CMMC Compliance: Understanding the Requirements

The Cybersecurity Maturity Model Certification (CMMC) is a program designed and overseen by the United States Department of Defense (DoD). It sets criteria for measuring the cybersecurity capabilities of defense contractors. In essence, CMMC standardizes how cybersecurity readiness is verified during defense contract acquisition, ensuring that contractors are prepared to handle the sensitive data that flows through government and military contracts, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Thus, CMMC compliance is vital for any contractor that works (or plans to work) with the U.S. Department of Defense.

Naturally, this raises a few important questions about the nature of Cybersecurity Maturity Model Certification. Namely, what constitutes CMMC compliance? What are the different levels of certification? Finally, what are the 17 domains assessed during CMMC audits?

What is CMMC Compliance?

The standards within the CMMC program apply to all contractors and entities within the Defense Industrial Base (DIB). Every defense contractor must achieve the CMMC level specified in a solicitation in order to be awarded that DoD contract, and the requirement flows down to subcontractors that handle the same information. This way, sensitive information shared within the scope of a DoD project is protected at every tier of the supply chain, from a prime contractor's accounting department down to its subcontractors.

In order to achieve CMMC compliance, you must pass an assessment by an authorized CMMC assessor. Whereas many commercial cybersecurity certifications can be obtained from any of a wide range of third-party firms, CMMC assessments must be performed by CMMC Third-Party Assessment Organizations (C3PAOs) that are accredited by the CMMC Accreditation Body (CMMC-AB) and listed on the CMMC-AB Marketplace. An assessment performed by an unauthorized auditor carries no weight for CMMC purposes. Moreover, under the CMMC model described here, defense contractors cannot "self-certify" to a level; the certification comes only from the C3PAO's assessment.

While the standards will continue to evolve with changing technologies and cybersecurity concerns, CMMC builds on the existing DFARS 252.204-7012 clause, which already obliges contractors that handle Covered Defense Information to implement NIST SP 800-171 and to report cyber incidents. What CMMC adds is verification: under DFARS 252.204-7012 a contractor self-attested to its NIST SP 800-171 implementation, whereas CMMC requires an independent assessment against a defined maturity level before a contract can be awarded.

CMMC Levels & Basic Domain Requirements

So, what do all of these terms and regulations actually mean for contractors in need of CMMC compliance? Like most cybersecurity standards, compliance for defense contractors is not black and white. There are several CMMC levels, each reflecting an assessed contractor's ability to receive, store, and manage sensitive data, and each solicitation states the level a contractor must hold. Under the original CMMC model described in this article there are 5 levels, often called "maturity levels," each combining a set of required practices with a required degree of process maturity. (The DoD's later CMMC 2.0 revision collapsed these five levels into three and dropped the process-maturity requirements; check which version a given solicitation references.) The five levels are:

CMMC Level 1 — "Basic cyber hygiene," process maturity "Performed." Level 1 indicates that your organization performs the 17 practices that correspond to the basic safeguarding requirements of 48 CFR 52.204-21 (the FAR clause for protecting Federal Contract Information). No documentation of processes is required at this level, and Level 1 covers FCI only, not CUI.

CMMC Level 2 — "Intermediate cyber hygiene," process maturity "Documented." Level 2 indicates that an organization performs 72 practices, including a subset of the NIST SP 800-171 requirements, and has documented policies and procedures describing how each practice is implemented. Level 2 is a transitional stage between Level 1 and Level 3 rather than a level that contracts typically require on its own.

CMMC Level 3 — "Good cyber hygiene," process maturity "Managed." Level 3 indicates that an organization implements, documents, and maintains a resourced plan for all 130 required practices: the 110 requirements of NIST SP 800-171 plus 20 additional practices that mitigate further threats. Level 3 is the minimum level for contractors that handle CUI.

CMMC Level 4 — "Proactive," process maturity "Reviewed." Level 4 indicates that the organization implements 156 practices, adding 26 practices aimed at detecting and responding to the changing tactics of advanced persistent threats (APTs), and that it periodically reviews and measures the effectiveness of its practices and corrects any deficiencies found.

CMMC Level 5 — "Advanced/Progressive," process maturity "Optimizing." Level 5 indicates that the organization implements 171 practices, adding 15 more APT-focused practices, and that its security processes are standardized and continuously improved across the entire organization rather than only within individual units.

These levels are directly tied to how much sensitive information an organization handles: Level 1 suffices for FCI, while any contractor that receives, stores, or transmits Controlled Unclassified Information (CUI) needs at least Level 3. CMMC does not prescribe particular products or architectures for protecting CUI. Instead, the program organizes its practices into 17 domains (each containing capabilities, practices, and processes) against which defense contractors build and assess their cybersecurity programs on the way to CMMC compliance:

  1. Access Control
  2. Asset Management
  3. Audit & Accountability
  4. Awareness & Training
  5. Configuration Management
  6. Identification & Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System & Communications Protection
  17. System & Information Integrity

The Bottom Line

The DoD has strict standards when selecting defense contractors for various projects. Without the CMMC level a solicitation calls for, your organization cannot be awarded that contract, which puts you at a serious disadvantage. Achieving CMMC compliance requires a comprehensive, documented cybersecurity program that protects and manages FCI and CUI across all 17 domains, followed by an assessment from an accredited C3PAO. So, if you need help crafting a plan and implementing cybersecurity procedures for CMMC compliance, feel free to reach out to the experts at Security Rangers today!