CMMC Compliance 101: 5 Things To Know

The Internet is a powerful medium for transferring and storing valuable information. For that reason, the black market for stolen data has become a massive business: buyers use the data for financial gain, to commit further crimes, and even to attack a nation's infrastructure.

Cyber threats are real, and they are happening right now. The United States Council of Economic Advisers estimated that malicious cyber activity cost the US economy between USD$57 billion and USD$109 billion in 2016 alone. Although the Department of Defense (DoD) has already taken steps to reduce those threats, more changes are needed.

This brings the focus to CMMC, a new standard that defense contractors must meet in order to demonstrate an appropriate level of cybersecurity. The CMMC has a two-fold goal: to ensure that every company doing business with the Department of Defense practices a verified level of security, and to give contractors a clear path to keeping their contracts rather than losing them over unverified security claims.

So, if your business works with the DoD, read on to learn everything you need to know about how you can comply with these new changes.


1. What Does CMMC Stand For

CMMC stands for Cybersecurity Maturity Model Certification, a new certification model that aims to unify the implementation of cybersecurity across Defense Industrial Base (DIB) contractors. CMMC helps ensure that DIB contractors have the means to protect sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

The CMMC draws on existing cybersecurity requirements and frameworks, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032. Rather than each contractor picking its own standard, CMMC unifies these into one set of practices and processes, mapped to certification levels, so that security across the supply chain can be measured consistently.

Everyone doing business with the Department of Defense is required to obtain CMMC certification at the level their contract specifies. To do this, contractors must engage a CMMC Third-Party Assessment Organization (C3PAO), such as Beryllium Info Sec, to conduct the assessment.

2. Why Is CMMC Important

Before the DoD introduced CMMC, contractors were allowed to self-assess their cybersecurity posture. That means a business merely had to attest that it met the requirements set by the DoD. But what if it did not?

Although some contractors did meet the requirements, others fell short, and some applied sub-par security to sensitive (if unclassified) government information. Self-attestation is therefore not an effective way to achieve a high, verifiable level of protection. Even a contractor that genuinely tries to adhere to the requirements can leave a gap that a single error turns into a serious breach.

For this reason, the US Department of Defense decided to implement the CMMC, which strengthens security controls by requiring contractors to be assessed and accredited by an independent third party at a defined level. (No certification guarantees total security, but an independent assessment removes the incentive to overstate one's own posture.) Certifications must be renewed every three years. Failure to comply means termination of existing work or disqualification from new contract opportunities.

The purpose of CMMC is as follows:

  • Reduces cyber vulnerabilities within the DoD supply chain.
  • Ensures DoD contractors implement cybersecurity controls verified by the mandatory CMMC certification.
  • Safeguards CUI and FCI residing on contractors' networks.

3. The Requirements

Requirements for CMMC certification depend on the level of certification required. The original CMMC model described here has five certification levels, which describe an organization's capability and reliability in securing sensitive government information residing on its systems. (The DoD has since announced a revised CMMC 2.0 with three levels; the five-level structure below is the original model.) The levels are cumulative: a company must satisfy all of the requirements of levels one through four before it can be certified at the fifth and highest level.

The practices a contractor must implement are grouped into 17 domains. These are:

  • Access Control (AC)
  • Incident Response (IR)
  • Risk Management (RM)
  • Asset Management (AM)
  • Maintenance (MA)
  • Security Assessment (CA)
  • Awareness and Training (AT)
  • Media Protection (MP)
  • Situational Awareness (SA)
  • Audit and Accountability (AU)
  • Personnel Security (PS)
  • System and Communications Protection (SC)
  • Configuration Management (CM)
  • Physical Protection (PE)
  • System and Information Integrity (SI)
  • Identification and Authentication (IA)
  • Recovery (RE)

The good news is that contractors can reuse work already done for existing certifications, since many CMMC practices overlap with ISO 27001, ISO 27032, NIST SP 800-171, and NIST SP 800-53. Note, however, that CMMC adds practices and process-maturity requirements that those frameworks do not cover, so an existing certification does not by itself satisfy CMMC.


Here’s a quick view of the requirements for each CMMC level:

  • Level 1

Level 1 covers basic cyber hygiene: the 17 practices drawn from the basic safeguarding requirements of FAR 52.204-21, such as limiting system access to authorized users, and installing and regularly updating antivirus software.

  • Level 2

To achieve CMMC level 2 certification, a contractor must meet all level 1 requirements and add intermediate cyber hygiene practices (72 practices in total), along with documented policies and procedures for the CMMC practices it performs.

  • Level 3

Level 3, good cyber hygiene, includes all the security requirements of NIST SP 800-171. This means implementing the 110 requirements of NIST SP 800-171 plus 20 additional CMMC practices, for 130 practices in total, and maintaining a managed plan for those activities.

  • Level 4

Being the penultimate certification level, level 4 requires proactive security: contractors must have the resources and processes to prevent, detect, respond to, and adapt to changing tactics of advanced persistent threats, and must review and measure the effectiveness of their practices.

  • Level 5

Building on the requirements of levels 1 through 4, a level 5 contractor must implement advanced cybersecurity practices and standardized, optimized processes across the whole organization.


4. How To Get Certified

As mentioned earlier, the Department of Defense requires all organizations working with it to obtain CMMC certification. If you are a contractor who wishes to continue working with the DoD, you need to meet the CMMC requirements for the level your contracts call for and obtain that certification.

A contractor obtains a CMMC certification by engaging a C3PAO to assess its security practices. The third-party assessor verifies that the organization has implemented every practice and process required for the CMMC level its contract specifies. Without that certification, a contractor cannot be awarded or keep DoD work that requires it.


5. When Do You Need To Comply

Since the Department of Defense only recently rolled out these changes, contractors can expect a phased timeline for full implementation. Because of the framework's scope, CMMC requirements are being introduced into contracts gradually over roughly five years. Organizations that adopt the model early, however, will be better positioned to win DoD contracts than competitors that wait.

Takeaway

Cyber threats are becoming more and more frequent. For this reason, the US Department of Defense has implemented the Cybersecurity Maturity Model Certification to ensure that sensitive government data held by contractors is protected. Contractors working with the DoD must make the necessary organizational changes to get up to speed with this new model. Doing so will allow them to renew their contracts and keep their business with the Department of Defense.

About Lola Mays