CMMC is a framework created by the U.S. Department of Defense to make sure that companies working with the DoD have strong cybersecurity practices. CMMC ensures that companies protect important information related to national security, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

The CMMC was created in response to several major cybersecurity issues. 

First, an increasingly sophisticated national security and threat landscape. The Defense Industrial Base (DIB) — basically the network of organizations that supply products, services, and technology to the military — has been a prime target for a rise in cyberattacks, with adversaries seeking to exploit vulnerabilities to steal sensitive information and intellectual property. Compromised data can have severe implications, including undermining military operations and technological advantages.

Second, to standardize inconsistent cybersecurity practices. Prior to the CMMC, information security practices across the DIB varied widely. Many contractors did not have adequate measures in place to protect sensitive information, leading to breaches and compromised data.

By requiring annual self-assessments or third-party certification, the DoD ensures that all contractors meet a baseline level of security. CMMC also aligns with broader regulatory efforts to enhance cybersecurity, including other federal initiatives and policies designed to protect critical infrastructure and sensitive information such as NIST standards, the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), various Executive Orders, and national cybersecurity initiatives. 

Third, to secure the defense supply chain, which includes a vast network of companies, from large prime contractors to small subcontractors. The CMMC ensures that all entities within this supply chain adhere to robust cybersecurity standards, reducing overall risk across the DoD and ultimately for national security.

There are three levels of CMMC 2.0 compliance, depending on the type of information the organization handles.

  • Level 1 (Foundational) ensures that companies implement basic cybersecurity practices to protect FCI.
  • Level 2 (Advanced) aligns with NIST SP 800-171 Rev 2 and is designed for organizations handling CUI.
  • Level 3 (Expert) incorporates additional NIST SP 800-172 controls to protect against Advanced Persistent Threats (APTs). APTs are highly sophisticated and targeted cyberattacks designed to infiltrate a network, remain undetected for extended periods, and systematically extract valuable data.

What is CMMC certification?

Being CMMC certified means that an organization has met the stringent cybersecurity standards required by the DoD for handling FCI and CUI. 

Benefits of CMMC certification

  • Demonstrated cybersecurity posture: CMMC certification verifies that an organization has a robust cybersecurity framework in place and follows best practices to protect sensitive information.
  • Contract eligibility: Certification is a requirement for organizations wishing to bid on and participate in DoD contracts. Without CMMC certification, companies cannot compete for DoD contracts that involve sensitive information.
  • Competitive advantage: Achieving CMMC certification can provide a competitive edge in the market, as it demonstrates a commitment to cybersecurity and compliance, which can be attractive to other potential clients and partners.
  • Risk management: The certification process helps organizations identify and mitigate cybersecurity risks, leading to improved overall security and reduced likelihood of data breaches.
  • Regulatory compliance: CMMC certification ensures compliance with DoD requirements, which can also help in meeting complementary regulatory and security standards such as NIST CSF, SOC 2, and NIST SP 800-53.

CMMC 2.0: An overview of the major changes

Announced in November 2021, CMMC 2.0 introduced significant changes to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses. These changes make the framework more practical and accessible while maintaining robust cybersecurity practices to protect sensitive information.

The major framework updates are as follows:

Reduced number of levels

CMMC 2.0 reduced the number of certification levels from five to three:

  • Level 1 (Foundational): Basic cyber hygiene practices.
  • Level 2 (Advanced): Aligns with NIST SP 800-171 practices.
  • Level 3 (Expert): Aligns with a subset of NIST SP 800-172 controls, focused on advanced/progressive cybersecurity practices.

Closer alignment with National Institute of Standards and Technology (NIST) Standards

The practices required for Level 2 and Level 3 compliance now align more closely with existing NIST SP 800-171 and NIST SP 800-172 standards, making it easier for organizations already following these frameworks to comply with the CMMC.

Self-assessments for certain levels and contract types

Organizations can now perform annual self-assessments for Level 1 compliance instead of requiring third-party assessments.

Level 2 assessments are now split into two categories. Critical contracts still require third-party assessments by a certified third-party assessment organization (C3PAO) every three years. For certain non-critical contracts, Level 2 compliance can be achieved through annual self-assessments rather than third-party assessments, with an affirmation by a senior company official.

Level 3 requires an assessment conducted by the DoD. Organizations seeking Level 3 certification should have first received a Level 2 final certification assessment.

By allowing self-assessments for Level 1 and certain Level 2 contracts, CMMC 2.0 aims to reduce the compliance burden and associated costs, particularly for small and medium-sized businesses.

More focused requirements

CMMC 2.0 removed some unique CMMC requirements that were not aligned with existing standards. The streamlined levels and practices also focus more precisely on protecting CUI, which is a primary concern for the DoD.

Stronger accountability and transparency

Organizations performing self-assessments must have a senior company official affirm the assessment results, enhancing accountability. Clearer guidelines and requirements also aim to increase transparency and understanding of what is needed for compliance.

With the phased implementation that began in May 2023, CMMC 2.0 is projected to be included in all DoD contracts as soon as 2026. However, it’s important to note that even if CMMC isn’t in your organization’s DoD contract by a certain date, as soon as the CMMC final rule is released it will be rolled out to the market and applicable for audits. To be competitive within the DoD marketplace, organizations will need to prioritize compliance with CMMC 2.0. Prime contractors will also likely favor subcontractors who are more prepared to protect their supply chain.

FAQs

What is the purpose of CMMC? 

The purpose of the Cybersecurity Maturity Model Certification (CMMC) is to enhance the cybersecurity posture of companies working with the U.S. Department of Defense by ensuring they implement standardized cybersecurity practices to protect sensitive information.

Who is required to have CMMC?

All contractors and subcontractors that work with the DoD and handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) are required to have CMMC certification.

What are the 3 levels of CMMC?

The 3 levels of CMMC 2.0 are:

  • Level 1: Foundational - Basic cyber hygiene practices.
  • Level 2: Advanced - Intermediate cyber hygiene practices, aligned with NIST SP 800-171.
  • Level 3: Expert - Advanced cybersecurity practices, aligned with a subset of NIST SP 800-172.

What is the control overlap between CMMC 2.0/NIST 800-171 and NIST 800-53?

All of the controls in CMMC/NIST 800-171 are part of NIST 800-53, but not vice-versa. CMMC makes up around half of the NIST 800-53 controls.

How often are CMMC 2.0 assessments required?

CMMC assessments are required every three years for Levels 2 and 3. Level 1 requires annual self-assessments. 

What are the differences between CMMC 2.0 levels?

Level 1 (Foundational) is focused on protecting FCI. Level 2 (Advanced) and Level 3 (Expert) pertain to safeguarding CUI.
