

Navigating the Cybersecurity Maturity Model Certification (CMMC): A Crucial Step for Defense Contractors

In an increasingly digital world, cybersecurity has become a top priority for organizations across all sectors. However, for those involved in the defense industrial base (DIB), ensuring robust cybersecurity measures is not just a matter of best practice—it’s a mandate. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program, introduced by the United States Department of Defense (DoD), stands as a pivotal framework to fortify the cybersecurity defenses of organizations handling sensitive government information.

Understanding CMMC 2.0

The CMMC 2.0 program represents a unified standard for implementing cybersecurity across the defense industrial base (DIB). It is designed to enhance the protection of controlled unclassified information (CUI) and federal contract information (FCI) within the DIB supply chain. CMMC 2.0 moves away from the earlier model in which contractors simply self-attested to their security posture, adding a tiered approach to cybersecurity maturity in which the required controls, and the type of assessment that verifies them, are commensurate with the sensitivity of the information a contractor or subcontractor handles.

CMMC 2.0 consists of three maturity levels, each building upon the requirements of the previous level:

Level 1: Foundational

This level applies to companies that handle Federal Contract Information (FCI) but not CUI. It is based on the 17 practices derived from the basic safeguarding requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These controls protect contractor information systems and limit access to authorized users.

Level 2: Advanced

This level applies to companies working with CUI. It requires companies to implement and maintain all 110 security requirements in NIST SP 800-171, developed by the National Institute of Standards and Technology (NIST) to protect CUI in nonfederal systems.

Level 3: Expert

This level is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD's highest priority programs. The DoD is still finalizing the specific security requirements for Level 3 (Expert) but has indicated that they will consist of the 110 requirements of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172, for a total of 130 controls. These 130 controls align with the same 14 control families used in NIST SP 800-171, with the 20 additional controls coming from NIST SP 800-172.

Who Needs to Comply?

Any organization or entity seeking to participate in DoD contracts will eventually need to comply with CMMC 2.0 requirements. This includes prime contractors, subcontractors, suppliers, and anyone else in the DIB supply chain who handles controlled unclassified information (CUI) or federal contract information (FCI). Compliance with CMMC 2.0 is essential not only for securing contracts but also for safeguarding sensitive government information and ensuring national security interests.

In conclusion, the Cybersecurity Maturity Model Certification CMMC 2.0 program represents a critical milestone in bolstering the cybersecurity resilience of the defense industrial base. Compliance with CMMC requirements is not just a legal obligation; it’s a strategic imperative for organizations seeking to participate in DoD contracts and uphold national security interests. Early compliance with CMMC is not only advantageous but essential for maintaining a strong foothold in the defense contracting arena and contributing to the overall security posture of the nation.

A CMMC Third-Party Assessment Organization (C3PAO) will need to conduct the majority of Level 2 assessments. McKonly & Asbury plans to begin performing those CMMC assessments in 2025; exact dates will not be known until the final rule for CMMC 2.0 is approved. For more information on these services please visit our Cybersecurity Maturity Model Certification Service page and contact our team with any questions.

About the Author

Michael Murray

Mike joined McKonly & Asbury in 2022 and is currently a Senior Consultant with the firm. He is a member of the firm's Internal Audit Segment, serving clients in the government and commercial segments.
