CMMC Certification Guide

Ensure You Will Keep & Grow Your DoD Business

Your Guide to Successful CMMC Certification

- Achieve NIST 800-171 Provable Conformance -
- Protect CUI -
- Be Irresistible to Your Prime's Capture Team -
- Be Ready for Your CMMC Certification Audit -
- Grow Your Business! -


The DoD and the CMMC-AB continue to offer more guidance and details on how the CMMC will roll out.

Keeping confidential government/military information secure from prying eyes is critical to our national sovereignty and economy.

Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.

The self-attestation approach hasn’t worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DOD) and other government agencies to mandate a higher level of attestation; the Cybersecurity Maturity Model Certification (CMMC).

It would be presumptuous for us to call ourselves CMMC experts. We are, however, experts at developing and managing information security and privacy management systems that comply with government and industry regulations. We have helped organizations ranging from $500K to $3B comply with DFARS clause 252.204-7012 and NIST SP 800-171 which cover 110 of the 130 controls required for CMMC Level 3 certification. So, while CMMC is a new certification scheme — the process of preparing for CMMC certification isn’t new to us.

The Stakes are High… Make Sure You Have the Chips to Stay in the Game

CMMC certification will be an absolute requirement to win DoD RFPs and/or have a contract awarded. For many SMBs impacted by the CMMC, DoD contracts make up a substantial percentage of their revenue—making CMMC certification a “go big or go home” proposition.

CMMC Compliance Can Make You Stronger

We believe there is a Darwinian element to CMMC. Those organizations that can “adapt” to the new reality will not only survive, but are likely to prosper by taking business from those that can’t adapt. Be the pigeon, not the dodo.

New to the CMMC? Let’s get you up to speed quickly

The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity standard for US Department of Defense (DoD) suppliers. The CMMC will impact more than 300,000 companies in the US Defense Industrial Base (DIB).

The CMMC is important because many DoD contractors are currently vulnerable to attack. Breaches of intellectual property across the DIB have and continue to reduce US defense superiority and threaten our national security.

First released in January 2020 after several years in development, the CMMC requires DoD contractors to undergo independent, third-party audits. Compliance is measured against one of the five levels in the CMMC’s “maturity model,” which align with the specific maturity level mandated in each new DoD contract.

What is CMMC Certification?

The CMMC certification process assesses the cybersecurity posture of DoD contractors through third-party audits. The audit process is intended to verify that a company’s security controls, policies and procedures comply with DFARS requirements and the CMMC standard at the contractually mandated level. The CMMC’s goal is to improve the protection of sensitive data in contractors’ systems, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

The security assessment program that the CMMC replaces allowed businesses to self-attest their compliance with the NIST SP 800-171 standard per the Defense Federal Acquisition Regulation Supplement (DFARS) as specified in their DoD contracts. Unless explicitly requested to do so, DIB companies were not required to provide evidence of compliance. This perpetuated security vulnerabilities and resulted in significant data breaches, operational interruptions and intellectual property theft at a cost of at least $300 billion per year.

The CMMC was developed in collaboration with university research centers, federally funded R&D centers and industry experts. It unifies several existing security standards into one comprehensive framework, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, FISMA and AIA NAS9933.

Why is CMMC Certification Important?

The CMMC is business-critical for DIB suppliers because they will soon need to achieve CMMC certification at one of the five CMMC levels to participate in DoD contract awards.

The CMMC will gradually replace the DoD’s current cybersecurity compliance program, based on the DFARS, which began in 2015. This outdated approach mandates compliance with NIST 800-171 for all contractors, regardless of the type and volume of data they handle.

Many contractors, especially SMBs with limited resources, have been challenged to comprehend the NIST 800-171 requirements, let alone implement them. Others have either outsourced their compliance programs or employed significant expertise to sustain compliance in-house.

