
Who Needs to Be CMMC Compliant?
Since the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, many business professionals have realized their compliance efforts and day-to-day operations will need to change. Others may still be unclear about whether it affects their compliance requirements at all. Here is how businesses can assess what changes they will need to implement in order to become compliant.
Why do contractors need to follow CMMC?
CMMC 2.0 is a program developed by the U.S. Department of Defense (DoD) to establish and enforce security requirements for its Defense Industrial Base (DIB) vendors and contractors. Since these companies deal with highly sensitive information and are often victims of cyberattacks, the government decided enforcing standards is necessary.
Companies working in the DIB supply chain regularly handle federal contract information (FCI) and controlled unclassified information (CUI)—types of data organizations collect, generate, send, or receive while developing or delivering their product or service to fulfill their contractual obligations—making them the target of increasingly sophisticated and frequent cyberattacks.
In light of rising cyber threats, the DoD needed to update and simplify CMMC 1.0. After years of development, it released its proposed regulations for 2.0 in December 2023. It worked with the National Institute of Standards and Technology (NIST) to select robust security standards for its contractors to follow.
What are the CMMC 2.0 certification levels?
What is the difference between CMMC 1.0 and 2.0? The DoD overhauled the requirements, assessment, and reporting processes and collapsed the original five levels into three. Here is an overview of the revised framework at a glance.
Level one
CMMC 2.0 level one is foundational, ensuring vendors possess the basic cyber hygiene needed to handle FCI. To maintain their status, they must meet the 15 security requirements drawn from FAR 52.204-21 and complete a self-assessment annually.
Unlike the other levels, which are scored, level one self-assessments result in a straightforward pass/fail "grade." A senior official of the assessed organization must electronically submit the result, along with an affirmation of compliance, to the DoD's Supplier Performance Risk System (SPRS).
Level two
CMMC 2.0 level two—similar to CMMC 1.0's level three—is advanced, meaning companies must have stronger cyber hygiene and adhere to more rules. They must meet the 110 requirements of NIST SP 800-171. Depending on the contract, this is verified either by an annual self-assessment or by a certification assessment from an accredited third-party assessment organization (C3PAO) every three years, with an annual affirmation of continued compliance in between.
Companies can pass an assessment with a score of at least 80% (88 of 110 requirements), provided every requirement the rule excludes from deferral is fully met. Any remaining gaps must be tracked in a Plan of Action and Milestones (POA&M) and closed out within 180 days of the assessment; otherwise the conditional status expires.
Level three
CMMC 2.0 level three—similar to CMMC 1.0's level five—is expert. Contractors must first hold a level two certification, then meet an additional 24 requirements selected from NIST SP 800-172 on top of the 110 from NIST SP 800-171. Level three assessments are government-led (conducted by the DoD's DIBCAC), repeated every three years, and accompanied by annual affirmations.
Entities are allowed to have a POA&M if they initially fail to meet select requirements during their assessment. Similarly to level two, they must be closed out within 180 days to maintain their certification.
Which companies need to be CMMC certified?
Companies must be CMMC-certified before entering into a contractual agreement with the DoD. Even if companies don’t deal with the government agency or its data directly, any system that interacts with CUI data is subject to CMMC controls—meaning they must receive certification even if they’re only tangentially involved.
- Does CMMC apply to subcontractors? Yes, they must meet CMMC requirements if they handle FCI or CUI. The prime contractor must flow the requirement down, and each subcontractor needs the level appropriate to the information it actually receives: a subcontractor that only handles FCI needs level one even if the prime is at level two, while any subcontractor receiving CUI needs at least level two. Subcontractors follow the same assessment and affirmation processes as primes at that level. Notably, while CMMC was developed for the DIB supply chain, vendors wanting to do other business with the government may still find certification a competitive advantage.
- When can contractors self-certify? Level one—organizations dealing only with FCI—always uses an annual self-assessment. Some level two contracts also permit a self-assessment, while others require a C3PAO certification assessment; the contract specifies which. In either self-assessment case, a senior official must affirm compliance by submitting the results to the Supplier Performance Risk System.
- What level of CMMC 2.0 do contractors need? If contractors only handle FCI, level one will suffice. If they deal with CUI, they will likely be at level two; they will require level three certification if they handle CUI and are subject to advanced, persistent threats. That said, the DoD ultimately determines specifics depending on the data’s scope and sensitivity.
CMMC certification isn't a one-step procedure—it's an ongoing process. Companies must remain compliant throughout their contract or risk losing it. Recurring assessments and annual affirmations, which carry personal accountability for the official who signs them, are designed to surface noncompliance quickly.
When will CMMC 2.0 be required for DoD contracts?
CMMC 2.0 will become a contractual requirement when the DoD finalizes rulemaking and fully implements the program. Since that could take up to two years from the December 2023 proposal, CMMC 2.0 could be required as early as 2024 or as late as the beginning of 2026, with the DoD planning a phased rollout across contracts. Regardless of when it becomes official, decision-makers shouldn't wait to adopt the new standards.
What CMMC compliance means for your business
To comply with CMMC, companies must deploy and maintain the required safeguards. Robust authentication and access control, encryption, and audit logging are necessary—as is thorough recordkeeping to demonstrate each requirement is met—regardless of level. Companies must also monitor, analyze, investigate, and report suspicious, unauthorized, or illegal activity as early as possible.
Entities have other impacts to consider beyond improving security controls to bring themselves in line with 2.0, one of the most significant being expenses. Fortunately, the DoD seems confident that 2.0 assessment costs will be comparatively lower than CMMC 1.0 since it is simplifying requirements, allowing for self-assessments, and improving third-party oversight.
In addition to assessments, firms must affirm their ongoing compliance with the security requirements. A senior official of the prime contractor—or of the subcontractor, if applicable—must do so annually and after every assessment or POA&M closeout. For level three organizations, a DoD (DIBCAC) assessor conducts the evaluation and submits the results.
Tips to help your business become CMMC-compliant
Businesses wanting to become CMMC compliant to work with the DoD or in the DIB supply chain should follow these tips to improve their certification chances:
Stay up-to-date with changes
While CMMC changes have taken years, there’s a strong likelihood the DoD may adjust requirements, rules, or timelines after the 2.0 proposal’s release as it finds practical issues. Decision-makers should stay up to date with any changes or official posts to ensure their security posture aligns with the latest requirements.
Do more than the bare minimum
Many contractors may have to overhaul their security posture and adopt new tools, techniques, and talent to maintain compliance. Going beyond the bare minimum requirements could save costs and reduce friction in the long term, as well as make a company competitive.
Be prepared for when the rulemaking finalizes
Since CMMC 2.0 will become official as soon as rulemaking is finalized—which could be as early as 2024—firms should accelerate their preparations to ensure they can get DoD contracts and maintain compliance during assessments.