Table of Contents
Who needs to comply with CMMC?
When will the CMMC rulemaking be finalized?
What happens if I don't comply with CMMC?
How can I get CMMC certified?
How Isora GRC from SaltyCloud can help
The Cybersecurity Maturity Model Certification (CMMC) represents the Department of Defense’s (DoD) strategic response to the escalating frequency and sophistication of cyberattacks, safeguarding American innovation and national security information. Designed as a comprehensive framework, the CMMC aims to enhance the cyber-readiness of the vast network of contractors and subcontractors within the Defense Industrial Base (DIB). This initiative is crucial in ensuring that entities dealing with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) maintain robust cybersecurity standards.
In light of the recent December 2023 release of the proposed rule, the anticipated implementation of the CMMC program is now projected for early 2025. This revised timeline offers organizations additional preparation time to align with the upcoming requirements. However, given the complexity and breadth of the CMMC framework, beginning the compliance journey sooner rather than later is advisable for all entities in the DIB.
This complete guide provides a thorough overview of the CMMC, delving into its structure, specific requirements, and the certification process. It is designed to equip defense contractors with the essential knowledge and insights needed to navigate the CMMC landscape effectively and to prepare for compliance in anticipation of the 2025 implementation.
What is CMMC?
At its foundation, three guiding principles define the CMMC program:
- To protect sensitive unclassified information and defense information from cyber threats, cyberattacks, and nation-state actors;
- To create a unified cybersecurity standard for contractors; and
- To ensure accountability for defense companies responsible for protecting government data.
What are the 3 Levels of CMMC 2.0?
The most recent version of the CMMC framework consists of three progressively advanced levels: (1) Foundational, (2) Advanced, and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified triennially via a third-party or government-led assessment.
In limited cases, the DoD will allow a contractor that falls short of its target level to close the remaining gaps under a Plan of Action and Milestones (POA&M). Under the December 2023 proposed rule, a POA&M is available only when the assessment score meets a minimum threshold, the open items are limited to lower-weighted requirements, and the gaps are closed within 180 days. Separately, and more rarely, a contracting office may request a waiver of the CMMC requirement for a specific procurement, which requires senior DoD approval. The final rule may still adjust the details of POA&Ms and waivers.
CMMC Level 1: Foundational
Contractors who handle FCI will be required to meet Level 1 CMMC compliance. These contractors need to implement 17 basic cyber hygiene practices (the December 2023 proposed rule counts them as the 15 security requirements of FAR 52.204-21). The practices come from Federal Acquisition Regulation (FAR) 52.204-21 and map onto corresponding requirements in NIST SP 800-171.
Because FCI is less sensitive than CUI, the DoD will allow Level 1 contractors to self-assess, submit the results to the Supplier Performance Risk System (SPRS), and affirm their compliance annually. Level 1 does not require a third-party or government-led assessment.
CMMC Level 2: Advanced
Contractors who handle CUI will be required to meet Level 2 CMMC compliance, which covers all 110 security requirements of NIST SP 800-171: the 17 practices from Level 1 plus 93 more. Contractors not selected for third-party certification will self-assess every three years, submit their scores and supporting documentation to SPRS, and affirm their compliance annually.
For “prioritized acquisitions,” the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years.
The Cyber AB (formerly the CMMC Accreditation Body), the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime, released the CMMC Assessment Process (CAP), which is useful guidance for contractors beginning to prepare for a Level 2 assessment.
CMMC Level 3: Expert
Contractors who handle the most sensitive CUI will be required to meet Level 3 CMMC compliance. These contractors must implement all 110 NIST SP 800-171 requirements plus a subset of 24 enhanced requirements selected from NIST SP 800-172, as listed in the December 2023 proposed rule.
Unlike Levels 1 and 2, Level 3 is assessed by the government (the Defense Industrial Base Cybersecurity Assessment Center, DIBCAC), and a contractor must already hold a Level 2 certification from a C3PAO for the relevant scope before the Level 3 assessment can begin.
Who needs to comply with CMMC?
Although many contractors are not yet required to obtain CMMC assessments, they are required to follow cybersecurity standards. When the rulemaking is final, all contractors and subcontractors in the DIB must comply with the CMMC program at the level designated in their contract. This includes:
- Prime contractors
- Any suppliers within the DoD supply chain
According to the DoD, forthcoming CMMC requirements stand to affect over 300,000 organizations. In the meantime, contractors that handle CUI must already comply with the interim DFARS rule (DFARS 252.204-7019 and 252.204-7020), which requires at least a NIST SP 800-171 Basic (self-)Assessment with the resulting score posted in SPRS.
Who manages subcontractor CMMC compliance?
Prime contractors who work with subcontractors will need to manage their subcontractor supply chain network and keep track of data flow. If a prime contractor shares or discloses CUI, the subcontractor must be Level 2 CMMC compliant. If the prime contractor shares or discloses FCI, the subcontractor must be Level 1 CMMC compliant.
There are no subcontractor compliance requirements if the prime contractor does not share or disclose CUI or FCI. Primes therefore need a way to track which subcontractors receive which category of data and at what level each has been assessed.
When will the CMMC rule-making be finalized?
The path to finalizing the CMMC has been more prolonged and complex than initially anticipated. While the original projections by the Pentagon in 2019 suggested the start of certifying Department of Defense (DoD) contractors as early as 2020, the actual progress has seen significant delays.
Contrary to earlier expectations that the final rule would take effect in May 2023, the reality has shifted. The DoD only released the proposed rule in December 2023. This delay indicates a more extended timeline for the CMMC implementation than previously thought.
Currently, the period for submitting comments on the proposed rule is open until February 26, 2024, which means the regulatory process is still in the stage of gathering and considering stakeholder feedback. This phase of rulemaking precedes the finalization of any new regulation.
Given these developments, it’s reasonable to project that the final rule for the CMMC might not be effective until early 2025. This adjusted timeline means that contractors have additional time to prepare for compliance, but it also implies that they need to stay informed and adaptable to upcoming changes.
What happens if I don’t comply with CMMC?
Once the final rule takes effect, its requirements will be phased into contracts over several years. Contractors that cannot demonstrate the level designated in a solicitation will not be eligible for award, and will likewise be unable to exercise options on contracts that include the CMMC clause, until they can show compliance with the required level. More details on implementation will be available in the final rule.
Recent reports indicate that many contractors aren’t following the required NIST cybersecurity controls, so CMMC compliance readiness will be a critical differentiator once the rules take effect.
The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. That means contractors who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches will be held accountable.
How can I get CMMC certified?
As the final rule nears, preparation and confidence are essential for success. Contractors with the necessary IT staff and CMMC resources may opt to prepare in-house. To do so, contractors must scope their organization adequately (identify which systems store, process, or transmit CUI or FCI), conduct a NIST SP 800-171 self-assessment, document gaps, remediate them, and collect evidence.
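As an added example (not part of the original page and not SaltyCloud's product code), the following Python scorer implements the arithmetic of the NIST SP 800-171 DoD Assessment Methodology behind the score a self-assessment posts to SPRS, and checks the proposed rule's POA&M conditions against the result. The rules it encodes are the methodology's: start at 110, subtract each unmet requirement's point value (5, 3 or 1), with partial credit only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography). The point-value table in the block is a small assumed sample for illustration; the authoritative weights for all 110 requirements are in Annex A of the methodology, and the sample assessment is constructed.

```python
"""Illustrative scorer for a NIST SP 800-171 Rev 2 self-assessment.

Implements the arithmetic of the DoD Assessment Methodology behind the
SPRS score: start at 110 and subtract each unmet requirement's point
value. Partial credit exists only for 3.5.3 (MFA) and 3.13.11 (FIPS
crypto); any other partially implemented requirement scores as unmet.
"""
from typing import Dict, List

# Requirement counts per family in NIST SP 800-171 Rev 2 (3.1 .. 3.14); sum is 110.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9, 9: 2,
                10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
ALL_REQUIREMENTS = [f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
                    for n in range(1, size + 1)]

MAX_SCORE = 110
MIN_SCORE = -203      # floor with the real Annex A table when nothing is implemented
POAM_MIN_SCORE = 88   # 80% of 110: proposed rule's minimum for a conditional status

# ASSUMED sample of point values, for illustration only. The authoritative
# weights are in Annex A of the DoD Assessment Methodology; any requirement
# not listed here is treated as worth 1 point.
FIVE_POINT = {"3.1.1", "3.1.2", "3.5.1", "3.5.2", "3.5.3", "3.13.11", "3.14.1", "3.14.2"}
THREE_POINT = {"3.1.5", "3.3.2", "3.5.7", "3.8.1"}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction when partially implemented

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def point_value(req: str) -> int:
    """Points a requirement is worth under the (sample) weighting table."""
    if req in FIVE_POINT:
        return 5
    if req in THREE_POINT:
        return 3
    return 1


def deduction(req: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return point_value(req)  # 'partial' anywhere else counts as not implemented


def compute_score(assessment: Dict[str, str]) -> int:
    """SPRS-style score for a complete assessment covering all 110 requirements."""
    missing = sorted(set(ALL_REQUIREMENTS) - set(assessment))
    unknown = sorted(set(assessment) - set(ALL_REQUIREMENTS))
    if missing or unknown:
        raise ValueError(f"incomplete assessment: missing={missing} unknown={unknown}")
    score = MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_blockers(assessment: Dict[str, str]) -> List[str]:
    """Reasons the remaining gaps could NOT be closed under a POA&M as the
    proposed rule describes it: score below 88, or any unmet requirement
    worth more than 1 point. The carve-out for a partially implemented
    3.13.11 is applied as we read the rule (treat it as an assumption)."""
    reasons: List[str] = []
    score = compute_score(assessment)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} below minimum {POAM_MIN_SCORE}")
    for req, status in assessment.items():
        lost = deduction(req, status)
        if lost > 1 and not (req == "3.13.11" and status == "partial"):
            reasons.append(f"{req} ({status}, {lost} points) cannot be on a POA&M")
    return reasons


def sample_assessment(overrides: Dict[str, str]) -> Dict[str, str]:
    """Constructed sample: every requirement implemented except the overrides."""
    assessment = {req: "implemented" for req in ALL_REQUIREMENTS}
    assessment.update(overrides)
    return assessment


if __name__ == "__main__":
    gaps = {"3.1.1": "not_implemented",   # 5 points (sample table)
            "3.5.3": "partial",           # MFA partial: 3 instead of 5
            "3.13.11": "partial",         # crypto not FIPS-validated: 3 instead of 5
            "3.8.3": "not_implemented"}   # unlisted, so 1 point
    a = sample_assessment(gaps)
    print("score:", compute_score(a))     # 110 - 5 - 3 - 3 - 1 = 98
    for reason in poam_blockers(a):
        print("POA&M blocker:", reason)
```

Two things the arithmetic makes visible that prose tends to hide: a handful of unmet high-weight requirements (MFA, FIPS-validated cryptography, account control) can drop a score far below the 88 needed for a conditional status even when most of the 110 are in place, and a score above that threshold still does not qualify for a POA&M if any of the open items carries more than one point. Swap the sample weighting for the Annex A table before relying on the numbers for a real submission.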
In most cases, having an automated assessment and evidence-collection platform will be helpful–if not necessary–for this process. Once contractors are confident in their compliance status, they can hire a C3PAO to conduct a certification assessment.
Contractors can expect a C3PAO assessment to consist of the following four phases:
- Phase 1: This phase starts with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan, and conducting a readiness review.
- Phase 2: In this phase, the C3PAO conducts the CMMC Assessment, which begins with an opening meeting between your organization and the assessment team. Next is the analysis and review of objective evidence related to the CMMC processes and practices, a discussion of any preliminary findings, and the final output. Again, having an automated assessment and evidence-collection platform that the C3PAO can tap into will make this phase much more manageable.
- Phase 3: This phase covers post-assessment reporting. Assessors gather results and send them with recommendations to the sponsor at the Organization Seeking Certification (OSC) and to the Cyber AB, which triggers a Cyber AB quality-assurance review. Based on the review, the Cyber AB issues or denies a level recommendation.
- Phase 4: This phase may involve remediation if the assessment finds that a company falls a few practices short of the target CMMC level. The C3PAO forwards the remediation request to the Cyber AB for approval. If approved, the CAP gives contractors 90 days to address the shortfalls.
How Isora GRC from SaltyCloud can help
The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in early 2025.
Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and automated solution that transcends outdated GRC platforms and tedious manual spreadsheets.
Isora empowers Information Security & Assurance teams to create a collaborative workspace where their Information Security Risk Management program can thrive.
By centering GRC around people, Isora not only facilitates risk reduction and regulatory compliance but also promotes program adoption, participation, and, most significantly, a risk-aware culture.
- Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
- Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
- Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
- Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.