Overall, NIST 800-171 compliance has been lax, though the DoD has endeavored to make compliance a competitive advantage in the contract award process. Moreover, the DoD has stepped up DFARS enforcement: in 2019 it fined suppliers that had falsely claimed to be compliant over $250 million under the False Claims Act.

The core issue that the DoD is looking to address with CMMC certification is companies falsely claiming compliance with its cybersecurity guidelines, whether intentionally or out of ignorance. By achieving CMMC certification, DoD suppliers will verifiably have appropriate cybersecurity processes and controls in place. CMMC also gives companies a way to assess the maturity of their current environment, as well as a roadmap for how to progressively improve their security postures.

Who Must Achieve CMMC 2.0 Certification?

Any organization—prime contractor or subcontractor—that participates in DoD contracts will need to achieve some level of CMMC certification in the next 9 to 24 months. Those that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI) will need CMMC Level 1 (Foundational) certification. Even companies that provide nontechnical services like custodial services will need to demonstrate CMMC Level 1 compliance, since by definition they handle FCI.

Businesses that handle CUI will need to be certified to at least CMMC Level 2, which directly corresponds to the “security maturity” already mandated by NIST 800-171 and the DFARS 7012 clause. Companies that “solely produce Commercial-Off-The-Shelf (COTS) products” purchased as part of a DoD contract do not require a CMMC certification, according to the DoD.

Companies like major prime contractors that handle the most sensitive non-classified information will be required to achieve CMMC 2.0 Level 3, formerly Level 5. Requirements for Level 3 are still TBD.

What are the CMMC 2.0 Certification Levels?

CMMC 2.0 organizes cybersecurity preparedness controls and processes into three maturity levels, which protect against progressively higher levels of risk to FCI and/or CUI. Each level incorporates the preceding levels; for example, attaining CMMC Level 3 certification means compliance with CMMC levels 1 and 2.


Here are brief descriptions of the three CMMC levels:


Foundational (Level 1) focuses on protecting FCI. It includes only 17 practices as specified in 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These include fundamental controls like using up-to-date antivirus software and providing staff with cybersecurity awareness training. Note that if you are subject to a FAR 52.204-21 clause in one or more contracts today, you are already responsible for implementing these controls.

Advanced (Level 2) focuses on protecting CUI. It includes all the 110 controls specified in NIST 800-171. To gain CMMC Level 2 certification, a business must show that it has documented and is actively managing cybersecurity policies and processes in alignment with an established plan. Organizations that are compliant with NIST 800-171 today should not find CMMC Level 2 certification to be a big hurdle.

Expert (Level 3) focuses on protecting CUI from multi-vector, state-of-the-art Advanced Persistent Threats (APTs) mounted by government-sponsored hackers. It requires the demonstrable ability to audit, optimize and standardize cybersecurity controls and processes. Demanding a robust security posture, CMMC 2.0 Level 3 will incorporate a to-be-determined set of additional controls from NIST 800-172, “Enhanced Security Controls,” which defines 35 controls beyond NIST SP 800-171. This will be a challenging level for many SMBs to meet with in-house staff and expertise.

What are the CMMC 2.0 Control Domains?

Until changes are announced, which seems likely given realignment with NIST 800-171, the CMMC 2.0 model still defines 17 control domains. Many of these are derived from NIST 800-171 and the associated security areas in Federal Information Processing Standards (FIPS) Publication 200 plus three additional domains (Asset Management, Recovery and Situational Awareness).

