The CMMC Key to Unlocking DoD Opportunity


Is your organization secure enough to do business with the U.S. Department of Defense?

Proving that your organization is secure enough to do business with the U.S. Department of Defense (DoD) has taken a big leap forward with the arrival of the Cybersecurity Maturity Model Certification (CMMC). Get it right, and you set the stage to compete for DoD contracts, listed at over $700 billion in 2022. Ignore it—or fail to achieve the certification level your business needs—and you have slammed the door on working with the DoD.

Achieving CMMC compliance is a complex, multidimensional process, but if you work in the so-called “defense industrial base” that contracts with the DoD—or plans to—you’re going to have to work with it. So, here’s a quick lowdown on the CMMC 2.0 credential and the essential facts on why it should be central to your cybersecurity planning.


What is CMMC and Why Do We Need It?

Corporate data breaches have become a regular occurrence in the day-to-day activities of modern businesses, so common and widespread that many of us pay little attention even when we’re told our information was among that of the thousands or millions of people affected. In fact, the larger the breach—like the 2021 SolarWinds breach that affected 100 companies and 12 government agencies, including all five branches of the U.S. military, when 18,000 users were compromised by downloading code that contained a virus—the more impersonal and abstract the danger feels. This is exactly why the CMMC matters as a government certification.

But the U.S. Department of Defense can’t take a casual posture toward digital breaches. To the DoD and its contractors, security breaches can be lethal, potentially both endangering military personnel and threatening national security and the stability of democratic allies throughout the world. With the threat of nation-states deploying advanced cyberattacks ever present, the DoD developed the Cybersecurity Maturity Model Certification to provide a standardized way to assess, improve, and certify the cybersecurity of both prime contractors and subcontractors in the department’s massive supply chain. In presenting this security roadmap to government contractors, the DoD hopes to put safeguards in place to prevent another SolarWinds situation.


The DoD released version 1 of the CMMC model on Jan 31, 2020 as part of the Defense Federal Acquisition Regulation Supplement (DFARS). Experts in CMMC say it’s built on, and closely aligns with, an earlier security standard from the National Institute of Standards and Technology (NIST), Special Publication NIST SP 800-171. Longtime contractors familiar with the earlier standard know it as the set of requirements that any non-Federal computer system must follow to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

But in 2021, the DoD released an updated version of the certification, CMMC 2.0, to simplify the process of achieving CMMC, reduce costs, build trust, and clarify requirements so that they better align with other federal requirements and other commonly accepted standards.

The CMMC brings a jumble of acronyms and numbers that may sound complicated. That’s because it is complicated. What’s important to remember is that being part of this buzzwordy endeavor not only helps protect DoD data and assets but can make your own organization more secure in the process—regardless of who you’re doing business with.

What are the CMMC Certification Levels?

If you plan to do business and bid on contracts with the DoD (or work with an organization that does), you’re going to need some level of CMMC certification. And considering the many ways CMMC requires security to be woven into your company’s culture, practices, and technical infrastructure, the time to start preparing is now.

Below is an overview of each level of CMMC 2.0, but for more information and details on the requirements, we recommend reading Understanding and Leveling Up Your CMMC Maturity.

| Level | Model | Assessment |
|---|---|---|
| Level 1 – Foundational | 15 practices | Annual self-assessment and annual affirmation |
| Level 2 – Advanced | 110 practices aligned with NIST SP 800-171 | Triennial third-party assessments for critical national security information; triennial self-assessments for select programs |
| Level 3 – Expert | 110+ practices based on NIST SP 800-171 and 800-172 | Triennial government-led assessments |

The level your organization needs to achieve depends on the sensitivity of information associated with products or projects you plan to bid on and will presumably be listed when a contract goes up for bid. While prime contractors may be required to achieve Level 3, subcontractors may simply need to get Level 1, or “Foundational.”

And the model is cumulative: each level you go up includes and builds on what is required—and must already be achieved—at the previous level.

How Do I Get CMMC Certified?

Achieving certification depends mainly on one thing: your use of critical national security information.

The type of information your organization uses for business processes—and what information your contractors and subcontractors use—will determine which level and type of assessment is required for certification. Organizations handling critical national security information will require a Level 2 or Level 3 assessment, conducted by a third party or led by the government. Organizations not handling critical information need only complete a Level 1 self-assessment in order to do business with the DoD.

The specific requirements for each level are as follows…

As you start to handle that critical information, you will likely need a third-party assessment to achieve the higher levels of certification and maturity.

How Do NIST and POA&Ms Come into Play?

Prior security standards from NIST were self-attested, meaning you could simply declare yourself compliant and be treated as compliant. With CMMC 2.0, each level’s requirements are aligned with NIST and other cybersecurity standards used in the industry.

CMMC shifts the burden of proving cybersecurity compliance from self-assessment to external assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs).

Self-assessments should be conducted prior to working with C3PAOs, as these evaluations could yield findings that require you to develop a POA&M, or Plan of Action and Milestones. This document details the specific measures your company will take to correct deficiencies found during a security control assessment, including the tasks and the resources required to carry out the plan.

In this new version of CMMC, the Department of Defense allows organizations to draft POA&Ms in place of certain CMMC requirements. However, to take advantage of this, organizations must already comply with certain requirements before drafting POA&Ms that address the remaining requirements within a specified timeline.

A POA&M can be valuable for driving your team’s preparation toward higher levels of cybersecurity maturity. But before you’re ready for evaluation, there’s documentation to complete, technology to deploy, processes and capabilities and controls to put in place, acronyms to make sense of . . . Deep breath. You can do this. And we can help.

Will CMMC Rock Society to Its Core?

Let’s be honest: It won’t. But successful use of the certification can help protect the cybersecurity of the U.S. defense establishment and all the soldiers, citizens, industries, and allies who depend on secure information. So maybe not rocking society to its core is the true measure of success in this case.

But here’s the thing: If you don’t get a handle on CMMC, it could shake your own world by locking your business out of DoD bids. This means you’re handing opportunities to competitors who’ve got something you don’t.

And remember, a CMMC certificate is valid for three years. So, depending on how well your bidding goes for DoD contracts—and your company’s vision for the future—you may very well spend those three years preparing for the next assessment.

Ready for more? Read the next article in our CMMC series, “Charting Your Cybersecurity Maturity Model Certification Path.”


Opportunity is knocking

See what Onspring can do for your CMMC certification plans.