Everything about the CMMC – Complete CMMC Guide



The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive program created by the Department of Defense (DoD) to protect American ingenuity and national security information from increasingly frequent and complex cyberattacks. It gives the DoD a mechanism to assess and certify cyber readiness across the hundreds of thousands of contractors and subcontractors that comprise the Defense Industrial Base (DIB).

In 2015, the DoD released the Defense Federal Acquisition Regulation Supplement (DFARS), a series of cybersecurity requirements contractors and subcontractors in the DIB had to follow to protect Controlled Unclassified Information (CUI). It includes complying with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).

In 2019, with adoption by the DIB lagging but with cyber threats growing, the DoD launched the CMMC 1.0, which aimed to ensure enhanced security through a structured third-party certification process. In addition, to enable a phased five-year rollout, the DoD released the DFARS Interim Rule, which requires contractors to work towards NIST 800-171 compliance ahead of CMMC certification.

In 2021, after much backlash and confusion, and following a comprehensive review of over 850 public comments, the DoD released CMMC 2.0. The updates simplify the program and minimize it in both scope and expectations, making it easier to understand and more feasible to adopt. There were several notable changes from CMMC 1.0 to CMMC 2.0.

This complete CMMC guide will review everything contractors need to know about CMMC, including its structure, requirements, and certification process.

What is CMMC Compliance?

The updated version of the CMMC consists of three progressively advanced cybersecurity levels: (1) Foundational, (2) Advanced, and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance through self-assessments or be certified triennially via a third-party assessment or government-led assessment.

In limited cases, the DoD will allow uncertified contractors to deploy a Plan of Actions & Milestones (POAM) to prove that they will achieve certification by a specific date. Additionally, in even rarer cases, the DoD will allow contractors to ask for a waiver of all CMMC requirements. The DoD has yet to release full details regarding POAMs and waivers.

Level 1, Foundational

Contractors who handle Federal Contract Information (FCI) will be required to meet Level 1. They will need to align with 17 basic cyber hygiene practices. These controls can be found in Federal Acquisition Regulation (FAR) 52.204.21 and are further defined in NIST 800-171. Because FCI is not considered sensitive information, the DoD will allow these contractors to assess their own cybersecurity and require them to submit scores and other documentation to the Supplier Performance Risk System (SPRS) yearly. No third-party or government-led assessments will be required for Level 1.

Level 2, Advanced

Contractors who handle CUI will be required to meet Level 2. They must align with the initial 17 practices from Level 1 and the additional 93 practices in NIST 800-171. As with Level 1, the DoD will require these contractors to assess their own cybersecurity yearly and submit scores and other documentation to the SPRS. For “prioritized acquisitions,” the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years. The Cyber Accreditation Body (AB), the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime, released the CMMC Assessment Process (CAP), which provides helpful guidance for contractors that are beginning to prepare for their CMMC Level 2 assessment.

Level 3, Expert

Contractors who handle the most sensitive CUI must meet Level 3. They need to align with all 110 NIST 800-171 controls and an additional number of controls (yet to be specified) from NIST 800-172. Unlike Level 1 and Level 2, the DoD will require contractors at this level to be certified via a government-led assessment. As of September 2022, the DoD has yet to release further details on the complete requirements for this level.

Who needs to comply with CMMC?

When the rulemaking is finalized, all contractors and subcontractors in the DIB must comply with CMMC at the level designated in their contract. In the meantime, contractors must comply with the DFARS Interim Rule, which requires a NIST 800-171 Basic Assessment.

What happens if I don’t comply with CMMC?

In short, contractors will lose any existing DoD contracts, and they won’t be able to bid for any new ones, let alone get a contract award, until they can demonstrate compliance with the required level in the contract. The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.

When will the CMMC rulemaking be finalized?

The DoD has indicated that the rulemaking will take anywhere from 9-24 months from the release date of the CMMC 2.0. This means that the final rule may be published as early as August 2022 or as late as November 2023.

Who manages subcontractor CMMC compliance?

Prime contractors who work with subcontractors will need to manage their subcontractor network and keep track of data flow. If a prime contractor shares or discloses CUI, the subcontractor must be Level 2 CMMC compliant. If the prime contractor shares or discloses FCI, the subcontractor must be Level 1 CMMC compliant. There are no subcontractor compliance requirements if the prime contractor does not share or disclose CUI or FCI. Prime contractors will require a CMMC subcontractor risk management platform to ensure compliance.

How can I get CMMC Certified?

Preparation and confidence are essential. Contractors with the necessary IT staff and resources may opt to prepare for the CMMC in-house. Contractors need to scope their organization adequately, conduct a NIST 800-171 Self-Assessment, document gaps, remediate them, and collect evidence. Having an automated assessment and evidence-collection platform will be extremely useful. Once they have the confidence, they can hire a C3PAO to conduct a certification assessment. Expect the assessment to consist of four phases:

Phase 1 starts with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan, and doing a readiness review.

In Phase 2, the C3PAO conducts the CMMC Assessment. This starts with an opening meeting between your organization and the assessment team. Following is an analysis and review of objective evidence related to the CMMC processes and practices, a discussion of any preliminary findings, and final output. Having an automated assessment and evidence-collection platform that the C3PAO can tap into will make this phase much more manageable.

Phase 3 covers post-assessment reporting. Results gathered by the assessment team are then forwarded with recommendations to the OSC Sponsor and the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies a level recommendation.

Phase 4 may require remediation if the assessment identifies that a company falls a few practices short of the target CMMC performance level. The C3PAO will forward the remediation request to CMMC-AB for approval. If approved, contractors have 90 days to address any shortfalls in performance.

How does SaltyCloud help with CMMC?

Isora GRC from SaltyCloud is the Lightweight GRC Assessment Platform that enables organizations to achieve continuous risk visibility at scale without the complexities of manual processes or legacy software solutions. It provides the ability to conduct assessments against the required practices, including NIST 800-171 & NIST 800-172, securely collect evidence, access compliance maturity dashboards, and export reports and Plans of Action and Milestones (POAMs). It also helps contractors manage and assess their subcontractor compliance. SaltyCloud is a CMMC Registered Provider Organization (RPO). Learn more about Isora GRC from SaltyCloud.


Over the last few years, the DoD has made strides on its mission to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables its warfighters. Although the CMMC has hit a few bumps in the road, its most recent November 2021 updates indicate that the model is here to stay and that contractors should be readying themselves for when the rules are finalized, which could happen as early as August 2022.

The CMMC is not going anywhere. Contractors who wish to continue working with the DoD must identify long-term and scalable solutions to organizational cybersecurity.