Guide: What is CMMC Compliance?
With its significant updates in recent years, you may be wondering, what is CMMC compliance again? As you might expect, the U.S. Department of Defense (DoD) takes data security very seriously. Its servers and systems play host to critical information concerning the military industrial complex, international allies and foes. If that data were to fall into the wrong hands, it could have devastating consequences for the U.S. and its associates.
But, like any other organization—government or private—it leans on external subcontractors and companies for support. Vendors that work with the DoD may process some of the agency’s controlled unclassified information (CUI) as part of the services they provide. If a contractor’s systems aren’t secure, it opens the door to breaches that disseminate CUI outside its intended hands.
The DoD recognizes the risk that a data breach may have on national security. So much so that it introduced the Cybersecurity Maturity Model Certification (CMMC) to gauge the data protections of its third-party vendors. Contractors and companies that do any form of business with the DoD—even if they don’t process CUI—must obtain a CMMC certification. Without a valid CMMC and compliance with those DoD cybersecurity standards, they can’t contract with the DoD.
Table of Contents
What Is CMMC Compliance and Why Is It Important?
Who Needs CMMC Certification?
What Is the Difference Between CMMC 1.0 and CMMC 2.0?
When Will CMMC 2.0 Be Required?
The Levels of CMMC Maturity
How Do You Get CMMC-Certified?
What Is CMMC Compliance and Why Is It Important?
The CMMC is the DoD’s proactive assessment program used to vet prospective and existing vendors with whom it contracts. Companies that are successfully CMMC compliant have the appropriate data security protocols and tools in place to prevent data loss or breaches.
There’s some history of vendor-related data breaches involving the DoD. The most prominent was the SolarWinds breach. During that breach, hackers successfully inserted malicious code into a software update. That code found its way into the systems of over 18,000 customers—including those of the Pentagon and the Treasury and Justice departments.
The SolarWinds breach gave hackers access to plenty of CUI among the federal agencies it infiltrated. Even worse, access continued for over a year before being detected.
Clearly, the federal government doesn’t want hackers infiltrating its systems. Its reliance on third parties for various services increases the risk of a breach. Through the CMMC program, the government aims to mitigate its exposure to bad actors.
There are three CMMC compliance certification levels—I, II and III. The highest certification is CMMC III, while the lowest is CMMC I. The certification a vendor needs depends on whether it handles Federal Contract Information (FCI) or CUI and, if so, how much of it.
Vendors with DoD contracts need some form of CMMC certification. Without it, they won’t qualify to do business with the DoD. If you or your organization has an existing DoD contract or wants to acquire one, getting CMMC-qualified is mandatory.
Who Needs CMMC Certification?
Any business or contractor that handles FCI or CUI should get a DoD CMMC certification. That includes all organizations—from major defense contractors to small businesses. Even if you’re not in the loop of national security issues, your company may need to comply if it touches any FCI or CUI. In fact, you may be more at risk of a data breach since hackers may view your systems as easier to penetrate.
Being CMMC compliant makes it easier to qualify for revenue-generating defense contracts. If that’s something your business goes after, you want to know how the process works.
What Is the Difference Between CMMC 1.0 and CMMC 2.0?
There are two versions of CMMC certification: 1.0 and 2.0. The older version is CMMC 1.0, and it originated in 2019. It initially contained five security maturity levels tracking a contractor’s cyber protections and controls. The government dropped CMMC 1.0 in 2023 in favor of a simpler approach through CMMC 2.0 with three levels.
CMMC 1.0 included practices outside the NIST SP 800-171 and NIST SP 800-172 standards. Those criteria were specific only to the CMMC certification process. That caused some misunderstanding among contractors seeking a CMMC. The varying CMMC maturity levels also made the process more complex than necessary in the eyes of the government.
Per CMMC 1.0, compliance was only possible if a vendor met all the standards under the security level it applied for. There was no option to address deficiencies and retain certification.
With CMMC 2.0, there are just three security maturity levels. Level 1 comes from Federal Acquisition Regulation (FAR) clause 52.204-21, and the other two come directly from NIST SP 800-171 and NIST SP 800-172.
CMMC 2.0 allows vendors to correct any shortfalls in the certification process, so long as they do so within 180 days. There are some limits to deficiency corrections—for instance, a vendor must still score a baseline approval for its certification. If it doesn’t, there’s no option to fix the deficiencies.
When Will CMMC 2.0 Be Required?
CMMC 2.0 became effective on December 16, 2024. Implementation occurs over four phases:
- Phase I: Starts immediately; new contract solicitations require a Level I or II self-assessment.
- Phase II: Begins in December 2025 and introduces the full Level II standards, including third-party audits.
- Phase III: Starts in December 2026. Organizations requiring a Level III certification must undergo the appropriate government-led security audit.
- Phase IV: Begins in December 2027. New defense contracts include language stipulating the CMMC Level requirements.
In short: if you plan on bidding for a new DoD contract, you need a CMMC certification. The DoD only requires self-affirming Level I and II certifications for the next 12 months, but requirements change after that. If your organization falls into the Level II category, you may need a CMMC audit starting in December 2025. The full scope of the CMMC program takes effect in December 2026, including the government-led Level III assessments.
The Levels of CMMC Maturity
Any business or contractor with access to FCI or CUI must get a CMMC certification. But what are the differences between each level? Here’s a look at how they differ.
