
CMMC Compliance: a Guide for DoD Contractors

June 14, 2021

The CMMC provides the mechanism needed to verify that DoD contractors have implemented the CUI security requirements at each CMMC Level.

Last updated on Oct 23, 2024.

In May 2023, the United States uncovered one of the most significant cyber-espionage efforts by a Chinese hacking group within the U.S. territory of Guam. This incident targeted crucial communication and transportation infrastructure, sparking fears that it could undermine or disrupt the Department of Defense's logistics system, potentially jeopardizing operations and leading to devastating loss of life and property. The incident demonstrated how critical controlled unclassified information (CUI) is for national security. By gaining access to confidential information held by Defense Industrial Base (DIB) companies, attackers can compromise the safety and security of the US Department of Defense (DoD) and the whole national defense sphere. The above case is not the only one in which loss, modification, or disclosure of sensitive federal information has undercut US national security. To minimize cybersecurity risks within the DIB sector, the DoD has developed the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC 2.0 Final Rule was published on October 15, 2024, and is expected to come into effect as early as December 15, 2024. From that time, the CMMC program will eventually require one of three levels of cybersecurity requirements for defense contracts, depending on the sensitivity of the information the contractors are handling. Though the scope of the new requirements will vary across contracts, all DoD contractors should plan for heightened standards following the full rollout of CMMC and take steps toward compliance.

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is the security framework mandated by the DoD to evaluate and enhance the state of cybersecurity within the Defense Industrial Base (DIB) sector. The framework is intended to become a verification mechanism ensuring that DIB organizations possess appropriate cybersecurity practices and processes to protect data within their environments. Thus, CMMC regulates the implementation of cybersecurity across the DIB sector. Any organization that holds DoD contracts or acts as a subcontractor should prepare for obtaining CMMC certification. CMMC incorporates several practices and standards, but its key pillar is NIST SP 800-171. The other important references of the framework are NIST SP 800-53, National Aerospace Standard (NAS) 9933, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM). Based on these references, the framework measures an organization’s cybersecurity maturity and controls to ensure that all necessary processes and practices are in place. The initial implementation of the CMMC for all DoD contractors is mandated through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021.

The Evolution of CMMC

Before developing CMMC, specific cybersecurity requirements within the DoD were identified by DFARS 252.204-7008 and 252.204-7012. These regulations required DoD contractors to adopt NIST's cybersecurity processes and standards (especially NIST SP 800-171) while not providing specific audit or certification requirements. The vague requirements resulted in slow and unsatisfying adoption of DFARS 252.204-7008 and 252.204-7012, since most DoD contractors only managed to achieve a minimal level of cybersecurity hygiene. Thus, to strengthen the security of data in the DoD sphere, the DoD introduced an interim rule to the DFARS (DFARS Case 2019-D041), which set forth the initial framework for the CMMC program, known as "CMMC 1.0." This rule outlined the fundamental aspects of the framework, including the tiered model, mandatory assessments, and its implementation through contracts. The interim rule took effect on November 30, 2020, initiating a five-year phase-in period. In March 2021, the Department initiated an internal review of CMMC's implementation, informed by more than 850 public comments in response to the interim DFARS rule. These comments were generally focused on reducing costs for small businesses, clarifying CMMC cybersecurity requirements, and increasing trust in the CMMC assessment ecosystem. CMMC 2.0 was designed to meet these goals, which also contribute to enhancing the cybersecurity of the defense industrial base. The review engaged cybersecurity and acquisition leaders within the DoD to refine policy and program implementation. In November 2021, the DoD announced "CMMC 2.0," an updated program structure and requirements designed to achieve the primary goals of the internal review:

What Data Does CMMC Protect?

CMMC aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within DIB companies’ networks. Federal Contract Information (FCI) is the information provided by or generated for the Government under a contract to develop or deliver a product/service to the Government, which is not intended for public release. FCI does not include information provided by the Government to the public or simple transactional information. The basic safeguarding requirements for FCI are specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. DoD contractors that process, store, or transmit FCI must comply with CMMC Level 1 practices. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and governmental policies. It involves information the Government creates or possesses or that an entity creates or possesses for or on behalf of the Government. There are many specific categories and subcategories of the CUI that the Executive branch protects. The CUI Registry provides a complete list of those. We, however, show only some of the organization index groupings such as:

The basic safeguarding requirements for CUI are specified in NIST SP 800-171. Thus, DIB companies that work with information from one of these categories must safeguard this information at an appropriate CMMC level.

Who Needs the CMMC Certification?

The CMMC certification is obligatory for all DIB companies that work with CUI in cooperation with DoD. These companies are suppliers, small businesses, commercial item contractors that support the warfighter and contribute to the research, development, acquisition, production, delivery, and operations of DoD systems, services, and networks. Although CMMC certification is obligatory for all of these organizations, they might need different CMMC certification levels. When implementing CMMC, DoD contractors can achieve a specific CMMC level for their entire enterprise network or a particular segment, depending upon where the information to be protected is handled and stored. The level of the CMMC certificate depends on the type and nature of the information used by the contractor. For instance, if the DIB company holds CUI, it must be certified at a minimum of CMMC Level 3. If the organization does not possess, store, or transmit CUI but possesses FCI, obtaining CMMC Level 1 is often enough. Businesses that solely produce Commercial-Off-The-Shelf (COTS) products are not required to be certified.

What are the CMMC Levels?

