What Is the Cybersecurity Maturity Model Certification (CMMC)?

In this article, we'll discuss the intricacies of Cybersecurity Maturity Model Certification (CMMC), from understanding its importance to navigating the certification process. If you're a defense contractor trying to win more contracts and secure your supply chain, this guide is your roadmap to CMMC success.

The Cybersecurity Maturity Model Certification (CMMC) program is designed to align with the Department of Defense's (DoD) information security requirements for Defense Industrial Base (DIB) partners. Its goal is to protect sensitive, unclassified information (either FCI or CUI) shared by the Department with its contractors and subcontractors.

Getting Started with CMMC

The Cybersecurity Maturity Model Certification, or CMMC, is a framework developed by the United States Department of Defense (DoD).

In the early 2010s, cyberattacks against DoD contractors surged. This highlighted the need for stricter cybersecurity measures.

In response, the DoD implemented a clause known as DFARS 252.204-7012, requiring DoD contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to comply with NIST SP 800-171 security controls. However, it relied on self-attestation instead of third-party audits and verification, which wasn't fully effective.

To address these shortcomings, the CMMC program was developed.

The Cybersecurity Maturity Model Certification (CMMC) is not a cybersecurity framework. CMMC certifies that manufacturers comply with the NIST 800-171 cybersecurity framework. Unlike previous security measures, CMMC doesn't allow organizations to self-assess their compliance with Department of Defense (DoD) security requirements. Instead, it mandates independent third-party assessments.

These assessments are conducted by certified CMMC Third Party Assessment Organizations (C3PAOs). These organizations are trained and accredited by the Cyber Accreditation Board, the official accreditation body of CMMC. This shift from self-assessment to third-party evaluation is a significant departure from previous practices.

CMMC is not just about checking off a list of security measures. It's about embodying security in every aspect of an organization's operations. It's about achieving a certain level of cybersecurity maturity, which is reflected in the organization's ability to protect sensitive information and respond to cyber threats proactively.

CMMC is a unifying standard and a new certification model that ensures these DoD contractors properly protect sensitive information. It's not just a set of guidelines or best practices; it's a requirement for any business that wants to work with the Department of Defense (DoD).

Why is CMMC Important?

The CMMC's primary goal is to prevent data breaches at defense contractors, which could lead to sensitive defense data being leaked to U.S. adversaries. Some historical breaches include:

  • The 2018 Sea Dragon hack saw the theft of communications and cryptography data from the U.S. submarine fleet - a serious risk to national security.
  • In 2021, USAID contractor Chemonics suffered a hack that leaked sensitive information related to employees.
  • That same year, Miracle Systems, an IT contractor for over 20 federal agencies, was breached at a cost of $500,000 to $1,000,000. The stolen data was advertised on the Dark Web.
  • In February 2024, IT contractor CGI Federal reported a breach of US government data related to software vulnerabilities.

But CMMC isn't just about protecting DoD information. By requiring contractors to implement cybersecurity best practices, CMMC helps to raise the overall cybersecurity posture of businesses across the DIB. This can benefit all organizations, not just those that work with the DoD.

Who Needs CMMC Certification?

The CMMC certification is a requirement for all companies in the DoD supply chain, including defense contractors, subcontractors, and suppliers; those who handle Controlled Unclassified Information (CUI) require Level 2 certification. The certification is designed to ensure that these entities have the necessary cybersecurity controls in place to protect sensitive defense information.

The certification process involves a CMMC assessment, which verifies the implementation of a set of processes and practices. This is to ensure a secure foundation for the defense supply chain.

What Are The Different Levels?

The CMMC 2.0 model has streamlined the maturity levels, moving away from the five-level system in CMMC 1.0. There are now three primary levels within CMMC 2.0:

  • Level 1 - Foundational: This level focuses on the implementation of basic cyber hygiene practices to protect Federal Contract Information (FCI).
  • Level 2 - Advanced: This level builds upon the Foundational level by requiring a more comprehensive and formalized cybersecurity program. It emphasizes risk management and the ability to detect and respond to various cyber threats. This level focuses on the implementation of cyber hygiene practices to protect Controlled Unclassified Information (CUI).
  • Level 3 - Expert: This is the highest level in CMMC 2.0. It demands a sophisticated and proactive cybersecurity posture, including measures to defend against advanced persistent threats (APTs).


Level 1 vs Level 2 Compliance

  • Level 1: If you only receive FCI and no CUI, then you are only required to be CMMC Level 1 compliant.
  • Level 2: If you receive CUI, then you are required to be CMMC Level 2 certified.

What is the difference between FCI and CUI?

CMMC applies to two main categories of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While both require protection, understanding the differences is crucial for CMMC compliance.

FCI (Federal Contract Information)

FCI refers to information not intended for public release that is provided by or generated for the government under a contract. This can include technical data, cost proposals, and project plans.

All federal contracts with the DoD will include FCI. FCI data is less sensitive than CUI. The leakage of FCI could be embarrassing or cause financial loss, but it wouldn't necessarily endanger national security. CMMC requires a minimum level of cybersecurity controls to protect FCI. The specific level depends on the type of contract and the sensitivity of the information.

CUI (Controlled Unclassified Information)

CUI refers to government information that requires safeguarding but is not classified. It covers a broad range of categories, including critical infrastructure data, financial information, and personal identifiable information (PII).

CUI data is more sensitive than FCI. If CUI data is leaked, it could have a significant impact on national security or public safety. CMMC requires a higher level of cybersecurity controls to protect CUI compared to FCI. This may involve more stringent access controls, data encryption, and incident response procedures.

How do I know if I receive CUI? If you have the clause DFARS 252.204-7012 in your contract, you handle CUI.

What's Different About CMMC 2.0 vs CMMC 1.0?

CMMC 2.0 is the latest version of the Cybersecurity Maturity Model Certification program, launched by the U.S. Department of Defense (DoD). It's designed to be an improvement over the original CMMC by streamlining the requirements and making it easier for contractors to comply. Here's a breakdown of the key features of CMMC 2.0:

  • Streamlined Levels: CMMC 2.0 reduces the number of cybersecurity maturity levels from five to three. This makes the program simpler for contractors to understand and implement.
  • Focus on NIST Standards: The requirements at each CMMC 2.0 level are aligned with well-established National Institute of Standards and Technology (NIST) cybersecurity standards. This should make compliance easier for organizations that are already familiar with these standards.
  • Self-assessment Option: For some CMMC 2.0 requirements, contractors may be able to conduct a self-assessment to demonstrate compliance. This can help to reduce the cost and time associated with obtaining certification.
  • Prioritized Approach: CMMC 2.0 focuses on protecting the most critical information first. This takes into account the different levels of risk associated with various types of DoD data.

Steps for CMMC Compliance

Preparing for the CMMC certification involves the following steps.

  • Identify the CMMC Level: Understand the level of CMMC certification your organization needs according to the contract requirement. Again, if you handle FCI only and no CUI, then you require Level 1 certification. If you handle any CUI, you require Level 2 certification.
  • Perform a Gap Analysis: A gap analysis identifies areas where your current practices fall short of the standards needed to achieve a specific CMMC level. Oftentimes a self-assessment score is generated that you will submit to the DoD's Supplier Performance Risk System (SPRS).
  • Create your System Security Plan (SSP): An SSP serves as a roadmap for protecting sensitive data and ensuring the system functions securely. It is a foundational and living document that lays out how the company is complying with CMMC policies and controls today.
  • Create your Plan of Action and Milestones (POAM): A POAM is a roadmap for addressing cybersecurity weaknesses in an organization's systems. It is a project plan that includes estimated dates for completion.
  • Submit your self-assessment score to the Supplier Performance Risk System: The self-assessment score generated during the gap analysis process, along with your POAM, will be submitted to the DoD's SPRS website to generate your SPRS score. An SPRS score measures the risk of a contractor's cybersecurity position in protecting sensitive DoD information (CDI/CUI), and is a requirement for all DoD contracts under the Interim Rule.
  • Mitigate the gaps identified in the gap analysis according to the POAM: This is the step where you fix all the gaps identified in the gap analysis. You, most often with guidance from a cybersecurity MSSP such as Site2, will be fixing any issues - implementing controls, creating any policy documents, etc. The time required can be anywhere from a couple of months up to 9 months or a year, depending on the starting point of the company and the appetite and urgency for getting it done.
  • Find a C3PAO: Locate a CMMC Third Party Assessment Organization (C3PAO) capable of conducting a CMMC audit. They will assess your current security measures and identify areas for improvement.
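To make the gap analysis, POAM and SPRS score steps concrete, here is an added example (not part of the original article, and not Site2's or the DoD's tooling). It applies the scoring rule from the DoD's NIST SP 800-171 Assessment Methodology: a perfect score is 110, each requirement that is not implemented deducts 1, 3 or 5 points according to its assigned weight, and only two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) earn partial credit, deducting 3 instead of 5. The requirement list, its point weights, statuses and target dates are a constructed sample for illustration, not a real assessment; real weights come from the methodology's annex.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_SCORE = 110            # all 110 NIST SP 800-171 requirements implemented
VALID_WEIGHTS = (1, 3, 5)  # the only deduction values the methodology uses

# Partial credit exists for exactly two requirements: MFA (3.5.3) and
# FIPS-validated encryption (3.13.11) deduct 3 rather than 5 when partial.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Requirement:
    ident: str                      # NIST SP 800-171 requirement number, e.g. "3.1.1"
    title: str
    weight: int                     # points deducted when not implemented: 1, 3 or 5
    implemented: bool
    partial: bool = False           # partially implemented (only matters for PARTIAL_CREDIT ids)
    target: Optional[date] = None   # planned completion date, recorded in the POAM

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.ident}: weight must be one of {VALID_WEIGHTS}")


def deduction(req: Requirement) -> int:
    """Points lost for one requirement under the assessment methodology."""
    if req.implemented:
        return 0
    if req.partial and req.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.ident]
    return req.weight


def sprs_score(reqs: List[Requirement]) -> int:
    """Self-assessment score to report in SPRS: 110 minus every deduction."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def gap_analysis(reqs: List[Requirement]) -> List[Requirement]:
    """Requirements that are not fully implemented, i.e. the gaps to close."""
    return [r for r in reqs if not r.implemented]


def build_poam(reqs: List[Requirement]) -> List[dict]:
    """POAM rows, highest-point gaps first so remediation order follows score impact."""
    rows = [
        {
            "id": r.ident,
            "title": r.title,
            "points": deduction(r),
            "target": r.target.isoformat() if r.target else "TBD",
        }
        for r in gap_analysis(reqs)
    ]
    return sorted(rows, key=lambda row: (-row["points"], row["id"]))


# Constructed sample assessment: titles, weights, statuses and dates are illustrative only.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5, True),
    Requirement("3.1.3", "Control the flow of CUI", 1, False, target=date(2025, 3, 31)),
    Requirement("3.3.1", "Create and retain system audit logs", 5, True),
    Requirement("3.5.3", "Multifactor authentication", 5, False, partial=True,
                target=date(2025, 2, 28)),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, False),
]

if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(SAMPLE)}")  # 101 for the constructed sample
    for row in build_poam(SAMPLE):
        print(f"{row['id']:8} -{row['points']} pts  due {row['target']}  {row['title']}")
```

The POAM is ordered by points lost rather than by requirement number, because closing the 5-point gaps first moves the SPRS score the most; the `partial` flag is deliberately ignored for any requirement other than the two the methodology names, so a mis-marked assessment cannot inflate the score.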

The CMMC is not just a one-time certification. It's a continuous process that requires regular assessments to ensure ongoing compliance. This is where third parties come into play. They are responsible for conducting these assessments and verifying that the suppliers are meeting the necessary standards.

The Importance of Understanding and Achieving CMMC

Understanding and achieving the Cybersecurity Maturity Model Certification (CMMC) is crucial for organizations that aim to work with the Department of Defense. It's not just about compliance, but also about ensuring the security of sensitive information.

The CMMC framework provides a clear path to enhance your cybersecurity maturity. With the help of third-party assessors and security experts, you can identify gaps in your information security standards and take the necessary steps to achieve CMMC compliance.

Remember, the journey to CMMC compliance is a continuous process of improvement. It's about maintaining a proactive approach to cybersecurity, staying updated with new CMMC information, and constantly striving to meet the evolving security requirements.

In the end, achieving CMMC is not just about securing a contract with the DoD, but also about safeguarding your organization's reputation and trust in the digital world.

The process can be tricky - especially if you are low on IT resources - but Site2 can help. We can help you simplify the entire process of CMMC compliance.