Level I CMMC Certification
A vendor or contractor that handles only FCI might need a Level I CMMC certification. FCI includes information created by or received from the federal government that isn’t meant for public release. In other words, you won’t find it on a .gov website anywhere.
FCI can include information about the government’s staff, technology devices and systems, facilities or external service providers. An example of FCI might be the layout of a military base and its buildings. That information probably isn’t available online, but a contracted vendor hired for janitorial work might know those details and require a Level I CMMC certification.
A Level I CMMC certification is the easiest to get since it doesn’t require a third-party audit. The vendor simply reviews 15 different controls and affirms it meets the basic safeguarding requirements for the certification.
Level II CMMC Certification
The next-highest CMMC certification is Level II. Vendors that handle both CUI and FCI may fall under this category, depending on the sensitivity of the information they handle.
A Level II CMMC certification may involve self-affirmation or a third-party audit. In a self-affirmation, the vendor confirms its adherence to 110 different data-handling best practices. Those criteria align with NIST SP 800-171, which lays out the controls for protecting CUI.
Vendors requiring Level II CMMC with a third-party audit abide by the same 110 data-handling standards. But instead of affirming their compliance, a government-approved third-party auditor assesses the contractor’s ability to satisfy the criteria.
Level III CMMC Certification
Only organizations that face ongoing security threats and regularly handle CUI and FCI require the Level III CMMC certification. These vendors work with highly sensitive information that impacts critical defense programs. A hack or data breach against the vendor might have serious repercussions for U.S. national security and that of its allies.
Vendors can obtain a Level III CMMC certification by meeting all 110 security controls that are part of NIST SP 800-171, plus those of NIST SP 800-172. There is no self-affirmation option or third-party audit. Instead, the government itself reviews the contractor’s security methods and decides whether to approve the certification.
The government defines CMMC certification levels in its external contracts. You won’t know exactly which certification you need until you apply for an available contract. But you may be able to make a realistic guess based on the services or products your organization provides.
How Do You Get CMMC-Certified?
Obtaining a CMMC certification is a major win. It can open your business up to profitable defense contracts it might not otherwise be in the running for. But getting a valid certification isn’t easy, especially for vendors that require the third-party or governmental audit under Level II or III CMMC.
Here are the steps to take to obtain your CMMC certification.
1. Review the CMMC Compliance Requirements
You are now familiar with the baseline requirements of CMMC certification outlined above. But each CMMC level requires adherence to specific standards. Fortunately, the government makes this relatively easy to understand through its Scoping and Assessment guides, which are available through the DoD Chief Information Officer website.
The Scoping guides outline the different FCI and CUI assets that fall under each level’s category. They provide examples of assets that may require a specific level of CMMC certification. For instance, software that stores or processes CUI falls under Level II security requirements. Similar software storing highly sensitive CUI may be a Level III concern.
Assessment guides provide the specific security controls the DoD wants its vendors to meet based on the sensitivity of the data handled. The number of security controls varies depending on the level of CMMC certification. For Level I, there are 15 criteria, but Level III certification requires adherence to many more.
2. Determine Your Desired Maturity Level
There’s no reason to aim for a higher-level CMMC certification than necessary. The extra compliance requirements can be quite costly and time-consuming. So, in this stage, you want to figure out the types of contracts you plan on bidding for and whether they involve handling FCI and CUI. Remember, you only need a Level II or III certification if you handle or process CUI. If your business is FCI only, you can get by with a Level I self-affirmation.
3. Do a Pre-Assessment With a Recruitment Process Outsourcer (RPO) or Certified Third-Party Assessment Organization (C3PAO)
You’re not required to do a pre-assessment, but it can help you identify any deficiencies before you go for the full certification. Onspring’s CMMC assessment software can show you where you stand in the certification process. Our system identifies all the documents and objectives you need to achieve based on your desired CMMC certification level. It can also pinpoint certification deficiencies so you can fix them before bidding on a new defense contract.
4. Locate a C3PAO for an Assessment
The CMMC Marketplace can connect you with DoD-approved C3PAOs that perform assessments. When you think your company is ready to get its certification, use the site to locate an eligible C3PAO to perform the testing. Your C3PAO will do the assessment based on your desired certification level.
Once you initiate a formal assessment, there’s no turning back. That’s why it’s important to self-assess first. You don’t want to risk any compliance issues that put your certification plans on hold. While you may have a chance to correct any deficiencies, taking care of them before the audit can save you time and money.
5. Fix Any Deficiencies
If your C3PAO uncovers any shortfalls in your security protocols, you have a short time to fix them—usually up to 180 days. The follow-up may not even concern a deficiency: the C3PAO may request additional supporting evidence to review, which you need to supply before it can issue its final decision.
6. Receive Your Certification
Assuming all goes well, you’ll earn your CMMC certification. That certification gives you the qualifications you need to bid on DoD contracts.
Level II and III certifications last for three years. At the end of that period, you undergo another assessment to retain your CMMC.
7. Annually Affirm Compliance With CMMC Requirements
Your responsibilities don’t end with an approved CMMC certification. The DoD requires contractors to annually confirm that their security practices line up with expectations. You’ll self-affirm each year until your CMMC certification comes up for renewal. Then it’s time to repeat the full assessment with a C3PAO.
Get a Head Start on CMMC Compliance
A CMMC certification opens the door to defense contracts your company may not otherwise be eligible for. While the process isn’t easy (especially if you’re going for a Level III certification), you can prepare ahead of time through Onspring. Schedule a demo with our team to learn about our CMMC assessment software created especially for DoD contractors.