The 17 CMMC control domains are:

  1. Access Control—who has access to your systems (including remote access) and what are their roles and limitations?
  2. Asset Management—Can you locate, identify and inventory your assets?
  3. Audit and Accountability—Can you track the users who have access to your CUI, so they are accountable for their actions?
  4. Awareness and Training—Do all staff have security awareness training?
  5. Configuration Management—Do you have configuration baselines for your systems so you can gauge their effectiveness?
  6. Identification and Authentication—Does your organization have properly defined roles with appropriate data access levels, including processes for reporting and accountability?
  7. Incident Response—Do you have an Incident Response Plan that documents how you will detect, report and respond to incidents, including post-incident analysis?
  8. Maintenance—Do you have procedures in place to maintain and operate your cyber controls?
  9. Media Protection—Is your media identified and marked for quick access, and do you have media protection, transportation and disposal protocols in place?
  10. Personnel Security—Have staff been properly screened, and do you have controls in place to protect CUI during staff turnover?
  11. Physical Protection—Do you have provably adequate physical security protecting your assets?
  12. Recovery—Do you have a robust, tested process for making and logging backups to protect your sensitive data from data loss and damage?
  13. Risk Management—Do you have a process to periodically identify and assess risks to your FCI and/or CUI, including vendor-related risks?
  14. Security Assessment—Do you have a system security plan in place?
  15. Situational Awareness—Do you have a threat monitoring system in place?
  16. System and Communications Protection—Do you have verifiable control of communications at system boundaries?
  17. Systems and Information Integrity—Can you effectively monitor your environment to identify and mitigate vulnerabilities and flaws?

How Will Your Company Get CMMC Certified?

As announced recently under CMMC 2.0, the CMMC v1 pilot program is suspended. Those companies that are required to undertake a certification audit under the new CMMC 2.0 program will need to engage a Certified Assessor (CA) working for a Certified 3rd-Party Assessor Organization (C3PAO). The CMMC Accreditation Body (CMMC-AB) still authorizes C3PAOs to schedule and conduct assessments for Organizations Seeking Certification (OSCs), though the DoD has announced that it will increase oversight of C3PAOs and the CMMC-AB itself going forward.

Since CMMC 2.0 certification will be a prerequisite for contract award, DIB companies that need to handle CUI should prepare now by achieving verifiable compliance with NIST 800-171. This will prepare you for a certification audit or self-attestation of compliance with CMMC Level 2.

If you don’t anticipate that your business will receive CUI as part of any contract you are competing for, you should prepare now to self-attest to compliance with the 17 controls defined in 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These are the controls required for compliance with CMMC Level 1 (Foundational).


While you cannot currently undergo a CMMC 2.0 assessment, you can begin taking steps to choose a C3PAO and plan an assessment for the future. You can also connect with a Registered Provider Organization (RPO) to engage a Registered Practitioner and advance your security program to set you up for successful CMMC certification. The DoD strongly encourages its suppliers to assess their CMMC readiness and enhance their cybersecurity postures while CMMC 2.0 rulemaking is underway.

Once CMMC 2.0 is fully in place, the DoD will have access to information and data related to assessments, including a company’s assessment results and final report. The DoD will store all self-assessment results in its Supplier Performance Risk System (SPRS) database. CMMC certificates and associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database, and a copy of a company’s CMMC certificate will automatically post to SPRS. Details of a company’s CMMC assessment will not be made public.

What is the Current Timeline for the CMMC 2.0 Rollout?

According to current DoD guidance, implementing the CMMC 2.0 changes will require 9-24 months of rulemaking, to be completed between August 2022 and November 2023. The DoD is seeking changes to both Part 32 of the Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the CFR. Both these rule changes will include a public comment period.

Once the rulemaking is complete, CMMC 2.0 will become a contract requirement. DoD has not yet shared any plans for a phased rollout, which could mean many DIB suppliers will need to prove compliance sooner than under CMMC v1.

When Do You Need to Be Ready for a CMMC 2.0 Audit or Self-Assessment?

While full enforcement of the CMMC 2.0 framework is still nine or more months away for most DIB companies, you should take steps immediately to become familiar with CMMC technical requirements and assessment programs. Many suppliers will need to invest significant time and effort (six months in many cases) to evaluate their current security postures and prepare for CMMC assessment at Level 2 or above.