The current CMMC 2.0 framework measures cybersecurity maturity at three levels - Foundational, Advanced, and Expert. Each of the CMMC levels is based on various considerations, including regulations, implementation complexity, type and sensitivity of the information, threats, costs, etc. Organizations can choose from these models to better assess and improve their cybersecurity posture. The required CMMC certification level is determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business. The CMMC framework also provides means for improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of the information to be protected. In general, each of the CMMC levels can be characterized by its primary focus:

CMMC 2.0 Level 1 (Foundational)

CMMC 2.0 Level 1 applies to DoD contractors and subcontractors that handle FCI to develop or deliver a product or service to the government. Under Level 1, organizations must implement 15 basic cybersecurity controls specified in FAR Clause 52.204-21. These controls include

Certification at this level does not require involvement from a CMMC Third-Party Assessment Organization (C3PAO). It requires an annual self-assessment with an attestation from a corporate executive. Read our CMMC Level 1 Assessment Checklist to learn more.

CMMC 2.0 Level 2 (Advanced)

The CMMC Advanced level applies to current and potential DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and ITAR or export-controlled data. To achieve Level 2, organizations must implement all 110 security controls listed in NIST SP 800-171, which include:

Certification at the Advanced level requires contractors to undergo C3PAO assessments every three years. There is also an option for self-assessment depending on DoD approval for select programs. Our CMMC Level 2 Certification Checklist will tell you more about the Advanced level compliance.

CMMC 2.0 Level 3 (Expert)

CMMC 2.0 Level 3 is reserved for cases where significant security threats, including advanced persistent threats (APTs), must be considered. The Expert level of CMMC compliance requires contractors to implement all 110 controls of NIST SP 800-171 plus specific controls from NIST SP 800-172, with triennial assessments. The enhanced security controls outlined by NIST SP 800-172 add another level of protection for CUI associated with critical government programs or high-value federal assets.

What is the CMMC Assessment and Certification Process?

The CMMC 2.0 program simplifies the cybersecurity assessment process yet increases accountability for each of the assessment steps. It implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0:

CMMC 2.0 Self-Assessment

Contractors holding Level 1 and a subset of Level 2 programs will be required to conduct an annual self-assessment. A senior company official will be responsible for an affirmation that the company is meeting requirements. The DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).

CMMC 2.0 Third-Party Assessment

Contractors that handle sensitive national security information need to undergo a third-party CMMC Level 2 assessment. The third-party assessment will be performed by CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). One can find the list of accredited C3PAOs on the Cyber AB Marketplace. Contractors are fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After the CMMC assessment is completed, the C3PAO will upload the assessment report into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will then be accessible to the Department of Defense (DoD).

CMMC 2.0 Government Assessments

The Department intends for Level 3 cybersecurity requirements to be assessed by government officials. The assessment requirements are currently under development. In-house preparation for CMMC assessments is possible for DoD contractors who have the necessary IT staff and resources. Those who do not have enough capabilities to address the requirements of NIST SP 800-171 Rev. 2 or SP 800-172 are encouraged to outsource their compliance initiative to qualified security service providers such as Planet 9.

What are the CMMC Compliance Timelines?

The Final Rule maintains a phased rollout, allowing a one-year transition period for the implementation of each phase:

Phase 1 begins in early 2025 after the CMMC Final Rule takes effect and will last one year. During this phase, all relevant DoD contracts will require CMMC Status Level 1 or Level 2 self-assessments as a condition for contract awards. These self-assessed statuses will then act as prerequisites for CMMC Level 2 third-party assessments (performed by a C3PAO).

Phase 2 is expected to launch one year after the start of Phase 1, approximately at the beginning of 2026. In Phase 2, the DoD plans to require CMMC Status Level 1 and Level 2 self-assessments, as well as Level 2 C3PAO assessments, as conditions for contract awards. Contracting officers will have the flexibility to postpone the Level 2 (C3PAO) requirement to an option period instead of enforcing it at the award stage. They may also decide to require CMMC Status Level 3 assessments (performed by the DCMA DIBCAC) in relevant DoD solicitations and contracts.

Phase 3 will also last for one year. In this phase, all applicable DoD contracts will include requirements for CMMC Status Level 1 and Level 2 self-assessments, Level 2 C3PAO assessments, and Level 3 (DIBCAC) assessments as a condition of award. Contracting officers may choose to defer the requirement for CMMC Status Level 3 (DIBCAC) until an option period instead of making it an initial award condition.

Phase 4 begins three years after the CMMC Acquisition rule takes effect, when CMMC 2.0 will be fully implemented (approximately the start of 2028).

Now that the Final Rule is published, contractors should not wait until the last moment to prepare for the coming changes, but should start looking ahead and working towards meeting CMMC requirements. The phased implementation of CMMC 2.0 begins soon, so all DoD contractors and subcontractors must already know which of the CMMC levels (Level 1, 2, or 3) apply to their organizations. Furthermore, self-assessments and third-party assessments by C3PAOs must be initiated shortly if they are not already underway.

How Much Will it Cost to Implement CMMC 2.0?

The Department will publish a comprehensive cost analysis for each level of CMMC 2.0 as part of rulemaking. It is important to note that the costs of implementing cybersecurity controls arise from the need to comply with contractual requirements for safeguarding information; they are not considered costs of implementing CMMC itself. In general, CMMC assessment costs will depend on the CMMC level, the complexity of the unclassified network within the certification boundary, and market forces. Although a detailed cost analysis for CMMC certification has yet to be provided, CMMC 2.0 assessment costs are expected to be lower than those of CMMC 1.0, for several reasons:

Boost Your CMMC Compliance with Planet 9

With the broad scope of practice controls under CMMC 2.0, DoD contractors and subcontractors may seek guidance from CMMC specialists. Planet 9 can support your CMMC compliance efforts with the following services:

Book a free consultation to learn more, or contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!
