Articles
Article

Everything about the CMMC, 2024 Complete Guide

SaltyCloud Research Team

Published on April 17, 2023  •  Read Time

Table of Contents

The Cybersecurity Maturity Model Certification (CMMC) represents the Department of Defense’s (DoD) strategic response to the escalating frequency and sophistication of cyberattacks, safeguarding American innovation and national security information. Designed as a comprehensive framework, the CMMC aims to enhance the cyber-readiness of the vast network of contractors and subcontractors within the Defense Industrial Base (DIB). This initiative is crucial in ensuring that entities dealing with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) maintain robust cybersecurity standards.

In light of the recent December 2023 release of the proposed rule, the anticipated implementation of the CMMC program is now projected for early 2025. This revised timeline offers organizations additional preparation time to align with the upcoming requirements. However, given the complexity and breadth of the CMMC framework, beginning the compliance journey sooner rather than later is advisable for all entities in the DIB.

The anticipated implementation of the CMMC program is now projected for early 2025

This complete guide provides a thorough overview of the CMMC, delving into its structure, specific requirements, and the certification process. It is designed to equip defense contractors with the essential knowledge and insights needed to navigate the CMMC landscape effectively and to prepare for compliance in anticipation of the 2025 implementation.

What is CMMC?

At its foundation, three guiding principles define cybersecurity maturity model certification compliance:

  • To protect sensitive unclassified information and defense information from cyber threats, cyberattacks, and nation-state actors;
  • To create a unified cybersecurity standard for contractors; and
  • To ensure accountability for defense companies responsible for protecting government data.

What are the 3 Levels of CMMC 2.0?

The most recent version of the CMMC framework consists of three progressively advanced levels: (1) Foundational, (2) Advanced, and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified triennially via a third-party or government-led assessment.

Each CMMC level requires contractors to adhere to a set of security controls and prove compliance.

In limited cases, the Department of Defense will allow uncertified contractors to deploy a Plan of Actions & Milestones (POAM) to prove that they will achieve certification by a specific date. Additionally, in even rarer cases, the DoD will allow contractors to ask for a waiver of all requirements. The DoD has yet to release full details regarding POAMs and waivers.

CMMC Level 1: Foundational

Contractors who handle FCI will be required to meet Level 1 CMMC compliance. These contractors will need to align with 17 basic cyber hygiene practices. These controls can be found in the Federal Acquisition Regulation (FAR) 52.204.21 and are further defined in NIST SP 800-171

Contractors who handle FCI will be required to meet Level 1 CMMC compliance. 

Because FCI is not sensitive information, the Department of Defense will allow Level 1 contractors to assess their cybersecurity. It will require them to submit scores and other documentation to the Supplier Performance Risk Systems (SPRS) yearly. Level 1 compliance does not require third-party or government-led assessments.

CMMC Level 2: Advanced

Contractors who handle CUI will be required to meet Level 2 CMMC compliance. These contractors must align with the initial 17 practices from Level 1 and an additional 93 practices in NIST 800-171. As with Level 1 compliance, the DoD will require these contractors to assess their cybersecurity yearly and submit scores and other documentation to the SPRS. 

Contractors who handle CUI will be required to meet Level 2 CMMC compliance.

For “prioritized acquisitions,” the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years. 

The Cyber Accreditation Body (AB), the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime, released the CMMC Assessment Process (CAP), which provides helpful guidance for contractors that are beginning to prepare for their CMMC Level 2 assessment.

CMMC Level 3: Expert

Contractors who handle the most sensitive CUI will be required to meet Level 3 CMMC compliance. These contractors need to align with all 110 NIST 800-171 controls and an additional number of controls (yet to be specified) from NIST 800-172

Contractors who handle the most sensitive CUI will be required to meet Level 3 CMMC compliance. 

Unlike Level 1 and Level 2 compliance, the DoD will require contractors at this maturity level to be certified via a government-led assessment. As of February 2023, the DoD has yet to release further details on the complete enhanced security requirements for this level.

CMMC timeline

In 2015, the Department of Defense (DoD) initiated the Defense Federal Acquisition Regulation Supplement (DFARS), setting cybersecurity and information security requirements for defense industrial base contractors and subcontractors. This included adherence to the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171.

Facing escalating cyber threats and lagging adoption by the defense industrial base, the DoD launched the CMMC 1.0 in 2019. This version emphasized a third-party certification process and introduced the DFARS Interim Rule, mandating NIST 800-171 compliance ahead of full CMMC certification.

The shift to CMMC 2.0 occurred in 2021, prompted by substantial feedback and confusion surrounding the initial version. Key changes in CMMC 2.0 focused on simplifying the program and reducing its scope for easier adoption and clearer understanding.

By 2023, the DoD had yet to finalize the CMMC 2.0 rulemaking process, with a proposed rule announced in May 2023. Anticipations were set for CMMC assessments to potentially appear in contracts as early as 2024.

The landscape took a significant turn on December 26, 2023, when the DoD issued the proposed rule for the CMMC program. Under the new structure, the CMMC encompasses three levels of increasing cybersecurity requirements. Compliance now involves either a self-assessment or a third-party certification assessment, depending on the CMMC Level applicable to the contract.

The DoD detailed a phased rollout over two and a half years, beginning with the finalization of the CMMC rule (amendment of DFARS 252.204–7021):

  1. Phase 1: Effective from the final rule’s date, requires contractors to conduct self-assessments for CMMC Level 1 or 2 as a prerequisite for contract awards. The DoD may selectively enforce third-party Level 2 assessments.
  2. Phase 2: Starting six months post-Phase 1, mandates third-party Level 2 certification assessments for all relevant contracts, with potential inclusion of Level 3 requirements.
  3. Phase 3: Commencing one year after Phase 2, extends the Level 2 certification requirement to prior awarded contracts, subject to the applicability of CMMC Level 2. Level 3 requirements could also become more widespread.
  4. Phase 4: One year following Phase 3, marks the full implementation of the CMMC program. All DoD solicitations and contracts will incorporate CMMC requirements, including existing contracts’ option periods.

