
CMMC 2.0 Certification Levels & Requirements


Jim Carlson

2025-03-10 · 8 min read


Key Takeaways

  • The CMMC framework consists of three certification levels, each with distinct security requirements and assessment processes.
  • Contractors handling Controlled Unclassified Information (CUI) must meet NIST SP 800-171 controls, with third-party or government assessments required at higher levels.
  • Maintaining compliance requires annual affirmations, adherence to assessment timelines, and proper cybersecurity documentation.

Introduction

The Cybersecurity Maturity Model Certification (CMMC) is a critical framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). With increasing cyber threats, the Department of Defense (DoD) has mandated that contractors meet specific cybersecurity standards to secure sensitive information. This guide breaks down the CMMC certification levels, assessment types, and compliance requirements to help contractors prepare for certification.

Need more context on why CMMC exists? Read our overview.

Overview of CMMC Levels

The latest version of the CMMC framework includes three levels, each with distinct cybersecurity requirements and assessment criteria.

Level 1 (Self-Assessment)

  • Purpose: Focuses on basic cybersecurity hygiene to protect FCI.
  • Requirements: 15 security practices aligned with FAR 52.204-21.
  • Assessment: Annual self-assessment with results entered into the Supplier Performance Risk System (SPRS).
  • Plan of Action & Milestones (POA&M): Not permitted.
  • Affirmation: Required annually in SPRS.

Level 2 (CUI Protection) – Two Assessment Types

  • Purpose: Protects CUI by meeting NIST SP 800-171 requirements.
  • Requirements: 110 security controls from NIST SP 800-171.
  • Assessment Options: Either Level 2 (Self), which is allowed for some contractors and requires self-assessment every three years; or Level 2 (C3PAO), which applies to most contractors and requires a CMMC Third-Party Assessment Organization (C3PAO) assessment every three years.
  • POA&M: Permitted with a 180-day closure requirement.
  • Affirmation: Required annually, submitted to SPRS.

Level 3 (Advanced CUI Protection – Government Assessment)

  • Purpose: Enhances security for high-priority DoD programs and advanced persistent threat (APT) protection.
  • Requirements: 110 security controls from NIST SP 800-171, plus 24 additional controls from NIST SP 800-172.
  • Assessment: Conducted every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • POA&M: Allowed with a 180-day closure requirement.
  • Affirmation: Required annually; the contractor must also maintain its Level 2 (C3PAO) status as a prerequisite.

Differences Between Assessment Types

1. Self-Assessments (Level 1 & Level 2 Self)

  • Conducted internally by the contractor.
  • Results recorded in SPRS.
  • Level 1 self-assessment is repeated annually; Level 2 (Self) is repeated every three years, with an affirmation submitted annually.

2. Third-Party Assessments (Level 2 C3PAO)

  • Performed by an accredited CMMC Third-Party Assessment Organization (C3PAO).
  • Required for contracts involving sensitive CUI.
  • Results stored in CMMC eMASS.

3. Government Assessments (Level 3 DIBCAC)

  • Conducted by DIBCAC for high-priority programs.
  • Evaluates additional NIST SP 800-172 controls.
  • Results entered into eMASS.

Learn how government-led assessments impact defense contracts here.

What Contractors and Subcontractors Need to Know

1. Compliance Timeline

  • CMMC implementation is phased over four years.
  • By the end of 2025, all applicable DoD contracts will require CMMC certification.

2. Flow-Down Requirements for Subcontractors

Prime Contractor Requirement | Minimum Subcontractor Requirement
Level 1 (Self)               | Level 1 (Self)
Level 2 (Self)               | Level 1 (Self) for FCI; Level 2 (Self) for CUI
Level 2 (C3PAO)              | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI
Level 3 (DIBCAC)             | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI


3. Maintaining Compliance

  • Contractors must maintain an active CMMC certification throughout the contract period.
  • Annual affirmations are required for all levels.
  • Non-compliance may result in loss of contract eligibility.

4. Preparing for Assessment

  • Develop and maintain a System Security Plan (SSP) aligning with NIST SP 800-171.
  • Conduct a gap analysis using CMMC Dashboard to identify deficiencies.
  • Use a POA&M to address temporary security gaps.
  • Work with a C3PAO (if required) for certification.

Conclusion

CMMC compliance is essential for any contractor in the DoD supply chain. Understanding the three levels of certification, assessment types, and flow-down requirements ensures readiness for upcoming contracts. Organizations should begin implementing security controls now to secure their compliance status before the 2025 deadline. Utilizing compliance tools such as a CMMC dashboard can streamline the process, helping organizations efficiently manage their security posture and certification status.
