
How to prepare for CMMC

The first thing we need to consider is “How did CMMC come about?”

The first thing to emphasize is that CMMC is not new. It has been around since 2017. CMMC has undergone a litany of modifications over the years, ranging from basic to complex. The program has received a lot of opposition, with many organizations reluctant to embrace change. However, on December 16, 2024, 32 CFR Part 170 was ratified by the US Congress and made the law of the land for the Department of Defense and its supply chain.

What does this mean for the Defense Industrial Base (DIB)? 32 CFR Part 170 establishes the CMMC program for the Department of Defense. It outlines the requirements for defense contractors and subcontractors to implement cybersecurity standards for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 32 CFR Part 170 officially creates the CMMC program within the DoD, providing a standardized framework for cybersecurity. It specifies the different levels of CMMC certification, from one to three. The rule details how compliance is monitored and how non-compliance will be addressed. It aligns with existing standards: NIST SP 800-171 r.2 and NIST SP 800-172. It sets the stage for how assessments of contractor cybersecurity practices will be conducted, including self-assessments and third-party assessments. Finally, 32 CFR Part 170 establishes accountability for companies that misrepresent their cybersecurity practices or violate reporting obligations.

What are the considerations for the future state of CMMC?

To properly prepare for CMMC, organizations must understand and comply with 32 CFR Part 170 along with 48 CFR, which is trailing 32 CFR. The release of 48 CFR was expected in Q2 of 2025, but with the change in the Executive Branch in January of 2025 certain delays were inevitable. It is now commonly accepted that the 48 CFR rule will be in effect in the September to October period. This will open the door to the following actions:

  • Mandatory CMMC Certification
    • The 48 CFR rule mandates CMMC certification as a prerequisite for winning DoD contracts. This is a significant change from previous regulations, where CMMC compliance was often optional or not explicitly required.
  • Flow-Down Requirements
    • The rule includes a "flow-down" requirement, meaning that CMMC compliance must extend from prime contractors to all subcontractors within the supply chain. This ensures that all parties handling sensitive information meet the required security standards.
  • Impact on Contracts
  • Consequences of Non-compliance
    • Failure to comply with the 48 CFR rule and obtain the necessary CMMC certification will likely result in the inability to win or maintain DoD contracts.
  • Scope of Impact
    • The 48 CFR rule affects contractors and subcontractors working with the DoD, including those processing, storing, or transmitting FCI or CUI. This includes businesses involved in various aspects of the defense supply chain, such as IT service providers and software developers.

Essentially, the 48 CFR rule will strengthen cybersecurity within the defense industrial base by making CMMC certification a standard requirement for contractors and subcontractors. This will eliminate the ambiguity that many organizations leverage to avoid complying with the CMMC Framework. It is more imperative now than ever before to protect the intellectual property of the United States of America, and ultimately the safety of the American military. CMMC has been developed to ensure the ongoing safety of the United States.

What is Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) was created to assess and strengthen the cybersecurity posture of Department of Defense (DoD) suppliers who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC consists of 14 domains (e.g. Incident Response, Access Control, Media Protection, etc.). Each domain consists of objectives, with 320 in total. Those already familiar with NIST SP 800-171 security requirements will recognize a high degree of overlap between the CMMC body of control practices and the 110 NIST SP 800-171 objectives. This overlap often prompts the question, “How is CMMC different from NIST SP 800-171?”

How is CMMC different from NIST SP 800-171?

CMMC differs from NIST SP 800-171 in two basic ways. First, CMMC also incorporates control practices from NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2, amongst others. Second, CMMC goes beyond a self-assessment approach to assurance and requires certification by an accredited Third-Party Assessor.

What are the CMMC maturity levels?

It is important to understand CMMC’s maturity level model. CMMC establishes three maturity levels. Level 1 protects Federal Contract Information (FCI). There are 17 practices that represent Level 1. Those practices produce a maximum Supplier Performance Risk System (SPRS) score of 63. Level 1 is the only level that can be self-attested to. While this can be accomplished internally, it is highly recommended that Organizations Seeking Assessment (OSAs) solicit expert assistance on their first self-attestation.

Level 2 protects FCI and Controlled Unclassified Information (CUI). This level includes 110 practices to protect CUI (with 320 objectives as subsets) that are identical to the 110 controls of NIST SP 800-171. These controls produce a Supplier Performance Risk System (SPRS) score of 110. Level 2 is a complex and rigorous standard that should be developed with the help of subject matter experts (CMMC Certified Professionals and CMMC Certified Assessors).

Finally, Level 3 involves expert cybersecurity practices. This level includes a subset (24 practices) from NIST SP 800-172. These assessments are conducted solely by the Department of Defense (DoD). The final guidance on Level 3 is still being developed and has not been implemented at the time of this writing. Level 3 is subject to change, but it will be more stringent than any other requirement in the cybersecurity space for the defense industrial base supply chain.

What level of CMMC does my organization need to meet?

As organizations familiarize themselves with the three CMMC maturity levels, the inevitable question becomes, “What is the appropriate level we should align our practices with?” The definitive answer to that question will be provided by the DoD in their Requests for Information (RFIs) and Requests for Proposals (RFPs). In the absence of active RFIs and RFPs, consider the nature of the data your organization intends to handle in its engagements with the DoD. If your organization only plans to handle FCI, Level 1 certification is sufficient, since that level is designed to meet 48 CFR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems. To handle CUI, an organization will need to achieve Level 2 certification. Finally, organizations that will need to achieve Level 3 certification will be informed by the DoD.

After identifying the targeted maturity level, you need to assess the complexity of your organization to gauge the level of effort required to be certified at that level. Aspects of your organization that you should consider include the size of your workforce, the number of locations, your organizational structure (e.g. single entity or parent/subsidiaries), the design of the infrastructure where the CUI is to be processed and the use of third parties. Some organizations are so complex that it may be easier to spin off a separate line of business dedicated to DoD work where more stringent information security practices are implemented, rather than try to elevate the practices of the entire organization.

Creating a plan of action for CMMC compliance

Given the complexity of CMMC, establishing a CMMC compliance program can feel overwhelming. By taking a methodical approach and developing a solid plan, this burden can be greatly reduced.

The first step in this journey is to identify the maturity level your organization will target (or knows will be required). Once you have this, review the required practices of each domain for that level and begin an assessment of your organization’s current practice against these requirements. Start with assessing the design of your current controls against CMMC specifications by reviewing your existing policies and procedures. If your organization has already aligned its practices to NIST SP 800-171, leverage the output of prior audits against that framework. Identify gaps in this documentation, update where needed, and notify appropriate parties of relevant changes to policies and procedures. After implementing changes to fill gaps, conduct an internal audit to assess the efficacy of your controls in meeting CMMC requirements. Capture findings, update policies and procedures, and then reassess them.

The most effective way to conduct the above-mentioned internal assessment is with a GRC software tool. There are many solutions in the marketplace and our recommendation is for you to choose the one that meets your needs and budgetary requirements (we are happy to advise you on this decision). Utilizing a GRC software tool will allow you to build a foundation of proof and create an ongoing record of compliance. This is the core requirement of CMMC, and it is right there in the center of the name “Maturity Model”.

If your organization does not have the experience necessary to tackle this problem or the bandwidth necessary to build and execute this plan of action, LRQA is at your disposal. We have the resources, experience, and SME knowledge necessary to guide your organization along this cybersecurity journey.