The Ultimate CMMC Compliance Guide & Checklist for Business

In today’s advanced digital age, data security and data privacy have become critically important.

If you are a business that currently contracts with the Department of Defense (DoD) – or plans to be a defense contractor in the future – then you need to know that the future of defense contracting lies in CMMC compliance.

The Cybersecurity Maturity Model Certification (CMMC) is a compliance framework established by the Department of Defense to verify that organizations that do business with the DoD actually implement the cybersecurity requirements their contracts already impose, rather than simply attesting to them.

Below we will cover everything you need to know about CMMC, including its requirements, practices, levels of compliance, how to get started with CMMC, and a CMMC 2.0 starter checklist.


What is CMMC Compliance?

CMMC is a cybersecurity standard that assesses and certifies the cybersecurity practices and processes of DoD contractors and subcontractors.

It was developed to enhance the protection of sensitive information handled by organizations that provide goods and services to the DoD.

CMMC defines levels of cybersecurity maturity, and the level a contract requires depends on the sensitivity of the government information you handle: Federal Contract Information (FCI) or the more sensitive Controlled Unclassified Information (CUI).

CMMC is a requirement for organizations that want DoD work (it is a DoD program, not a government-wide one), because it gives the DoD a verified answer to whether an organization meets the security requirements for handling that information.

CMMC was first introduced in January 2020 (CMMC 1.0) and was substantially restructured when the DoD announced CMMC 2.0 in November 2021, which reduced the five original levels to three and aligned the requirements with NIST SP 800-171. At its essence, CMMC is designed to ensure that organizations working in the Defense Industrial Base (DIB) meet strict security requirements.


When Is CMMC Compliance Required?

The CMMC requirements are being phased into DoD contracts over several years, with the DoD's stated plan to require the appropriate CMMC level in new DoD contracts from 2026. Check the solicitation: the required level is specified per contract.

All DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must comply with CMMC requirements to continue doing business with the DoD.

If your business is a DoD contractor or subcontractor, don’t wait on getting CMMC certified and risk your competitors gaining an edge on you.


Who Is Required To Be CMMC Compliant?

CMMC certification applies to any supplier, contractor, subcontractor, manufacturer, and even small businesses in the defense contracting supply chain.

Some likely industries that have CMMC compliance requirements include manufacturing, construction, architecture, electrical contractors, and demolition.

In a survey conducted by the National Defense Industrial Association (NDIA), “68% of respondents reported that CMMC compliance would help them win new business.”


What Are The CMMC Requirements?

CMMC requirements are drawn directly from NIST publications: Level 2 consists of the 110 security requirements of NIST SP 800-171, and Level 3 adds a subset of the enhanced requirements from NIST SP 800-172. Together they form a list of practices that must be in place to protect sensitive information from cyber threats.

These requirements are divided into three levels of increasing cybersecurity maturity (previously five levels).

Your business must achieve the right level of compliance required for the DoD contracts that you are trying to win. The practices and processes enforced by the DoD for each level are based on existing cybersecurity frameworks, such as NIST SP 800-171.

Read on to learn more about what each level contains. There is a long list of actions that must be taken for each security area, so make sure your CMMC consultant helps you create a Plan of Action and Milestones (POA&M) to track the gaps. Note that under CMMC 2.0 a POA&M is only a short-term bridge: open items must be closed within 180 days of the assessment, and the highest-weighted requirements may not be left open at all.


What Does CMMC Protect?

CMMC cybersecurity standards are designed to protect sensitive data inside the US Defense Industrial Base (DIB) supply chain: Controlled Unclassified Information (CUI), meaning unclassified information that law, regulation or government policy requires to be safeguarded; Federal Contract Information (FCI), meaning information provided by or generated for the government under contract and not intended for public release; and the contractor's own intellectual property that lives on the same systems.


What Are CMMC Practices?

CMMC practices are a set of specific security procedures that an organization is required to implement to protect its systems and data.

