
Who needs CMMC certification?


The CMMC, or Cybersecurity Maturity Model Certification, was established by the US Department of Defense (DoD) in 2019. It let the DoD move away from a process that relied solely on an organization's self-attestation of its basic cybersecurity posture and toward a more structured certification process where one is needed.

Required of any organization that plans to contract any work with the DoD, CMMC aims to protect controlled unclassified information (CUI) that resides on contractor or subcontractor systems or on the networks of suppliers.

What is CUI?

According to the Defense Counterintelligence and Security Agency, controlled unclassified information is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.”

They go on to clarify that CUI is not classified information or corporate intellectual property, “unless created for or included in requirements related to a government contract.”

Why is protecting CUI important?

Protecting CUI is important because a breach can lead to a threat to national security. Since there are, by nature, fewer controls for unclassified information than there are for classified information, bad actors see CUI as an easier target, which is why it’s so important to protect it diligently and responsibly.

Who must comply with the CMMC?

As we mentioned in the introduction, any organization that plans to contract any work with the DoD will eventually need the CMMC (more on that timeline later). This means any individual or company in the DoD supply chain will be required to comply, including all prime contractors, any and all subcontractors, and any suppliers.

It’s estimated that once in full effect, CMMC will affect over 300,000 organizations. But even if your company doesn’t plan to work with the government or the DoD, the basic principles of CMMC compliance are essentially cybersecurity best practices that ensure your organization is implementing proactive and consistent controls to maintain data integrity and security.

Having CMMC certification means your organization has proven that its practices and safeguards are validated, increasing assurance that you’re meeting all cybersecurity requirements in regards to CUI and federal contract information (FCI).

Certification itself occurs after a certified third-party assessor conducts an audit and issues your organization a passing score. However, the sensitivity of the information you interact with determines whether you need to self-assess or be certified at compliance Level 1, Level 2, or Level 3. To understand how this applies to your business, let’s take a look at those levels now.

When it comes to CMMC compliance, each of the three levels of certification builds upon the level that comes before it:

  • CMMC Level 1: Known as the foundational level, Level 1 is based on 17 practices and only applies to organizations that focus on the protection of FCI. This requires an annual self-assessment.
  • CMMC Level 2: The advanced level is for organizations working with CUI, and mirrors the 110 security controls of NIST SP 800-171 (more on this later). This requires annual self-assessments for select programs, as well as triennial third-party assessments for critical national security information.
  • CMMC Level 3: The expert CMMC level is based on the more than 110 security controls of NIST SP 800-171 and NIST SP 800-172 and is designed for companies working with CUI on the DoD’s highest-priority programs. This requires triennial government-led assessments.

Like many compliance processes, getting CMMC certified starts by first determining which level you'll need to be certified at, followed by performing a gap analysis. From here, you’ll want to remediate any gaps and implement any CMMC-specific requirements that may be missing. You’ll then need to undergo an observation phase, during which your organization will prove that the required controls aren’t just implemented but are actually working.

Now you’re ready to go for the self-assessment or certification! If you’re Level 1 or fall into the part of Level 2 that doesn’t require certification, you’ll perform an annual self-assessment. However, if you fall into the other parts of Level 2 or are a Level 3 organization and do need to become certified, then a Certified Third-Party Assessment Organization (C3PAO) of your choice will review your documentation, assess your security posture, and then issue a report to the Cyber AB (formerly the CMMC Accreditation Body), which will award the certification.

When does CMMC 2.0 go into effect?

While CMMC is already “in effect,” the DoD plans to publish its initial CMMC 2.0 requirements in March 2023 for a 60-day review and comment period. After this period has ended, the first phase of CMMC 2.0 compliance will go into effect, requiring every contractor working on a DoD project to complete a self-assessment. Next will come the second phase of CMMC 2.0 compliance, which will require third-party auditing of a contractor’s cybersecurity practices.

Because it will take some time for CMMC 2.0 to reach all defense contracts, the DoD hopes to have all phases of CMMC 2.0 compliance in effect by October 1, 2025. However, CMMC 2.0 requirements should begin to appear in all contracts starting June 2023.

What does this mean for you? If you want to be able to continue to bid on DoD work, you’ll need to be fully CMMC compliant by then.

How NIST sets you up for CMMC

The CMMC uses the NIST SP 800-171r2 framework, a voluntary cybersecurity framework designed to safeguard CUI. This means that if you already have and maintain ongoing NIST 800-171 compliance, you’re well on your way to achieving the soon-to-be-mandatory CMMC certification.

How Strike Graph can help

While Strike Graph doesn’t currently support CMMC specifically, we do support the CMMC journey via the NIST 800-171 framework. That’s because our flexible compliance platform allows you to assign controls and evidence to any framework — CMMC included.
