Everything you need to know.
What is CMMC?
CMMC is the Department of Defense (DoD) framework for verifying the cybersecurity posture of Defense Industrial Base (DIB) companies. Mandated by the DoD, the CMMC framework combines comprehensive assessments with tiered certifications to verify that the practices and processes associated with a given cybersecurity maturity level are actually implemented, not just claimed.
A DIB company's certified level of maturity is determined by which CMMC level it achieves.
What does CMMC stand for?
The acronym stands for Cybersecurity Maturity Model Certification.
Why was CMMC created? What is the purpose of obtaining CMMC certification?
The CMMC framework is designed to provide increased levels of assurance to the DoD that DIB companies are adequately equipped to protect controlled unclassified information (CUI).
The certification verifies that a contractor has adequate cybersecurity controls and compliance policies in place to meet the DoD's security standards; the C3PAO is the assessor, not the party being certified.
The Department of Defense (DoD) has released the Cybersecurity Maturity Model Certification (CMMC) Version 1.0, a new framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. CMMC is an evolution of DFARS 252.204-7012, which already requires implementation of NIST SP 800-171 but relies on contractor self-attestation; CMMC adds independent third-party assessment.
Why is CMMC important?
In short, CMMC gives the DoD and the primes that flow requirements down to their suppliers verifiable assurance about a contractor's security controls.
Serving as a verification mechanism, CMMC is designed to ensure that a contractor's cybersecurity controls and processes are adequate to protect the federal contract information and CUI it handles. Achieving a higher CMMC level is a sign that the Defense Industrial Base (DIB) company meets the DoD's core cybersecurity objectives.
Who needs CMMC Certification? Who does CMMC apply to?
Although CMMC Version 1.0 was only recently released, all organizations that provide products or services to the DoD will eventually need to be CMMC certified to bid on future DoD solicitations. That said, CMMC is not expected to be applied retroactively to existing contracts or their option years until at least 2026.
Even small businesses that work with the DoD only indirectly, as subcontractors supplying a product or service to a prime, will need CMMC.
Will CMMC ever be required outside of the DoD?
It is hard to determine definitively at this point. That said, at a recent ISSA webinar, Katie Arrington, Chief Information Security Officer for Acquisition, Department of Defense, discussed the adoption of CMMC at the broader federal level. She stated, “I think that this (CMMC) is definitely going to go outside DoD. I know it is.”
Who issues CMMC certification?
A non-governmental body, the CMMC Accreditation Body (CMMC-AB), is made up of industry professionals, former government officials, and others who understand what the DoD needs and how private industry can map its practices back to those needs.
Several CMMC-related credentials are available to private industry. The CMMC-AB authorizes and accredits C3PAOs and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements.
Types + Levels of 3rd Party CMMC Certifications
What are C3PAOs?
CMMC Third Party Assessment Organizations (C3PAOs) are organizations accredited by the CMMC-AB to conduct CMMC assessments, using certified assessors, on behalf of the DoD. Once the assessment is completed, the C3PAO can issue a CMMC certificate at the level achieved.
C3PAOs are authorized to:
What are RPOs?
The role of Registered Provider Organizations (RPOs) is largely consultative. RPOs are well-versed in CMMC and help Organizations Seeking Certification (OSCs) within the Defense Industrial Base (DIB) navigate the CMMC process; they do not conduct certification assessments.
As part of the RPO registration process, each applicant organization must have at least one Registered Practitioner (RP), someone trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard”, associated with it (as an employee or contractor) at all times.
At this point, RPOs, including those working toward C3PAO status, may help an organization set up its initial self-assessment and manage the action items that come out of it in preparation for a CMMC assessment.
What role does a CMMC Audit play within the certification process?
CMMC certification is achieved by passing an external audit. Also known as a CMMC audit, it is an assessment of your organization's cybersecurity practices and processes by an accredited CMMC Third Party Assessment Organization (C3PAO).
When will CMMC be required? When will CMMC audits begin?
The Department of Defense (DoD) is implementing CMMC through a phased rollout. Through September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of a CMMC requirement in any solicitation; after that date, CMMC is expected to apply to all applicable DoD contracts. Keep in mind that these dates are contingent on several moving parts:
How much does CMMC cost? Is CMMC pay-to-play?
Since CMMC certification is a new requirement, concrete costs have yet to be determined. What we do know is that costs will vary with the CMMC level sought, on top of preparation and audit costs.
In order to determine the variables that do impact the cost, start by asking the following questions:
As a rough estimate, not including preparation and audit expenses, the certification itself could cost an organization pursuing CMMC Level 1 from $3,000 to $5,000. The cost increases with each level.
Achieving CMMC requirements for small businesses + SMBs:
While market forces will ultimately dictate audit costs, the DoD has considered the financial burden that CMMC places on SMBs.
At the end of the day, the all-in cost depends on your current cybersecurity maturity and can be anywhere from $20,000 to $100,000. Companies with less mature environments (think non-compliance with comparable frameworks such as NIST SP 800-171) will need to contend with consulting fees, increased CAPEX (on things like multifactor authentication, mobile device management, and log monitoring), and increased OPEX (on things like security awareness training and additional personnel).
Are there penalties for noncompliance with CMMC?
Because CMMC certification is a prerequisite for working with the DoD and is awarded by level, the DoD does not anticipate imposing separate penalties for CMMC noncompliance. The consequence is simpler: failing to achieve the level a contract requires prevents a contractor from bidding on, or performing, that DoD work.
CMMC Domains and Levels: CMMC groups its practices and processes into 17 domains and maps them across five certification levels, ranging from Level 1, “Basic Cyber Hygiene”, to Level 5, “Advanced/Progressive”.
What are the levels of CMMC?
Level 1 (Basic Cyber Hygiene). Total Controls: 17
CMMC Practices / Requirements: The minimum CMMC certification level requires basic cybersecurity measures and has no process maturity requirement: practices only need to be performed, even in an ad hoc manner. The 17 practices are equivalent to the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, which in turn map to 17 requirements drawn from NIST SP 800-171 Rev 1.
CMMC Processes: Performed (practices are performed)
Level 2 (Intermediate Cyber Hygiene). Total Controls: 72
CMMC Practices / Requirements: A Level 2 CMMC certification requires intermediate cybersecurity measures and documentation of every CMMC practice in scope. In addition to that documentation, third-party assessors will require the organization to have established a policy that covers all activities in each domain.
In addition to the 17 practices required at CMMC Level 1, Level 2 adds 55 new practices, for a total of 72. These new practices include controls on privileged account access, incident response and remediation plans, and other intermediate cybersecurity measures.
CMMC Processes: Documented (practices are documented and governed by policy)
Level 3 (Good Cyber Hygiene). Total Controls: 130
CMMC Practices / Requirements: A Level 3 CMMC certification builds on the previous two levels and requires that the organization establish, maintain, and resource a plan covering all activities.
There are a total of 130 practices at Level 3, which cover all 110 requirements of NIST SP 800-171 Rev 1 plus 20 additional practices that protect controlled unclassified information (CUI) and make the organization's cybersecurity moderately resilient and comprehensive.
CMMC Processes: Managed (practices are maintained, resourced, and followed)
Level 4 (Proactive). Total Controls: 156
CMMC Practices / Requirements: A Level 4 CMMC certification incorporates proactive practices to continually improve an organization's capabilities in detection, response, remediation, and protection.
There are 156 total practices at Level 4. In addition to the practices from Levels 1 through 3, Level 4 adds 26 new practices, 11 of which are drawn from Draft NIST SP 800-171B. Other measures a Level 4 organization must have in place include detecting and responding to the changing tactics, techniques, and procedures (TTPs) used by Advanced Persistent Threats (APTs).
CMMC Processes: Reviewed (practices are regularly reviewed and measured for effectiveness)
Level 5 (Advanced/Progressive). Total Controls: 171
CMMC Practices / Requirements: At the highest CMMC certification level, Level 5, an organization is considered highly advanced in its cybersecurity practices, with continuous, optimized improvement across the enterprise.
Encompassing all practices of Levels 1 through 4, Level 5 organizations must have a standardized, documented approach across the enterprise. Level 5 introduces 15 new practices, 4 of which are drawn from Draft NIST SP 800-171B and 11 of which cover advanced cybersecurity measures, for a total of 171. This further strengthens CUI protection and results in a more sophisticated security program.
CMMC Processes: Optimizing (practices are standardized and optimized across the enterprise)
How to become CMMC certified?
To become CMMC certified, Defense Industrial Base (DIB) companies must be assessed by a CMMC Third Party Assessment Organization (C3PAO) using certified assessors.
If you’re seeking to become CMMC compliant, here are a few steps to consider before getting audited:
Note that the specific findings from a C3PAO assessment remain confidential; only the level achieved is made public.
Steps to CMMC Certification
The CMMC Interim Rule (DFARS Case 2019-D041, which introduced clauses 252.204-7019, 252.204-7020, and 252.204-7021) has two objectives: to establish CMMC as the cybersecurity framework for DoD contracts, and, in the meantime, to require contractors to assess themselves against NIST SP 800-171 using the DoD Assessment Methodology and report the resulting score to the DoD through the Supplier Performance Risk System (SPRS).
The Interim Rule defines three assessment levels:
Basic Assessment: a self-assessment performed by the contractor using the DoD Assessment Methodology. It can go one of two ways: (1) if the organization has implemented all 110 requirements of NIST SP 800-171, the score recorded in SPRS is 110; (2) if it has not, the Assessment Methodology determines the score. Each unimplemented requirement carries a weight of 1, 3, or 5 points that is subtracted from the starting score of 110, so the lowest possible score is -203. Within 30 days of completing the assessment, the contractor must post its score in SPRS along with the date by which it will reach full implementation. A Basic Assessment carries a confidence level of “Low”.
Medium Assessment: an assessment conducted by the Government, for which the contractor must provide access to all systems and personnel needed. It includes a review of the contractor's Basic Assessment, a thorough document review, and discussions with the contractor for additional information as needed. The resulting score carries a confidence level of “Medium”.
High Assessment: the highest level combines the Basic and Medium assessments with verification, examination, and demonstration of the contractor's system security plan, validating that the NIST SP 800-171 security requirements are implemented as described. The resulting score carries a confidence level of “High”.
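The Basic Assessment arithmetic described above is easy to get subtly wrong, because two requirements allow a reduced deduction and a missing system security plan means there is no score at all. The following is an added example, not code from the original page or from the DoD, that implements the scoring rule as the DoD Assessment Methodology describes it. The weight table it embeds is a constructed sample (the methodology assigns every one of the 110 requirements a weight of 5, 3, or 1, and the full table must be taken from the methodology itself), and the partial-credit handling for 3.5.3 and 3.13.11 and the no-SSP rule for 3.12.4 are assumptions drawn from that methodology. The function names and statuses are this example's own.

```python
"""Score a NIST SP 800-171 Basic (self-)Assessment under the DoD Assessment
Methodology: start at 110 and subtract a weight for each requirement that is
not fully implemented.

Added example; not the page's or the DoD's code. Weights below are a
CONSTRUCTED SAMPLE, not the authoritative table.
"""
from __future__ import annotations

PERFECT_SCORE = 110
# With the full table the weights sum to 313, so the lowest possible score
# (every requirement unimplemented) is 110 - 313 = -203.
MINIMUM_SCORE = -203

# Constructed sample of the weight table. Each of the 110 requirements has a
# weight of 5, 3 or 1 in the methodology; only a handful are listed here.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
    "3.14.2": 5,   # protection from malicious code
}

# Assumed from the methodology: exactly two requirements allow a reduced
# deduction of 3 instead of 5.
#   3.5.3   MFA covers remote and privileged users but not general users
#   3.13.11 encryption is in use but is not FIPS-validated
PARTIAL_CREDIT: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Assumed from the methodology: without a system security plan (3.12.4) an
# assessment cannot be conducted, so no score can be produced.
SSP_REQUIREMENT = "3.12.4"

VALID_STATUSES = {"implemented", "not_implemented", "partial"}


def basic_assessment_score(findings: dict[str, str]) -> int:
    """Return the Basic Assessment score for the given findings.

    `findings` maps a requirement id (e.g. "3.5.3") to one of
    "implemented", "not_implemented" or "partial". Requirements that are
    absent from `findings` are treated as implemented.
    """
    if findings.get(SSP_REQUIREMENT) == "not_implemented":
        raise ValueError("no system security plan (3.12.4): assessment cannot be scored")

    score = PERFECT_SCORE
    for req, status in findings.items():
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r} for {req}")
        if status == "implemented":
            continue
        if req not in WEIGHTS:
            raise KeyError(f"{req} is not in the weight table")
        if status == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} does not allow partial credit")
            score -= PARTIAL_CREDIT[req]
        else:
            score -= WEIGHTS[req]
    return score


def sprs_record(findings: dict[str, str], assessment_date: str,
                full_compliance_date: str | None = None) -> dict:
    """Assemble the fields a contractor posts to SPRS for a Basic Assessment.

    A score below 110 must be accompanied by the date by which every
    requirement will be implemented; a perfect score needs no such date.
    """
    score = basic_assessment_score(findings)
    if score < PERFECT_SCORE and full_compliance_date is None:
        raise ValueError("a score below 110 requires a planned full-compliance date")
    return {
        "assessment_type": "Basic",
        "confidence_level": "Low",   # Basic self-assessments always carry Low confidence
        "score": score,
        "assessment_date": assessment_date,
        "full_compliance_date": full_compliance_date if score < PERFECT_SCORE else None,
    }


if __name__ == "__main__":
    # Constructed findings for a contractor that lacks FIPS-validated crypto and
    # has MFA only for remote and privileged users.
    sample = {"3.5.3": "partial", "3.13.11": "partial", "3.1.22": "not_implemented"}
    print(sprs_record(sample, "2021-03-01", full_compliance_date="2021-09-30"))
```

Two points worth noting in the design: the status of a requirement that is not listed in the findings defaults to implemented, so an incomplete findings file silently inflates the score, which is why the SSP check runs before any arithmetic; and partial credit is rejected for any requirement other than the two the methodology singles out, so a spreadsheet that awards "half credit" elsewhere fails loudly instead of producing a score the DoD would not recognize.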
Avertium, a CMMC Registered Provider Organization (RPO), specializes in CMMC assessment readiness and program development. Avertium will get to know your organization, establish a baseline maturity index, and work with you to tailor a path to compliance and security program improvement that fits the way you do business.