What is CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) program establishes assessment mechanisms to verify defense contractors’ compliance with Department of Defense (DoD) security requirements for the protection of sensitive information. Those security requirements have been in effect since 2017, but self-assessment has been permitted until now and therefore compliance has been weak.

Under CMMC, any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need to achieve one of the three CMMC levels, as specified in its contract, to be eligible to do defense-related work.

CMMC rulemaking took a huge leap forward with publication of the CMMC Proposed Rule in the Federal Register in December 2023. CMMC requirements are expected to be codified by late 2024 and in contracts by March 2025.

This blog explains the basics you need to know about CMMC, shares the latest information about CMMC’s roll out and projected costs of compliance, and offers tips on how to get started on CMMC compliance.

What is CMMC

The CMMC program is designed to raise cybersecurity levels throughout the Defense Industrial Base (DIB) by better protecting FCI and CUI.

  • FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
  • CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies.

Importantly, CMMC doesn’t change existing cybersecurity requirements for protecting FCI and CUI; rather, it steps up enforcement of security requirements already in effect. Until now, organizations have been permitted to self-assess their compliance with DoD security requirements, but under CMMC the vast majority of defense contractors will need to pass independent third-party assessments. Those will be conducted by CMMC Third Party Assessment Organizations (aka C3PAOs) that are trained and certified by the Cyber AB, CMMC’s official accreditation body.

The CMMC compliance levels

CMMC has three compliance levels, based on the type of information DIB organizations are working with:

  • Level 1 is for organizations working with FCI only and requires compliance with the basic safeguarding requirements and procedures specified in FAR 52.204-21.
  • Level 2 is for organizations working with CUI and requires compliance with the 110 security controls specified in NIST 800-171.
  • Level 3 is for organizations working with CUI and subject to Advanced Persistent Threats (APTs) and requires compliance with NIST 800-172.

Who needs CMMC certification?

If your organization handles FCI or CUI, then you’ll need to achieve CMMC certification at the level specified in your contract. Note that DFARS 7020 requires prime contractors to flow down security requirements to their subcontractors, including CMMC mandates. That means that even organizations far down the DIB supply chain are still subject to CMMC requirements. That’s because cyber criminals know that large, prime defense contractors are well protected, and so typically save themselves time and effort by going after their subcontractors. Raising cybersecurity levels throughout the entire supply chain is one of DoD’s key goals for the CMMC program.

CMMC Compliance Requirements

To be eligible to work on defense contracts, your organization will need to comply with the security controls required at its CMMC level, and undergo assessments as shown in the figure below.

Figure: CMMC security and assessment requirements, based on the information being handled. Source: DoD Chief Information Officer website.

  • Level 1: Defense contractors handling FCI will be required to perform annual self-assessments. At Level 2, just 5% of contractors will be permitted to perform annual self-assessments. This subset includes contractors that, while handling CUI, are working on projects that do not involve sensitive national security information, i.e., non-prioritized acquisitions.
  • Level 2: 95% of defense contractors handling CUI will be required to undergo third-party assessments once every three years. Those will need to be conducted by accredited C3PAOs, who will assess organizations’ compliance with the 110 NIST 800-171 security controls.
  • Level 3: These defense contractors—who by definition are working on the most critical defense programs—will be required to undergo triennial assessments conducted by teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s ultimate authority on compliance.


How does CMMC Differ from NIST 800-171?

CMMC Level 2 security controls exactly mirror the 110 NIST 800-171 security controls. Any organization that handles CUI has a DFARS 7012 clause in its contract that requires compliance with NIST 800-171. That’s been the case since 2017, so organizations should already be well on their way toward meeting CMMC Level 2 security controls.

The key difference is that to achieve CMMC Level 2, self-assessment of compliance with NIST 800-171 will no longer be permitted. Stacy Bostjanick (DoD Chief of DIB Cybersecurity) put it this way in a recent PreVeil webinar:

CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.

