CMMC Explained: Unpacking the U.S. Defense Community’s New Cybersecurity Goals
Table Of Contents:
Cybersecurity has become a critical concern in the defence industry, with increasing threats targeting sensitive information and critical infrastructure. That’s where the Cybersecurity Maturity Model Certification (CMMC) comes in. It’s a framework for defence contractors to implement cybersecurity measures, protecting themselves and the U.S. Department of Defense’s supply chain. But how does it work, and how do you comply with it?
First announced in June 2019, the CMMC framework is ambitious. In 2020, the DoD released version 1 of the framework, and a Presidential interim rule established a five-year phase-in period for defence contractors to gain compliance.
Compliance involves navigating a matrix-style framework structured around 17 cybersecurity domains that originally spanned five maturity levels. The domains each encompass a broad range of security practices, ranging from access control and asset management through identification and authentication and incident response to system and information integrity. The framework details specific practices in each domain corresponding to certification at each maturity level.
Each of the framework’s maturity levels builds on the one underneath it, creating a pathway for defence contractors to mature their cybersecurity practices.
Revisions To The Framework
As you might expect, given that they both come from the federal government, CMMC is closely related to another security standard: the NIST SP 800-171 standard for protecting controlled unclassified information (CUI) in non-federal systems and organisations. Federal Acquisition Regulation (FAR) and Defence Federal Acquisition Regulation Supplement (DFARS) rules (which dictate what federal and defence contractors must do before they can work with the Federal government) dictate compliance with NIST SP 800-171.
One key advantage of the original CMMC over NIST SP 800-171 was that while the latter relies on self-attestation for compliance, CMMC 1.0 mandated third-party assessments to verify implementation. However, in March 2021, the DoD announced an internal review of CMMC, which resulted in an updated version, CMMC 2.0, that November. This revision was a response to industry feedback that asked for a reduced compliance cost (especially for small businesses), along with better alignment with other standards.
CMMC 2.0 reduced the number of maturity levels to three (Foundational, Advanced, and Expert). It also lowered costs by introducing self-assessments for the Foundational level and some requirements of Advanced. Other changes designed to soften the impact on businesses included provisions for waivers, along with plans of action and milestones (POA&Ms). Waivers allow companies to ask for temporary exemptions from CMMC in specific circumstances, while POA&Ms let them set goals with timelines for bridging compliance gaps.
In the streamlined CMMC 2.0, NIST SP 800-171 requirements kick in at level two, while level three includes some SP 800-172 requirements.
How Can You Comply with CMMC?
Right now, compliance with CMMC 2.0 isn’t a contractual requirement because rule-making for that update still needs to be completed. That is expected to take up to two years. The DoD published its proposed rule for CMMC in December 2023, with a 60-day consultation period. The rule will come into effect on October 1 2026, so it’s smart to start now.
Begin by defining the CMMC level you’re shooting for. These cover different kinds of information. The Foundational level covers Federal Contract Information (FCI). Advanced is for organisations aiming to handle CUI, controlled defence, controlled technical information, or export-controlled data. Expert certification allows you to carry critical, controlled, unclassified information and also applies to those working on sensitive projects in aerospace or military domains.
Your level will determine the requirements you must meet. Foundational certification demands compliance with the requirements found in the FAR 52.204-21 (17 CMMC Practices) rule. To achieve advanced status, you’ll need to meet all 110 security controls from NIST 800-171, while Expert certification will also require compliance with a subset of NIST 800-SP 172 requirements. This standard contains enhanced requirements for protecting CUI, including mitigation measures against advanced persistent threats.
Identify the assets covered by CMMC and conduct a gap analysis to see where you currently fall short of the certification you need. Choose a managed service provider to help you with your security upgrade requirements where necessary. You must also complete a CMMC assessment, which might mean third-party evaluation depending on your chosen maturity level.
Plenty To Work On Right Now
While we wait for the CMMC deadline to arrive, there are more pressing compliance requirements. The DoD has created Defence Federal Acquisition Regulation Supplement
(DFARS) clause 252.204-7012, a recent rule that mandates cybersecurity measures for federal defence contractors. Under that rule, which is in force now, contractors must comply with all 110 security requirements from NIST SP 800-171.
Further out, expect more CMMC developments now that NIST has published the third revision of NIST SP 800-71. This ostensibly has fewer requirements than v2, but these requirements are far more significant, requiring more verification questions and more work. While CMMC 2.0 does not include NIST SP 800-71 v3 compliance, expect it in the future.
You can use existing work that you’ve done on ISO 27001 to help with these preparations. Although is a separate standard from CMMC, there is some overlap. Because CMMC is based heavily on NIST SP 800-71, you can use the ISO 27001 mapping in NIST SP 800-71 Appendix D to give you a head start on CMMC compliance.
