Who Needs CMMC Certification? Which CMMC Level Do You Need?


Key Takeaways

1. CMMC, or Cybersecurity Maturity Model Certification, is a Department of Defense program that verifies contractors implement the cybersecurity requirements (chiefly NIST SP 800-171) for protecting the federal information they handle.

2. Most organizations that work with the Department of Defense (DoD), both prime contractors and subcontractors, will need to obtain CMMC certification at the level matching the data they handle.

3. AWA is an expert in the domain of CMMC compliance. Our cybersecurity team can guide you throughout the compliance process and ensure you are CMMC-certified.

What is CMMC?

CMMC, short for Cybersecurity Maturity Model Certification, is a program established by the United States Department of Defense (DoD) to verify the cybersecurity readiness of the vendors and contractors the DoD works with. The current framework has three levels, with escalating requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The main goal of the CMMC program is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that flows through the department and its contractors (and their subcontractors).

Who Needs CMMC?

Most organizations, including prime and subcontractors engaged with the DoD, will eventually need to demonstrate compliance with CMMC. This mandate extends to all suppliers within the Defense Industrial Base (DIB) ecosystem, spanning small businesses, international suppliers, and larger contractors.

According to Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment at the DoD, cyber hygiene of government contractors is a priority and the importance of CMMC for protecting sensitive defense information cannot be overstated.

“We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” Arrington said during a presentation at the Professional Services Council Federal Acquisition Conference. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to a scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”


Who must be CMMC compliant? According to the DoD, the following entities must undergo and achieve CMMC certification:

  • Prime contractors
  • Subcontractors
  • Suppliers across all levels of the DIB
  • Contractors whose only customer is the DoD

Below are brief explanations of what each category means:

Prime Contractors

A prime contractor is a company or organization that holds a contract directly with the DoD to supply goods or services. Because they receive the contract's sensitive information directly, prime contractors are typically required to hold a higher CMMC level than their subcontractors.

They are responsible for flowing the relevant CMMC requirements down to subcontractors. The prime contractor determines the level each subcontractor needs based on the information it will receive during contract performance.

For example, if the prime and a subcontractor handle the same types of FCI and CUI, they are subject to the same CMMC level.

Subcontractors

Smaller businesses often collaborate with prime contractors as subcontractors, providing specific services within larger projects. 

These subcontractors must meet the CMMC requirements that correspond to the data they actually receive, because the contract's requirements flow down to them. A subcontractor does not automatically inherit the prime's level; it needs only the level appropriate to its own portion of the work.

For example, a subcontractor that receives CUI needs at least Level 2 certification, while a subcontractor on the same contract that receives only FCI needs only Level 1, even though the prime itself is assessed at Level 2.

Suppliers

Prime contractors may delegate parts of the work to other firms in the DIB, but they remain accountable for their DoD contract obligations, including the CMMC requirements that apply to those lower-tier firms.

Consequently, lower-tier suppliers must meet the CMMC level applicable to the tasks and data assigned to them, which may differ from the level required of the prime contractor.

Some examples of industries or entities that require CMMC are listed below:

  • Contractors
  • Vendors
  • Any other contracted third parties
  • Civilian organizations that do business with the DoD 
  • Software or service providers, such as logistics, IT, or communications companies
  • Small enterprises
  • Foreign suppliers
  • Enterprise-level contractors

If your company belongs to any of the above-mentioned categories and needs a CMMC, contact AWA to get expert guidance and audit operations.

Which CMMC Level Do You Need?

The CMMC framework consists of different levels. The required CMMC level depends on what a company does and whether it handles CUI or FCI. While CMMC 1.0 featured 5 maturity levels, the updated CMMC 2.0 has been simplified to just 3 maturity levels. 

The CMMC 1.0 levels are no longer used; they have been replaced by the CMMC 2.0 levels.

To show how the framework has evolved, we walk through the levels of both versions below, highlighting the changes made in the updated model.

CMMC 1.0 Levels

CMMC 1.0, released in 2020, organized its control domains and security practices into five maturity levels, ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 5). Each level added practices on top of the level below it.

Below are the five levels of CMMC 1.0.

Level 1 (Basic Cyber Hygiene)

CMMC Level 1 was the foundational certification level. Its 17 practices corresponded to the basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21, and it applied to companies handling only FCI.

Level 2 (Intermediate Cyber Hygiene)

CMMC Level 2 was a transitional step toward protecting CUI. It comprised 72 practices: the 17 from Level 1 plus 55 more drawn from NIST SP 800-171, which is the standard referenced by DFARS 252.204-7012. On its own it was not sufficient for handling CUI.

Level 3 (Good Cyber Hygiene)

This was the level for companies handling CUI and wanting to reduce risk from Advanced Persistent Threats (APTs); under CMMC 1.0, any DIB firm handling CUI needed at least Level 3. It built on the practices of Levels 1 and 2 and centered on safeguarding CUI.

Level 3 incorporated all 110 security requirements of NIST SP 800-171 plus additional CMMC-specific practices, for a total of 130 practices, 58 more than Level 2.

Level 4 (Proactive Cyber Hygiene)

At the second-highest certification level, the focus shifted to proactive measures to detect and respond to the tactics, techniques, and procedures used by APTs.

These advanced practices were meant to safeguard CUI against prolonged, targeted campaigns aimed at extracting sensitive data.

Level 5 (Advanced Cyber Hygiene)

Level 5 represented the highest level of readiness, focused on advanced and progressive practices to protect CUI from APTs. Companies seeking Level 5 had to demonstrate standardized and optimized processes across the organization.

For DoD contractors, CMMC is a requirement, not an option. Although the certification process can be lengthy and costly, the investment pays off in the end.

CMMC 2.0 Levels

CMMC 2.0 simplifies the model rather than expanding it. It collapses the five levels into three, removes the CMMC-unique practices and maturity-process requirements that CMMC 1.0 layered on top of NIST SP 800-171, aligns Level 2 exactly with the 110 requirements of NIST SP 800-171, and draws Level 3 from NIST SP 800-172. It also allows self-assessment at Level 1 and for some Level 2 contracts.

The DoD published the proposed rule to codify CMMC 2.0 in December 2023, and the program is being phased into DoD contracts.

The key differences between each level under CMMC 2.0 are:

CMMC 2.0
  • Level 1 is geared towards companies handling FCI only, in alignment with FAR 52.204-21
  • Level 2 is designed for companies dealing with CUI in alignment with NIST SP 800-171 and FAR 52.204-21
  • Level 3 is aimed at organizations with high-priority programs handling CUI, aligning with NIST SP 800-172, FAR 52.204-21, and NIST SP 800-171

Let’s get into the details of each level one by one:

Level 1: Basic Security 

This level is for companies handling FCI only. It covers 17 basic cybersecurity practices that protect FCI and other less-sensitive data. Compliance is validated by an annual self-assessment with an accompanying affirmation.

Level 2: Enhanced Security

Companies handling CUI need Level 2. It aligns with NIST SP 800-171 and consists of the standard's 110 security requirements. Most Level 2 contracts require an assessment by a certified third-party assessment organization (C3PAO) every three years; a subset of contracts allows a triennial self-assessment instead, with an annual affirmation in both cases.

Level 3: Advanced Security

The highest certification level focuses on protecting CUI in high-priority DoD programs. It includes all 110 NIST SP 800-171 requirements plus selected enhanced requirements from NIST SP 800-172, and it builds on a Level 2 certification. Level 3 requires a government-led assessment every three years.

Use AWA’s comprehensive CMMC Compliance Checklist to ensure your certification process is smooth and successful.

How Do Organizations Determine Their Need For Specific CMMC Levels?

Organizations assess their required CMMC level based on the types of information they handle and the nature of their work.

Now, we know that as a DoD contractor, your biggest question is probably “what certification level does my company need?”

To answer that, we need to determine the type of data involved in your DoD contract(s). This data falls into three main categories of information ranging from public information to FCI, and CUI: 

Public Information

Contractors that handle only public information for the DoD are outside the scope of CMMC. Information marked "Public Release Approved" or obtained from publicly accessible government sources does not require CMMC controls.

This category includes unmarked data from uncontrolled government channels, such as public reports on industrial forecasts. 

Handling public information does not require the safeguards defined in CMMC, so a contractor that exclusively handles such data for DoD projects does not need a CMMC certification.

FCI (Federal Contract Information)

Defense contractors that handle FCI but not CUI need CMMC Level 1.

This level covers the fundamental cybersecurity practices necessary to protect FCI, which is information provided by or generated for the government under a contract and not intended for public release. FCI status is often indicated in document markings or spelled out in the contract.

Note that FCI excludes simple transactional information, such as the data needed to process payments and invoices.

Contractors undertaking defense projects involving FCI data are likely to require Level 1 CMMC. This certification involves the adherence to 17 cybersecurity practices and permits an annual self-assessment for compliance validation.

CUI  (Controlled Unclassified Information)

Handling CUI requires at least CMMC Level 2. CUI is information that law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls; it is more sensitive than FCI and should be clearly identified in DoD contracts. The security requirements for protecting CUI are defined in NIST Special Publication 800-171, while identification and marking follow the DoD CUI program (DoDI 5200.48).

Contractors working on DoD projects involving CUI must obtain at least CMMC Level 2, which requires implementing all 110 NIST SP 800-171 practices, inclusive of the 17 Level 1 practices.

Feeling overwhelmed with the intricacies of the different levels? Don’t worry. A trusted service provider like AWA can assist you in achieving CMMC compliance and guide you through the process.

How Can AWA Help You Become CMMC Compliant?

As industry leaders in the CMMC domain, our team specializes in guiding government vendors and contractors through CMMC audit readiness, compliance, and certification.

We offer customized gap assessments, policies, and processes designed to meet the specific CMMC requirements for your organization, ensuring compliance and enhancing your cybersecurity posture.

Here’s how we can help:

  • Certified IT experts conduct thorough CMMC assessments
  • We offer a range of penetration testing services to bolster cybersecurity
  • Comprehensive gap assessments pinpoint vulnerabilities for effective remediation

Ready to find out what your CMMC compliance requirements are? Click here to speak with a specialist today!


About The Author

CISSP - Certified Information Systems Security Professional
CEH - Certified Ethical Hacker
CISM - Certified Information Security Manager

Request a Quote

Contact AWA International to discuss the cybersecurity solutions that would best fit your organization's compliance goals.