Organizations that don’t meet all 110 NIST 800-171 controls on their initial JSVA assessment will be permitted to create Plans of Action & Milestones (POA&Ms) indicating how and when the unmet controls will be met. Additionally, under CMMC—unlike with NIST 800-171—POA&Ms will be time-bound: to achieve CMMC Level 2 certification, organizations will need to address all the deficiencies outlined in their POA&M within 180 days.

CMMC Timeline – When will CMMC be in contracts?

The Title 32 CMMC Proposed Rule was published in the Federal Register in late December 2023, and the Title 48 CMMC Proposed Rule was sent to OIRA (Office of Information and Regulatory Affairs) at the OMB (Office of Management and Budget) in May 2024. We expect the CMMC rule to go into force and be codified in DFARS 252.204-7021 by the end of 2024 and in contracts by March 2025. See our CMMC timeline blog for more details.

It is important for contractors to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.

As Matt Travis, CEO of the Cyber-AB, the CMMC accreditation body, said during PreVeil’s 2023 CMMC Summit: “If you’re one of those companies…hoping that the protracted [CMMC] rulemaking will save you, you’re misguided and that’s a reckless way to run your business.”

Cost of CMMC compliance

Costs associated with CMMC Level 2 certification will vary widely across organizations. Variables include current cybersecurity maturity level, scope of CUI enclave, number of employees that handle CUI, how much preparation organizations can do on their own for their C3PAO assessment, and how much outside expertise will be needed to achieve CMMC Level 2 certification.

On average, the Department of Defense estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, plus the cost of any technology needed to comply, as shown in the table below.

Table: DoD CMMC Level 2 certification and cost estimates for small defense contractors (fewer than 500 employees or revenue under $7.5 million). Source: Proposed Rule: Cybersecurity Maturity Model Certification Program.

These cost estimates include time spent by both in-house IT specialists and External Service Providers (ESPs)—such as Registered Practitioners (RPs), Certified CMMC Assessors (CCAs), and C3PAOs—that can help organizations achieve CMMC Level 2.

It’s important to note that these cost estimates start at the C3PAO assessment phase and do not include any costs prior to that point. That’s because defense contractors have been required to comply with NIST 800-171—which CMMC Level 2 requirements mirror—since 2017. Therefore, DoD doesn’t consider NIST 800-171 compliance technologies or documentation a new expense.

The good news is that technology solutions that reduce the time and costs to achieve NIST 800-171 compliance and CMMC Level 2 certification are available. PreVeil’s blog, 6 Ways to Save Money on CMMC Certification Costs, will help you better understand the costs involved, and provides tips on how to save money on each step of the CMMC certification process.

How to get started with CMMC compliance

If you’re just starting your CMMC Level 2 compliance journey, you should focus on meeting the 110 controls in NIST 800-171. PreVeil offers a three-step roadmap to NIST 800-171 compliance and CMMC Level 2 certification.

1. Adopt a platform that securely stores, processes and transmits CUI.

You’ll need to choose an email and file sharing platform that enables compliance with NIST 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST 800-171 standards; ask for documented evidence.

Many PreVeil customers have achieved perfect 110 NIST 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete. Moreover, PreVeil can be deployed in hours, uses your existing email addresses, and is easy for your team to use.

2. Use prepared documentation to show compliance and save time and money.

Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming, and costly task. PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more.

3. Identify certified consultants that are familiar with your technology

It’s understandable that many organizations lack the internal security expertise to conduct their NIST 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money. To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants—all with expert knowledge of DFARS, NIST, CMMC and PreVeil.

Now is the time to get started on CMMC compliance. Informed estimates from C3PAOs who have done this work are that it takes typical small to midsize organizations anywhere from 12-18 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.

To learn more

PreVeil is trusted by more than 1,000 small and midsize defense contractors. Learn more about how PreVeil can help you achieve CMMC Level 2 certification faster and more affordably:


*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove. Read the original post at: