The Cybersecurity Maturity Model Certification (CMMC) represents the Department of Defense’s (the Department) strategic response to the escalating frequency and sophistication of cyberattacks, safeguarding American innovation and national security information. It aims to enhance the cybersecurity and cyber resilience of the vast network of contractors and subcontractors within the Defense Industrial Base (DIB), ensuring that acquisition programs and sensitive defense information are adequately protected.
October 2024 Update: On October 11, 2024, the Department of Defense finalized the rule for CMMC 2.0, officially setting the stage for implementation in early 2025. This solidifies the streamlined three-level model and introduces key provisions, such as conditional certification through Plans of Action and Milestones (POA&Ms). While the extended timeline allows more time for preparation, entities within the Defense Industrial Base (DIB) should begin aligning with these requirements immediately to strengthen their cybersecurity and cyber resilience.
This Complete Guide by SaltyCloud provides a thorough overview of the CMMC, delving into its structure, specific requirements, and the certification process. It is designed to equip defense contractors with the essential knowledge and insights needed to navigate the requirements effectively.
CMMC (Cybersecurity Maturity Model Certification) is a compliance framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by ensuring that defense contractors implement cybersecurity best practices. It creates a unified standard for securing unclassified information across the DIB and holds companies accountable for safeguarding against cyber threats.
The CMMC was developed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)). Developed in collaboration with the Department’s stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry partners, the framework integrates various cybersecurity standards and best practices. This collaborative effort ensures that contractors in the DIB meet consistent, robust cybersecurity requirements to protect sensitive information from evolving threats.
The most recent version of the CMMC framework consists of three progressively advanced levels: (1) Foundational, (2) Advanced, and (3) Expert.
Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified triennially via a third-party or government-led assessment.
In limited cases, the Department intends to allow uncertified contractors to deploy a Plan of Action and Milestones (POA&M) to show that they will achieve certification by a specific date. Additionally, in even rarer cases, the Department will allow contractors to request a waiver of all requirements. The DoD has yet to release full details regarding POA&Ms and waivers.
CMMC Level 1 will be required for any contractor who handles FCI. These contractors will need to align with 17 basic cyber hygiene practices. These controls can be found in Federal Acquisition Regulation (FAR) clause 52.204-21 and are further defined in NIST SP 800-171.
CMMC Level 2 will be required for any contractors who handle CUI. These contractors must align with the initial 17 practices from Level 1 and an additional 93 practices in NIST SP 800-171. As with Level 1 compliance, the DoD will require these contractors to assess their cybersecurity annually and submit scores and other documentation to the Supplier Performance Risk System (SPRS).
CMMC Level 3 will be required for any contractors who handle the most sensitive CUI. These contractors need to align with all 110 NIST SP 800-171 controls plus additional controls drawn from NIST SP 800-172.
In 2015, the Department introduced cybersecurity requirements for contractors under DFARS, including adherence to NIST SP 800-171 for safeguarding CUI.
With escalating cyber threats, the Department introduced CMMC 1.0 in 2019, which emphasized third-party certification and required NIST SP 800-171 compliance.
By 2021, CMMC 2.0 was introduced to simplify the framework, reducing levels from five to three and allowing self-assessments for lower levels.
On October 11, 2024, the Department issued the final rule for CMMC 2.0, with publication scheduled for October 15, 2024, and an effective date of December 14, 2024. Contractors must prepare for a phased implementation over the next 2.5 years:
Contractors aiming for Level 2 and Level 3 certification should begin preparations immediately. Non-compliance risks disqualification from new contracts or non-renewal of existing ones.
All contractors and subcontractors in the DIB must comply with the CMMC program at the level designated in their contract, including prime contractors, subcontractors, and any suppliers within the DoD supply chain.
According to the DoD, forthcoming CMMC requirements stand to affect over 300,000 organizations.
Prime contractors who work with subcontractors will need to manage their subcontractor supply chain network and keep track of data flow.
If a prime contractor shares or discloses CUI as part of a contract award, the subcontractor must meet Level 2 CMMC compliance. Similarly, if FCI is disclosed, the subcontractor must meet Level 1 CMMC compliance.
Non-compliance with CMMC will result in losing existing DoD contracts and disqualification from bidding on new ones until compliance is achieved. Additionally, the DOJ’s Civil Cyber-Fraud Initiative will hold contractors accountable for cybersecurity-related fraud under the False Claims Act, targeting those who misrepresent their practices or fail to meet obligations related to incident reporting.
To achieve CMMC certification, contractors must follow a defined process, ensuring compliance with the necessary cybersecurity requirements.
Start by scoping the parts of your organization that handle FCI or CUI. This includes mapping out which systems, personnel, and processes interact with this sensitive data.
Scoping helps to determine which areas of your business must comply with CMMC standards, ensuring you focus resources where they’re most needed.
All contractors are required to conduct a NIST SP 800-171 Basic Assessment and submit their score to the SPRS. This self-assessment evaluates how well your organization implements security controls, providing visibility into your readiness.
While the score doesn’t have to meet a specific threshold, submitting it is mandatory for all contractors engaging with the Department.
After the NIST SP 800-171 Basic Assessment, identify which CMMC level is required for your contracts:
Using a GRC Assessment Platform like Isora GRC can help streamline the entire process:
For CMMC Level 2 and 3, you must engage a Certified Third-Party Assessment Organization (C3PAO) to perform a formal audit. The C3PAO will review your organization’s security practices, verify compliance with the necessary controls, and provide a certification recommendation to the CMMC Accreditation Body (CMMC-AB).
A GRC Assessment Platform like Isora GRC can also streamline the C3PAO assessment process by providing:
CMMC is the Department’s critical framework to protect FCI and CUI within the DIB. With the finalization of CMMC 2.0 in October 2024, contractors now have clear guidelines and timelines for compliance. Whether pursuing Level 1 (17 controls) or advancing to Level 2 or Level 3 with NIST SP 800-171 and NIST SP 800-172 requirements, understanding and aligning with the right level is key to success.
The compliance journey begins with scoping your organization, conducting the NIST SP 800-171 Basic Assessment, and submitting your SPRS score, which is a foundational step for all contractors. Leveraging a GRC Assessment Platform like Isora GRC can streamline the process, automating evidence gathering, gap analysis, and subcontractor management, while providing critical reporting for internal reviews and C3PAO audits.
Ultimately, ensuring your organization’s alignment with CMMC 2.0 not only safeguards current and future contracts but also demonstrates a commitment to cybersecurity resilience across the DIB. Early and thorough preparation will be essential as the rule-making process unfolds and compliance deadlines approach.