September 1, 2023

Reading Time: 3 minute(s)

What is CMMC Certification and What Does it Mean for Your Business?

September 1, 2023

Table of Contents

Last Updated on September 1, 2023

Cybersecurity and protection of controlled unclassified information (CUI) is a critical US Department of Defense (DoD) priority. To address longstanding security shortcomings and better enforce compliance across its supply chain, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program and assessment standard.

CMMC enforces the protection of CUI that the DoD shares with its prime contractors and subcontractors. Its intent is to increase DoD’s assurance that its suppliers’ information security controls and processes meet applicable standards and can adequately protect CUI.

3 main CMMC features

The CMMC 2.0 program has three main features:

A three-tiered model (CMMC Levels 1 through 3) that aligns security requirements with the type and sensitivity of the data an organization handles
A requirement that contractors allow the DoD or its representatives to verify their self-reported compliance with CMMC security controls
Implementation through the Defense Federal Acquisition Regulations Supplement (DFARS) 7012 clause and/or other DFARS clauses in certain DoD contracts

CMMC rollout timeline

The DoD recently completed its part of the CMMC rulemaking process. The draft rules are now with the Office of Management and Budget (OMB) for finalization, which may include one more opportunity for public comments.

Once CMMC rulemaking is complete and the program is fully implemented, DoD will require its suppliers that handle CUI or Federal Contract Information (FCI) to achieve a specific CMMC level as a condition of contract award. As of now, CMMC requirements could begin showing up in DoD contracts as soon as January 2024, and probably not later than October 2024.

What companies must achieve CMMC 2.0 certification?

CMMC 2.0 will be phased in over a three-year period. Eventually all suppliers doing business with the DoD will need a certification at the appropriate CMMC level, except those providing only commercial off-the-shelf (COTS) products. Initial contract award, continuance or renewal will depend on CMMC compliance, either self-attested or independently assessed.

The CMMC security controls are based on the NIST 800-171 security standard, which is currently undergoing a revision from Rev. 2 to Rev. 3:

Companies that handle only FCI and not CUI will need a CMMC Level 1 (Foundational) certification based on 17 controls from NIST 800-171 and validated by an annual self-assessment.
Organizations that handle CUI will need a CMMC Level 2 (Advanced) certification, which corresponds to the full set of NIST 800-171 controls. CMMC Level 2 certification will require a third-party (C3PAO) assessment every three years.
CMMC Level 3 (Expert), still under development, aims to protect the most sensitive forms of CUI from advanced persistent threats (APTs). It will be based on NIST 800-171 plus a subset of the requirements defined in NIST 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. A CMMC Level 3 certification will require an assessment every three years, possibly by a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC ) audit.

How will CMMC impact my company?

Depending on your current degree of conformance to NIST 800-171, CMMC could have a significant impact on your company’s security posture, cybersecurity risk management process, and ability to validate to customers and other stakeholders that you can keep sensitive data secure. Ramping up security controls to achieve CMMC compliance could require significant time, planning, and resources for companies with a large “delta” between current and compliant security states.

Among the biggest challenges for some companies that handle CUI will be third-party assessments to verify CMMC Level 2 compliance. Many organizations will choose to work with a Registered Provider Organization (RPO) like CBIZ Pivot Point Security to ensure they upgrade their security posture efficiently and pass their assessment and achieve CMMC compliance on the first try.

There can also be negative impacts for firms that fail to comprehensively implement CMMC in line with DoD requirements. Non-compliant businesses will not be able to bid on DoD contracts, which could result in lost revenue and business opportunities. Businesses that falsely represent themselves as compliant with CMMC or NIST 800-171 could also face significant fines under the US Department of Justice’s False Claims Act.

What’s next?

For more guidance on this topic, listen to Episode 122 of The Virtual CISO Podcast with guest Warren Hylton from CBIZ Pivot Point Security.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

What is CMMC Certification and What Does it Mean for Your Business?

3 main CMMC features

CMMC rollout timeline

What companies must achieve CMMC 2.0 certification?

How will CMMC impact my company?

What’s next?

New CMMC V2 Certification Guide

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

ISO 42001: What are the Key Elements of an AI Management System?

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

How can we help you?

Services

Compliance

Insights

Pivot Point Security