Here are some commonsense steps your business can take now to help ensure a smooth CMMC certification process:

  • Determine what CMMC 2.0 level you will eventually need to attain.
  • Review the technical requirements for that level.
  • If you handle CUI, begin aligning your current environment with NIST 800-171, as this is mandated by the DFARS 7012 clause in current contracts and the DoD may ask you to demonstrate compliance at any time. Further, this will position you to quickly achieve CMMC Level 2 certification.
  • Connect with a trusted third-party information security consultant to get support for CMMC 2.0 planning, gap assessment and implementation if you plan to outsource some part of the process.
  • Check in with relevant vendors (e.g., email and file sharing service providers, cloud service providers) on their CMMC 2.0 and NIST 800-171 compliance status.
  • Conduct a CMMC 2.0 “readiness assessment” and/or “gap analysis” so you can prioritize next steps leading to a “remediation plan” or compliance roadmap.
  • Begin documenting your cybersecurity practices and policies as you’ll need to do this eventually if you handle CUI.
  • Start planning your budget for CMMC certification, including consulting fees, internal resourcing, software purchases, internal/external audit costs, etc.
  • Stay current with news and DoD announcements about the CMMC 2.0 requirements, rulemaking and rollout by checking online sources like the CMMC FAQ page and the CMMC-AB site.


Because primes are already looking at CMMC 2.0 and NIST 800-171 compliance when choosing capture teams, companies that are slow to respond to CMMC and/or fail to achieve certification based on their first assessment may be unable to participate in contracts or offer products and services to the DoD for some period of time.

Now is the time to get familiar with CMMC requirements, connect with compliance experts and start aligning your cybersecurity controls and policies with the CMMC 2.0 framework if you haven’t already done so. While CMMC Level 2 certification will be nontrivial for many DoD suppliers that are not working towards NIST 800-171 compliance already, the process will support adoption of cybersecurity best practices that all businesses must have in place today to assure customers, management and other stakeholders that they can protect sensitive data.


What are the Chances that You will Need a Third-Party CMMC 2.0 Assessment?

According to David McKeown, the DoD’s Chief Information Security Officer, about 40,000 companies will require a third-party assessment under CMMC 2.0. This is roughly 80% of the number of companies originally estimated to need a CMMC Level 3 certification under CMMC v1. Based on that guidance, if you handle CUI and will seek CMMC 2.0 Level 2 certification, chances are good (significantly better than 50/50) that your contract will mandate a third-party assessment.


Can You Participate in a Contract without Being CMMC 2.0 Certified?

Prior to CMMC v1, which eliminated them, organizations could submit Plans of Action & Milestones (POAMs) as part of their NIST 800-171 self-assessments under DFARS 7012. The intent of POAMs was to demonstrate that you had a plan and schedule for implementing the missing controls. The downside was that POAMs would reduce your self-assessment score in the DoD’s SPRS database.

With CMMC 2.0, POAMs are back, but in a more limited form. Now you will need to fully implement all the highest rated NIST 800-171 controls, based on the SPRS point system, prior to your assessment. DoD will also announce a minimum SPRS score that you must meet or exceed to achieve an “interim” CMMC 2.0 certification with POAMs. Beyond that, you may be able to use “time-bound and enforceable” POAMs to extend your timeline for implementing some of the less critical controls.

It’s likely that an interim CMMC 2.0 certification with POAMs will be good only for 6 to 12 months. If your POAMs aren’t resolved within that window, your interim certification will expire and your contracting officer may terminate the contract for default.

Another potential path to contract participation without CMMC 2.0 certification is the announced waiver process. In rare instances where the DoD deems a contract mission-critical but the supplier cannot achieve CMMC 2.0 compliance in time, a senior DoD official can waive the entire CMMC requirement for a set (and most likely brief) time period. A probable assumption is that any firm that obtains a waiver will then be subject to a third-party assessment. Another supposition is that waivers will most commonly apply at the highest maturity level, CMMC Level 3.