CMMC Certification – Everything You Need to Know


In the past several years, Department of Defense (DoD) contractors have had to tackle a new initiative to ensure the security of the DoD and to protect government-related sensitive data – the Cybersecurity Maturity Model Certification (CMMC) program.

Introduced in 2020, the CMMC program requires any current or future DoD contractor to receive CMMC certification before entering into a formal partnership or contract with the DoD. The certification process applies to IT companies and defense contractors that handle security-sensitive data and information, including cybersecurity companies. However, it also applies to any DoD contractor or subcontractor with a connection to the Department of Defense.

Even a subcontractor that provides snacks for government vending machines or performs landscaping services for DoD offices will need to be CMMC compliant, as will IT companies of every size. This can be a daunting process for contractors who are unfamiliar with the CMMC framework. However, with the right support and guidance, contractors can achieve compliance and continue their partnership with the government.

History of Cybersecurity Maturity Model Certification (CMMC)
The High Risk of Not Having CMMC
What is the CMMC Program?
Understanding FCI and CUI
Navigating the Differences Between the Original CMMC and CMMC 2.0
What DoD Contractors Must Achieve Certification?
The Three Levels of CMMC 2.0
Does CMMC Apply to All Government-related Work?
How is CMMC Certification Achieved?
When it Comes to CMMC’s Unique Practices, Emeritus Can Help!

The Process of Obtaining the Cybersecurity Maturity Model Certification

There are multiple CMMC requirements to take into consideration to achieve a specific CMMC level, and the department-initiated rulemaking process is constantly changing.

In fact, shortly after the CMMC program was introduced in 2020, the Department of Defense announced an updated and enhanced CMMC 2.0 version roughly a year later. In doing so, the government added an extra layer of cybersecurity best practices for DoD contracts.

If you are a company currently working with the Department of Defense (or want to work with the government via a DoD contract in the future), understanding the CMMC model should be a top priority. Emeritus has a team of registered practitioners who can handle all the details of CMMC compliance (and perform an intricate and individualized CMMC assessment). However, it’s helpful to understand the basics of the cybersecurity maturity model certification process to get started.


History of the Cybersecurity Maturity Model Certification (CMMC)

Though cybersecurity is a hot topic and a growing concern, federal government-based cybersecurity controls and cybersecurity requirements are by no means new. In fact, the first cybersecurity maturity model was introduced in 1986, well before the broader world had ever heard of the internet.

Before introducing the CMMC framework and the later CMMC 2.0 version, there were guidelines and documentation in place for DoD contractors and subcontractors to ensure communications protection and cybersecurity standards.

Before the CMMC program, contractors were advised to follow the National Institute of Standards and Technology’s 800-171 guide for protecting controlled unclassified information (CUI). However, this process had its pitfalls and was somewhat ineffective. For one thing, these cybersecurity requirements were not necessarily monitored and were based on the self-assessment of defense industrial base (DIB) contractors.

As a result, many cybersecurity standards fell by the wayside – not because defense industrial base (DIB) contractors were negligent, but simply because these cybersecurity processes were not a priority in a DoD contract.

The High Risk of Not Having CMMC

In a 2018 report issued by the Council of Economic Advisers (CEA), the economic costs of malicious cyber activity were thoroughly examined across all sectors, and the results were staggering.

Per the report, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 alone. By extension, any attacks on critical infrastructure sectors, including the many facets of the DoD’s operations, would be highly damaging to the U.S. economy.

Reports like these, as well as a noticeable rise in cybercriminal activity both within the U.S. and abroad, led to a new rulemaking process for cybersecurity requirements.

The CMMC program was launched in 2020. According to the OSD Federal Register, the Department initiated an internal assessment of the original CMMC 1.0 implementation that was informed by more than 850 public comments in response to the interim DFARS rule.

Simply put, as the OSD Federal Register outlined, the proposed rules of CMMC 1.0 were put to the test, and they were subsequently adapted and changed based on the CMMC program’s first few months of existence.

The CMMC 2.0 was introduced in late 2021, and the changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process, with all IT companies and DoD contractors expected to achieve CMMC compliance by 2026.


What is the CMMC Program?

Per the Department of Defense, the Cybersecurity Maturity Model Certification (CMMC) program is aligned with DoD’s information security requirements for DIB partners.

The CMMC framework is designed to ensure the protection of sensitive unclassified information shared between the Department of Defense and its contractors and subcontractors, including IT companies. The program assures the DoD that contractors and subcontractors are meeting the cybersecurity requirements. Additionally, these requirements apply to acquisition programs and systems that process controlled unclassified information.

Having CMMC compliance in hand means that contractors will have a better opportunity to bid (and win) contracts with the DoD, both now and in the future.

Understanding FCI and CUI

When it comes to the CMMC program, there are two types of data or information that are generally protected from disclosure or unauthorized use:

  • Controlled Unclassified Information (CUI) requires safeguarding pursuant to and consistent with applicable laws, regulations, and government-wide policies.
  • Federal Contract Information (FCI) is information not intended for public release and provided by or generated for the government under a contract to develop or deliver a specified product or service.

The majority of DoD contracts deal with controlled unclassified information. However, both types of data may need to meet the cybersecurity standards of the Cybersecurity Maturity Model Certification (CMMC) process.

On November 4, 2021, the Department of Defense announced a new and strategic direction for the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of the internal program assessment that tested the original CMMC framework.

Per a DoD press release issued at the time of the launch of CMMC 2.0, the enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, with the following adjustments identified in the rulemaking process:

  • simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements.
  • focusing on the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs.
  • increasing Department oversight of professional and ethical standards in the assessment ecosystem.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” stated Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, in the 2021 press release. “By establishing a more collaborative relationship with the industry, these updates will support businesses in adopting the practices they need to thwart cyberthreats while minimizing barriers to compliance with DoD requirements.”

