Ensuring that you have a strong defense against cyber-attacks surely benefits you in many ways. Still, the next step in cybersecurity is crucial if you are a contractor who wishes to work with and for the government.
Editor's note: This post was originally published in 2022, and the information is already outdated following the release of CMMC 2.0. For the latest CMMC guidelines, read "What is CMMC 2.0 and Does Your Business Need One?"
Cybersecurity Maturity Model Certification or CMMC is the next step in cybersecurity requirements for defense contractors. It is a government certification that measures an organization’s cybersecurity level maturity and aligns the practices with the type of information to be protected.
Given that it is of national-level security concern, CMMC assessment follows strict guidelines. It has different levels of certification that will determine a contractor’s eligibility to bid on a government contract or subcontract.
Here at ITS, we help hundreds of businesses stay on top of cybersecurity best practices and compliance standards to get that competitive advantage. In this article, you will learn about:
- What is CMMC
- Who needs CMMC
- Levels of CMMC
- Four things you can expect when processing CMMC
What is CMMC?
Past cybersecurity standards, including NIST 800-171 and FAR 52.204–21, have only required self-assessments. This called for companies to maintain a Security System Process Plan (SSP), and a Plan of Actions & Milestones (POA&M), but without federal auditors to ensure the standards had been enacted.
Such a process created a disadvantage for compliant businesses who dedicated resources to meet these standards but were bidding against other companies who have claimed to have security initiatives in place but have never had to demonstrate proof. It also left vulnerabilities in the effort to protect national data.
Due to this, CMMC was implemented by the Department of Defense (DoD) to improve the protection of the defense industrial base. Its main purpose is to protect two specific kinds of information:
- Federal Contract Information (FCI)
The federal government protects information regarding its contracts—both details generated by the government and those provided by contractors.
- Controlled Unclassified Information (CUI)
CUI encompasses any data that is sensitive in nature, but that does not require federal clearance to access. This includes personally identifiable information, technical drawings, legal documents, and other intellectual property.
CMMC outlines procedures businesses must take to protect FCI and CUI if they intend to work with the DoD or other federal agencies adopting these standards.
Who needs CMMC?
As mentioned above, all businesses contracting with the DoD are required to have certification to a certain level depending on the nature of their contract. Level 1 is equivalent to FAR 52.204–21, so businesses that have already achieved this standard independently will have a head start on those just beginning the process.
On the other hand, most non-prime businesses will need to meet Level 3 standards, including all 110 NIST controls, plus an additional 20 controls specific to CMMC. Implementing these controls will take a concerted effort by any business required to demonstrate compliance.
CMMC certification will offer significant competitive advantages to businesses by allowing certified organizations to bid and accept government contracts involving CUI.
Levels of CMMC
The five levels of CMMC lay out the protection required to keep certain types of government information safe.
Level 1:
Level one certification follows the most basic cybersecurity best practices and what should every government contractor be doing already. It has the same requirement as the existing FAR 52.204-21, including maintaining anti-virus software, following strong password protocols, and running regular software updates.
Level 2:
A level two certification requires compliance with intermediate cybersecurity standards. It’s like a transitionary stage for level three and is a must for any business working with CUI.
Level 3:
For businesses storing or processing CUI, possessing government data, holding Federal Contract Information or export-controlled data, a level three CMMC compliance is a must. A level three CMMC is what most government contractors should aim for.
Level 4:
Like level two, level four is a transitionary stage for level five. Requirements for this CMMC level can be pretty challenging, requiring you to take measures to protect yourself against run-of-the-mill cyber attacks and advanced persistent threats, including terrorist organizations and rogue nation-states.
Level 5:
As the highest CMMC certification level, businesses at this level should have a fully optimized process in place as well as cutting-edge cybersecurity tools to prevent the most sophisticated hacking methods.
Four things you can expect when processing CMMC
Many businesses are facing pressure to adopt these measures and achieve certification quickly. However, in many cases, the certification process is more involved than these businesses expect.
In order to approach the process productively, there are several expectations businesses should have about what is required of them.
1. The process to achieve CMMC can take up to twelve months… or more
Businesses cannot meet CMMC standards overnight. In fact, it could reasonably take most businesses at least a full year to be qualified for certification. If your business plans to bid on DoD contracts in the upcoming year, it is imperative that you begin working towards satisfying the requirements as soon as possible. 
2. Achieving CMMC will require active participation by the company
Many companies expect to hire an outside contractor to bring their systems up to CMMC standards for them, which is not a realistic understanding of what all is required to be compliant. The active participation of the company and implementation of standards, processes, and procedures are required to achieve and maintain compliance.
3. CMMC is awarded on a pass/fail basis
In the past, a business only needed to document its intent and plan to meet bidding requirements. CMMC is a step beyond this. It requires a business to be certified and does not guarantee an automatic pass once you’ve gone through the requirements. You’ll need to reassess your cybersecurity if it fails to meet the standards on the first try.
4. Maintaining CMMC standards is an ongoing process
Companies are often under the mistaken impression that meeting CMMC requirements can be left to the IT department. However, practicing cybersecurity hygiene is a more holistic process that must incorporate multiple departments from HR to Operations. Team members must be trained in the appropriate procedures and new workflows must be designed to ensure the controls are followed. Seeing this process through requires a compliance manager who can maintain CMMC requirements.
Also, since cybersecurity threats and standards are constantly evolving, some standards require continuous monitoring, review, tasks, and documentation. Businesses that pass these standards will be certified for three years, but an organization is likely to fail future audits without individual monitoring and maintaining compliance requirements.
Ready to be CMMC certified?
Processing CMMC may be a lot to take in for a small to medium-sized business. Fortunately, you will not have to do it all alone.
At ITS, we work closely with our clients, explaining the full CMMC process, walking through their infrastructure, looking at the technical controls, and reviewing the policies that demonstrate how the control is being enacted. If you need assistance moving the process forward, you may give us a call today.