These practices are grouped into security domains; each domain in turn contains a set of specific practices an organization must implement to reach the desired CMMC level. CMMC 1.0 defined 17 domains, listed below. CMMC 2.0 dropped the three domains that had no counterpart in NIST SP 800-171 (Asset Management, Recovery and Situational Awareness), leaving the 14 requirement families of SP 800-171, so if you are assessing against CMMC 2.0 today, those 14 are the ones that count.

According to IBM, “In the role-based security model, a security domain represents the set of objects that users or groups can manage.” Domains are used to categorize cybersecurity best practices.


CMMC Domains (The 17 Security Domains of CMMC 1.0, with their official abbreviations):

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Asset Management (AM)

  • Identify and document assets

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

Maintenance (MA)

  • Manage maintenance

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

Physical Protection (PE)

  • Limit physical access

Recovery (RE)

  • Manage back-ups

Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code review

Situational Awareness (SA)

  • Implement threat monitoring

System and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections


Understanding CMMC Levels: A Breakdown For Businesses

The technical activities of each domain are known as practices and are distributed across the three levels of CMMC 2.0. The levels are cumulative: Level 1 is a subset of Level 2, and Level 3 is all of Level 2 plus additional requirements from NIST SP 800-172. (The figure of 171 practices that is still widely quoted comes from the five-level CMMC 1.0 model.) At a glance, here's what each level includes:

Level 1 (Foundational)

  • 17 security practices (the 15 basic safeguards of FAR 52.204-21, expressed as 17 NIST SP 800-171 requirements)
  • 6 security domains
  • Protects FCI, not critical to national security
  • Yearly: self-assessment

Level 2 (Advanced)

  • 110 security controls (all of NIST SP 800-171)
  • 14 security domains
  • Protects CUI, prioritized and non-prioritized acquisitions
  • Yearly: self-assessment (for a limited set of contracts involving CUI that the DoD designates as non-critical to national security)
  • Every three years: third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) (for most contracts involving CUI)
  • Yearly, in both cases: an affirmation of continued compliance by a senior company official

Level 3 (Expert)

  • 110 Level 2 controls plus 24 additional controls selected from NIST SP 800-172
  • The same 14 security domains as Level 2
  • Protects CUI, highest priority DoD programs
  • Prerequisite: a current Level 2 certification from a C3PAO
  • Every three years: Government-led assessment by the DoD's DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center), not by a C3PAO


What Are The 3 Levels of CMMC 2.0 Compliance?

There are now 3 levels of CMMC compliance, ranging from basic cyber hygiene practices to advanced protections against sophisticated attackers. Each level builds on the required practices and controls of the previous level.

Level 1 is the most common level by number of contractors, because it applies wherever a contractor handles only FCI. Do not assume it is enough for you, though: any contract under which you receive, create or store CUI requires at least Level 2, and that covers most engineering, manufacturing and technical services work.

The Department of Defense publishes a CMMC Level 1 Self-Assessment Guide, which focuses on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements in Federal Acquisition Regulation (FAR) Clause 52.204-21.

The 3 Levels of CMMC 2.0 Compliance Are:

CMMC Model 2.0, Level 1 (Foundational)

Basic cyber hygiene as specified in the Basic Safeguarding of Covered Contractor Information Systems (48 CFR 52.204-21). Level 1 CMMC compliance is for organizations that handle Federal Contract Information (FCI) but no CUI. At this level, organizations have implemented basic cybersecurity practices such as password management, limiting system access to authorized users, sanitizing media before disposal, boundary protection such as firewalls, and keeping software patching and malware protection up to date on all systems. Level 1 requires an annual self-assessment, with the result and an affirmation by a senior company official recorded in the DoD's Supplier Performance Risk System (SPRS).

