An Introduction to CMMC Compliance

Kyle Daun
Sep 30, 2021 1:00:00 PM

On January 31st, 2020, the Department of Defense (DoD) announced the release of the Cybersecurity Maturity Model Certification (CMMC), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (DIB) as it relates to Controlled Unclassified Information (CUI) within the supply chain. The CMMC functions as a verification mechanism to ensure proper cyber hygiene is present within DIB suppliers. Cyber hygiene refers to an organization’s ability to safeguard the sensitive defense data it handles on a regular basis. These expectations were defined in the Defense Federal Acquisition Regulation Supplement (DFARS), which required organizations to self-attest to their compliance (something many DIB organizations failed to do).

DFARS outlined specific security requirements for suppliers under a self-attesting framework. The DoD stressed the importance of adopting the NIST SP 800-171 standard under DFARS in order to secure contracts, but many suppliers were not truly complying with its requirements. Instead, many falsely attested to their compliance, and security became less effective as a result. Not only did these false attestation claims slow the adoption rate, but they also elevated network risks. These non-compliant suppliers increased the risk to national security, which resulted in the DoD falling victim to several breaches. As a result, the DoD worked with the DIB sector and the CMMC was created.

Another significant difference between CMMC and DFARS is that CMMC is not a self-attesting framework. CMMC Third-Party Assessment Organizations (C3PAOs) are the entities responsible for performing audits. They hold the ability to certify an Organization Seeking Certification (OSC) at the appropriate level, meaning CMMC requirements must be actively fulfilled before certification is granted. Becoming CMMC compliant is not an easy task that can be accomplished in a short period of time. Some estimates state that it may take a minimum of six months to achieve CMMC Level 3 or higher. However, this estimate is based on assumptions, and a more conservative timeline may be between eight and twelve months, depending on the size and maturity of each organization.

Understanding that organizations will need time to adhere to the new requirements outlined within the CMMC framework, CMMC has employed a crawl, walk, run model towards implementation, with fiscal year 2026 being the target date by which all DoD contracts will require CMMC certification before being awarded. Since the CMMC framework is much more complex and demanding, organizations should consider beginning certification readiness activities now. Not only does compliance with this standard dictate an organization’s ability to secure contracts as a supplier when required by the DoD, but it also defines their efforts to preserve national security as a whole. Below is a breakdown of each maturity level and the practices and processes that organizations must adhere to in order to be awarded contracts at that specific maturity level:

CMMC

The main goal of CMMC is to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain. If your organization handles either of these two data types, the expectation is that you adhere to the requirements of the applicable CMMC maturity level. As an organization, you may not need Level 5 certification in order to bid on certain types of contracts. However, all contracts are set to eventually require certification at a specific level to win the opportunity, and organizations need to start preparing sooner rather than later in order to secure those contract bids.

Compass IT Compliance is extremely well-versed in the DoD contract realm, having spent the past decade assisting organizations in meeting compliance with DFARS and NIST 800-171. Our team of senior industry experts is made up of early adopters of the CMMC program, closely following its development and rollout from day one. We are a CMMC Registered Provider Organization (RPO) and have the tools and expertise to make your CMMC audit preparation seamless and stress-free. Contact us today to discuss your unique situation!