If hypothetically, the final CMMC rule is effective from December 26, 2024, the rollout would follow this timeline: Phase 1 begins on December 26, 2024; Phase 2 on June 26, 2025; Phase 3 on June 26, 2026; and full implementation (Phase 4) on June 26, 2027. Although the two and a half year period may appear extensive, contractors should immediately start assessing their compliance, particularly those aiming for third-party certifications at Levels 2 or 3. Non-compliance risks missing out on new contract opportunities or potentially losing existing DoD contracts if option periods are not exercised.

Who needs to comply with CMMC?.

Although many contractors are not yet required to obtain CMMC assessments, they are required to follow cybersecurity  standards. When the rulemaking is final, all contractors and subcontractors in the DIB must comply with the CMMC program at the level designated in their contract. This includes:

  • Prime contractors
  • Subcontractors
  • Any suppliers within the DoD supply chain

CMMC requirements will affect over 300,000 organizations.

According to the DoD, forthcoming CMMC requirements stand to affect over 300,000 organizations. In the meantime, contractors must comply with the Interim DFARS Rule, which requires a NIST SP 800-171 Basic Assessment.

Who manages subcontractor CMMC compliance?

Prime contractors who work with subcontractors will need to manage their subcontractor supply chain network and keep track of data flow. If a prime contractor shares or discloses CUI, the subcontractor must be Level 2 CMMC compliant. If the prime contractor shares or discloses FCI, the subcontractor must be Level 1 CMMC compliant. 

There are no subcontractor compliance requirements if the prime contractor does not share or disclose CUI or FCI. Prime contractors will require a CMMC subcontractor risk management platform to ensure compliance.

When will the CMMC rule-making be finalized?

The path to finalizing the CMMC has been more prolonged and complex than initially anticipated. While the original projections by the Pentagon in 2019 suggested the start of certifying Department of Defense (DoD) contractors as early as 2020, the actual progress has seen significant delays.

Contrary to earlier expectations that the final rule would take effect in May 2023, the reality has shifted. The DoD only released the proposed rule in December 2023. This delay indicates a more extended timeline for the CMMC implementation than previously thought.

Currently, the period for submitting comments on the proposed rule is open until February 26, suggesting that the regulatory process is still in a stage of gathering and considering stakeholder feedback. This essential phase of rulemaking typically precedes the finalization of any new regulation.

The final rule for the CMMC might not be effective until early 2025

Given these developments, it’s reasonable to project that the final rule for the CMMC might not be effective until early 2025. This adjusted timeline means that contractors have additional time to prepare for compliance, but it also implies that they need to stay informed and adaptable to upcoming changes.

What happens if I don’t comply with CMMC?

Once the notice of proposed rulemaking is published, the program’s requirements will likely take place as part of a phased rollout. Any contractors that don’t comply with the CMMC framework will lose any existing DoD contracts, won’t be able to bid for any new contracts, and won’t be able to get a contract award until they can demonstrate compliance with the required level in the contract. More details on implementation will be available following the forthcoming rulemaking. 

CMMC compliance readiness will be a critical differentiator once the rules take effect.

Recent reports indicate that many contractors aren’t following the required NIST cybersecurity controls, so CMMC compliance readiness will be a critical differentiator once the rules take effect. 

The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. That means contractors who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches will be held accountable.

How can I get CMMC certified?

As the proposed rulemaking date nears, preparation and confidence are essential for success. Contractors with the necessary IT staff and CMMC resources may opt to prepare in-house. To do so, contractors must scope their organization adequately, conduct a NIST 800-171 Self-Assessment, document gaps, remediate them, and collect evidence.

An automated assessment and evidence-collection platform will be necessary.

In most cases, having an automated assessment and evidence-collection platform will be helpful–if not necessary–for this process. Once contractors are confident in their compliance status, they can hire a C3PAO to conduct a certification assessment. 

Contractors can expect a C3PAO assessment to consist of the following four phases:

  • Phase 1: This phase starts with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan, and conducting a readiness review. 
  • Phase 2: In this phase, the C3PAO conducts the CMMC Assessment, which begins with an opening meeting between your organization and the assessment team. Next is the analysis and review of objective evidence related to the CMMC processes and practices, a discussion of any preliminary findings, and the final output. Again, having an automated assessment and evidence-collection platform that the C3PAO can tap into will make this phase much more manageable. 
  • Phase 3: This phase covers post-assessment reporting. Assessors gather results and send them with recommendations to the OSC Sponsor and the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies a level recommendation. 
  • Phase 4: This phase may require remediation if the assessment identifies that a company falls a few practices short of the target CMMC performance level. The C3PAO will forward the remediation request to CMMC-AB for approval. If approved, contractors will have 90 days to address any shortfalls in performance. 

How Isora GRC from SaltyCloud can help

The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in early 2025.

Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and automated solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora empowers Information Security & Assurance teams to create a collaborative workspace where their Information Security Risk Management program can thrive.

By centering GRC around people, Isora not only facilitates risk reduction and regulatory compliance but also promotes program adoption, participation, and, most significantly, a risk-aware culture.

  • Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.

Other Relevant Content

Say hello to powerfully simple GRC

The easier solution for mitigating risk, improving compliance, and building resilience