CMMC Model 2.0, Level 2 (Advanced)

Intermediate cyber hygiene is necessary if you are bidding on DoD contracts that handle Controlled Unclassified Information (CUI), including Covered Defense Information (CDI) as defined in DFARS 252.204-7012. At this level, organizations have to implement all 110 requirements of NIST SP 800-171 and run a managed cybersecurity program: a System Security Plan, documented policies and procedures, audit logging and review, multifactor authentication, incident response, and the rest of the 14 requirement families. This positions Level 2 organizations to defend against attackers who specifically target defense suppliers. Most Level 2 contracts require a triennial assessment by a C3PAO; a limited set of contracts that the DoD designates as non-critical to national security allows an annual self-assessment instead. In either case, a senior official must affirm continued compliance annually.

CMMC Model 2.0, Level 3 (Expert)

Level 3 is currently the highest level of CMMC compliance and applies to high-priority DoD programs that handle data critical to national security. Level 3 CMMC compliance focuses on protecting information from Advanced Persistent Threats (APTs). At this level, organizations must first hold a Level 2 certification from a C3PAO, then implement the additional requirements drawn from NIST SP 800-172, and submit to a government-led assessment every three years conducted by the DoD's DIBCAC rather than by a C3PAO.

Before committing to a level, consult with a CMMC compliance expert to determine the appropriate CMMC level for your business based on the current defense contracts you have and the future projects you want to bid on.


How To Prepare For CMMC

Wondering how your business can get started with CMMC compliance? Preparing to get CMMC certified can seem overwhelming and expensive at first. Although we won't be covering the costs of CMMC compliance in this blog, be sure to budget for them when preparing for CMMC.

Preparing for CMMC certification can take 6 months to over a year. We suggest you consult with a CMMC certification company to guide you along your CMMC certification journey, and we advise against trying to do it entirely on your own, especially if you have never implemented robust cybersecurity protections for your organization before now.

Neal Juern, CEO of Juern Technology encourages businesses to leverage their existing cybersecurity frameworks. Neal says, “Businesses looking to get CMMC certified should look at the existing cybersecurity frameworks they comply with and leverage those federal frameworks to achieve CMMC compliance. There are many overlapping requirements as CMMC was developed through existing cybersecurity frameworks including NIST and RMM.”

Moreover, working with a CMMC expert to implement the right cybersecurity solutions the first time helps you avoid expensive setbacks, including a failed initial assessment.

Here are 3 easy steps to prepare for CMMC:

  1. Determine if you want to bid on government contracts now or in the future.
  2. Contact a qualified CMMC Certification Company to help guide you. DON’T do it alone.
  3. Work in collaboration with your CMMC expert to determine your level of CMMC needed.


CMMC 2.0 Compliance Roadmap

Don’t know where to start with CMMC? Here is a CMMC checklist of steps businesses should take to achieve CMMC compliance with the help of a qualified CMMC consultant.

CMMC Checklist/Roadmap

  • Determine the appropriate level of CMMC for your business
  • Identify stakeholders
  • Identify key data, business processes, and technology, and scope the systems where FCI and CUI actually live
  • Conduct a gap assessment against the requirements for your level and validate your self-assessment
  • Create an implementation plan with discrete projects to close each POA&M item
  • Train employees on CMMC requirements
  • Implement the security controls
  • Continue ongoing monitoring and risk management to maintain compliance
  • Begin regular risk management meetings
  • Produce and maintain the required CMMC documentation (System Security Plan, policies, procedures, and POA&M)
  • Obtain CMMC compliance at the required level

Related: The CMMC 2.0 Starter Checklist for DoD Contractors

Take The Hassle Out Of CMMC Compliance with Juern Technology's Proven CMMC Certification Process.

Achieving CMMC compliance will soon become a contract requirement for businesses that want to work with the US Department of Defense (DoD).

If you’re a business owner looking to get and stay CMMC compliant, it’s essential to work with experts in the field. Juern Technology’s team of certified CMMC experts can guide you through the entire process.

Contact us today to schedule a free CMMC Consultation and take the first step toward meeting CMMC requirements and winning more government contracts. Call us at (210) 245-6900 to get started.