certified Third Party Assessor Organisations (C3PAOs). Getting certified can take as little as six months for level one, or as much as 12 months for levels two and three.
C3PAOs are authorised by the CMMC Accreditation Body (CMMC AB). It is their role to conduct assessments, issue certifications, and independently verify whether or not your organisation meets the required compliance level.
When do I need to be CMMC 2.0 compliant by?
Currently, defense contractors and subcontractors must adhere to specific requirements when handling FCI and CUI. For contracts involving FCI, contractors must comply with Federal Acquisition Regulation (FAR) clause 52.204-21, which mandates 15 basic safeguarding measures. These measures form the minimum security baseline for any entity receiving FCI from the U.S. Government.
When dealing with CUI, the requirements become more stringent. DFARS clause 252.204-7012 requires contractors to implement the 110 security requirements specified in NIST SP 800-171. This comprehensive set of requirements aims to provide adequate security on all covered contractor information systems. With Final Rule 32 CFR Part 170 published in the Federal Register on October 15, 2024, phased implementation starts in Q1 2025, and the time for DoD contractors and subcontractors to start is now.
What are the CMMC 2.0 certification levels and compliance requirements?
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to enhance the protection of sensitive unclassified information across the Defense Industrial Base. It consists of three levels of compliance, each with increasing requirements:
- CMMC Level 1 (Foundational): CMMC Level 1 focuses on basic safeguarding requirements necessary to protect Federal Contract Information (FCI). It includes 17 practices aligned with Federal Acquisition Regulation (FAR) 52.204-21. Key requirements involve basic cybersecurity hygiene, such as implementing access controls, safeguarding media, and ensuring personnel security.
- CMMC Level 2 (Advanced): CMMC Level 2 serves as a transitional step from Level 1 to Level 3 and includes 110 practices aligned with the National Institute of Standards and Technology (NIST) SP 800-171. It focuses on protecting Controlled Unclassified Information (CUI). Organizations must demonstrate the implementation of an array of cybersecurity practices and document policies and procedures. It introduces intermediate measures, like configuration management and incident response, to enhance data protection capabilities.
- CMMC Level 3 (Expert): CMMC Level 3 encompasses 110 practices from NIST SP 800-171 and additional enhanced security measures. It is designed for organizations handling the most sensitive types of CUI. Level 3 emphasizes proactive and advanced cyber defenses, including detection and response capabilities, and ongoing monitoring. It requires a mature institutionalized approach to cybersecurity, involving formalized processes and continuous improvement initiatives.
What are the requirements for CMMC compliance?
As discussed, there are three different levels of CMMC compliance, with each level bringing in additional requirements.
- At CMMC Level 1, organisations are expected to demonstrate that they can protect Federal Contract Information (FCI). As a result, this level only includes practices that meet 15 basic safeguarding requirements.
- CMMC Level 2 practices are more advanced than Level 1, with sophisticated cyber-hygiene practices protecting more sensitive information. At this level, there are 110 practices that organisations must adhere to, with annual or triennial assessments depending on the data involved.
- CMMC Level 3 is designed to safeguard highly critical information against advanced persistent threats. This level is aimed at a select group of defence contractors with capabilities vital to national security interests. Level 3 will contain all 110 requirements from Level 2, plus an additional 24 requirements from NIST SP 800-172, which is designed for protecting CUI against advanced persistent threats (APTs). Level 3 is anticipated to represent a smaller, more focused group of defense contractors that possess capabilities critical to national security interests. The specific requirements and assessment methodology for this level have been defined by the DoD in the Level 3 Guide and within Final Rule 32 CFR.
Is there any ongoing maintenance required after obtaining CMMC certification?
Yes, maintaining CMMC compliance requires ongoing monitoring, maintenance, and continuous improvement of cybersecurity practices. What’s more, for each level, you can expect regular assessments to ensure complete compliance.
- CMMC Level 1: Expect to complete an annual self-assessment.
- CMMC Level 2: Here, assessments depend on whether the data involved is critical or non-critical to national security. If it is critical, organisations need a higher-level third-party assessment every three years. If it is not critical, they need to complete a self-assessment each year.
- CMMC Level 3: Due to the highly sensitive nature of the information at this level, assessments will be government-led and take place every three years.
Read our roadmap for CMMC compliance today to learn more about these different levels.
Begin your CMMC compliance journey today with Kiteworks
At Kiteworks, we’re here to support you on your CMMC 2.0 compliance journey.
The Kiteworks Private Content Network supports nearly 90% of CMMC Level 2 requirements out of the box.
Request a demo today to learn how Kiteworks can support your CMMC compliance needs effectively.
Additional Resources
- Webinar What Optiv and Kiteworks Recommend for DoD Contractors and Subcontractors for CMMC 2.0
- Guide A Detailed CMMC 2.0 Guide for DoD Contractors and Subcontractors
- Video What Kiteworks CISO Frank Balonis Thinks About CMMC 2.0
- Article What Is Cybersecurity Maturity Model Certification?
- Blog Post What Is CMMC Security Compliance?