The defense industrial base is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Through DoD contractors, bad actors can spread into numerous systems and data sets, including sensitive federal contract information and other information that can be damaging to the government and the U.S. economy.

By enhancing DIB cybersecurity to meet these advanced persistent threats and safeguarding the information that supports and enables all aspects of government operations, the government’s cybersecurity and acquisition leaders can minimize future cybersecurity risks.


What DoD Contractors Must Achieve Certification?

Any company with a DoD contract (or bidding for a DoD contract) should achieve CMMC certification to cover all its bases. However, when it comes to creating a system security plan in order to maintain compliance with CMMC 2.0, there are multiple CMMC levels, each of which outlines the cybersecurity standards that a company must adhere to.

The Three Levels of CMMC 2.0

Unlike the previous policies (like the NIST 800-171), the DoD-developed CMMC and CMMC 2.0 have multiple levels of best practices and processes. These range from “basic cyber hygiene” to more advanced cybersecurity measures that correlate with sensitive defense industrial base contracts.

Starting at CMMC Level 1, each level represents a higher tier of security. For a company to achieve certification at a higher level, it must demonstrate that it has also met the cybersecurity standards of the lower levels.

Note: One of the major changes in CMMC 2.0 is that the number of levels changed from five in the original CMMC framework to just three, which still range from basic cybersecurity best practices to more advanced security measures.

The federal contract information typically outlines the CMMC level that a specific DoD contractor requires. However, the guidelines for each CMMC level are as follows:

Level 1

Foundational Cyber Hygiene Practice: This level requires basic cybersecurity protocols deployed by most companies. To reach Level 1, firms need to implement 17 NIST SP 800-171 Rev2 controls.
Who needs CMMC Level 1 compliance? DoD contractors and subcontractors that handle Federal Contract Information (FCI) will typically need CMMC level 1 certification.

Level 2

Advanced Cyber Hygiene Practice: This level requires all 110 NIST SP 800-171 Rev2 controls to achieve Level 2 certification. Level 2 practices are earmarked as advanced cyber hygiene practices, a middle ground between Level 1 and Level 3. Depending on the DoD contract, some organizations may also need to pass a higher-level assessment by a CMMC Third Party Assessment Organization (C3PAO) every three years.
Who needs CMMC Level 2 compliance? DoD contractors and subcontractors that handle CUI data connected to national security (regardless of whether it is critical or non-critical) will generally need to meet Level 2 compliance.

Level 3

Expert Cyber Hygiene Practice: This level includes advanced cybersecurity processes that are implemented, reviewed, and updated across a company’s operations. Companies need to implement all NIST 800-171 controls plus an additional subset of NIST 800-172 controls.
Who needs CMMC Level 3 compliance? DoD contractors and subcontractors that handle CUI for DoD programs with the highest priority or security will generally need to acquire Level 3 compliance.


Does CMMC Apply to All Government-related Work?

When it comes to the broader realm of public information, CMMC certification may not be required.

Public information is described as data that is “public release approved,” or data that is available from an uncontrolled, publicly available government source. This includes information already cleared for media release, such as industrial output forecasts intended for general release and publication.

Handling public information does not require special controls and is not covered by official CMMC guidelines. This means that DoD contractors and subcontractors that only work with public information (like media outlets) will likely not require CMMC certification.


How is CMMC Certification Achieved?

Once CMMC 2.0 is officially implemented, all DoD contractors will need to obtain a third-party CMMC assessment.

The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO).

Accredited C3PAOs will be listed on The Cyber AB Marketplace, and the DIB company will be fully responsible for obtaining the needed assessment and certification. This includes coordinating and planning the CMMC assessment.

After completing the CMMC assessment, the C3PAO will upload the assessment report into CMMC eMASS, which the DoD can access and review.

It is estimated that by the end of 2025, all DoD contractors will be required to obtain CMMC assessments and CMMC certifications.

The Process of Obtaining CMMC Certification

The most important question for most current and future DoD contractors when it comes to CMMC compliance is, “Where should I begin?”

Achieving the various CMMC levels may require several adjustments to a company’s configuration management, physical protection measures, and other CMMC-specific practices. Together, these ensure a defined level of security for classified and unclassified information.

Also, keep in mind that as the rulemaking process evolves, any interim rule of the current CMMC model is subject to change. Achieving Cybersecurity Maturity Model Certification can be a challenging endeavor, which is why a company’s certification and acquisition leaders must review all aspects of their systems before requesting a third-party CMMC assessment.


When it Comes to CMMC’s Unique Practices, Emeritus Can Help!

Achieving Cybersecurity Maturity Model Certification (CMMC) takes time, possibly up to six months or even more. This is why it’s essential for current and future DoD contractors to have all their ducks in a row well before seeking CMMC certification.

At Emeritus, we can help with these company-wide details, ensuring that the policies, solutions, and systems that you have in place meet the new standards of CMMC 2.0.

It’s essential to have cybersecurity measures in place, both for your company’s security and to broaden your opportunities in the months, years, and decades ahead. The federal government works with contractors across all industries and specialties. That is why achieving CMMC compliance can open the door to many new contracts and jobs well into the future.

Let’s dive deeper into the cybersecurity practices you have in place and how we can help you advance your cybersecurity policies and measures to the next level.

With Emeritus as your behind-the-scenes cybersecurity partner, you can be well-equipped when it comes time to earn your Cybersecurity Maturity Model Certification. More importantly, you can ensure the right protection for your company inside and out against any cybersecurity threats that may appear ahead.

Reach out to us today.