Who Needs CMMC Certification?

Maintaining high levels of security for confidential information is critical to the mission of the U.S. Department of Defense (DoD), which has established rules and guidelines for the safeguarding of classified and controlled unclassified information (CUI). These security requirements are designed to prevent unauthorized access to sensitive information and to protect federal contract information (FCI) and CUI held by DoD contractors. Understanding the security requirements and certification process is essential for contractors who access the Defense Industrial Base (DIB) and who provide supply chain services for the Department of Defense. This article will detail who needs CMMC certification.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) went into effect on January 21, 2020. This rule outlined the basic security requirements for DoD contractors and was intended to ensure compliance with standards established by the National Institute of Standards and Technology (NIST). NIST Special Publication 800-171 (NIST SP 800-171) explains the requirements for protecting CUI and other sensitive data in order to comply with CMMC requirements.

Contractors and subcontractors must stay in compliance with the CMMC program to maintain access to CUI and other classified and unclassified information. The Defense Federal Acquisition Regulation Supplement (DFARS) also outlines requirements that are similar to those in NIST SP 800-171. Maintaining CMMC compliance is essential for DoD contractors and subcontractors if they want to continue to bid on government contracts.

CMMC was instituted to protect vital U.S. interests and data from unauthorized access and misuse by cybercriminals. By keeping CUI and FCI out of the hands of these unauthorized individuals, CMMC will protect national security and shield the United States and the Defense Department from those who wish to do harm to their interests.

CMMC 1.0 to CMMC 2.0: What Changed?

Initially, the CMMC program provided a general framework for managing CUI and other confidential information. In November of 2021, however, the DoD replaced the previous version of the CMMC program with CMMC 2.0, which upgraded some of the cybersecurity measures required for companies to become CMMC certified. Some of the most important changes to the program are listed here:

  • The program now features a tiered model that includes three maturity levels, each of which has its own requirements for assessing cybersecurity measures. Previously, five levels were established for contractors and subcontractors with DIB access.
  • The number of cyber domains was reduced from 17 to 14, with some reductions in the required number of cybersecurity practices under each of these domains. These include risk assessment, incident response, maintenance, personnel security, and access control as well as awareness and training requirements.
  • Depending on the level of information accessed by DoD contractors and subcontractors, an assessment by a CMMC third-party assessor organization (C3PAO) may be required for certification. For some contractors, a self-assessment may be sufficient to achieve compliance at the lowest CMMC level. However, access to more sensitive information on DIB networks may require a CMMC assessment performed by a C3PAO.
  • Waivers may be available for some companies that perform mission-critical activities on behalf of the Department of Defense. These will be awarded on a case-by-case basis, however, and should not be seen as a substitute for a robust cybersecurity plan.

For current DoD contractors and those interested in working with the Department of Defense in the future, taking steps to prepare for CMMC certification is a key step in qualifying for these contractual arrangements.

What Are the Levels of CMMC Certification?

Under the current regulations, contractors can be certified at three progressive maturity levels, each of which has its own requirements for assessment and compliance. The three levels are listed here:

  • CMMC Level 1: The Foundational level requires a basic implementation of cybersecurity measures that may or may not include documentation of best practices. A self-assessment is required annually to maintain Level 1 CMMC certification. This minimal CMMC level is required for all contractors who handle Federal Contract Information or who access information that is not intended for public release.
  • CMMC Level 2: Also known as the Advanced level of CMMC certification, Level 2 requires contractors to maintain documentation of their cybersecurity practices and consistent performance of tasks in accordance with these best practices. Contractors who access and use CUI are required to maintain Level 2 certification. If the contractor accesses sensitive data related to national security, it must undergo an assessment by a C3PAO every three years. Other contractors at Level 2 are required to perform annual self-assessments to maintain federal DoD contracts.
  • CMMC Level 3: The Expert level of certification under CMMC is the highest level under CMMC 2.0 and requires the creation and maintenance of a cybersecurity plan for contractors and the data they access. Contractors who handle CUI for top-priority DoD programs must comply with all Level 3 requirements, including the reporting of security incidents, the training of staff members, and the establishment of goals and cybersecurity measures in line with NIST SP 800-171 and other applicable requirements of DFARS and the Department of Defense.

Achieving and maintaining compliance with CMMC security requirements can allow companies to qualify for defense contracts while protecting sensitive data from unauthorized access or misuse. This can open up new avenues and revenue streams for companies that regularly do business with the Defense Department and that require access to federal contract information or controlled unclassified information to manage supply chain requirements and other necessary tasks.

Who Needs CMMC Certification?

Contractors within the DoD supply chain and their subcontractors are required to comply with the provisions of CMMC. The defense contract supply chain encompasses a wide range of industries and companies that require access to DIB networks and databases. Companies must comply with the security requirements of CMMC if they engage in any of the following activities:

  • Storing federal contract information or controlled unclassified information on a temporary or long-term basis
  • Receiving sensitive data for Defense Department contracts
  • Processing sensitive information related to contracts with the Department of Defense
  • Transmitting data in conjunction with defense-related contracts

Evaluating the types of information your company will access as part of its defense contract is essential to determine the appropriate level of CMMC certification for your business. Working with a company that offers guidance and support on creating a robust cybersecurity stance for your organization is often the first step in meeting the requirements for CMMC certification.

How to Get Certified

To begin the CMMC process, you will need to complete some basic steps to improve your cybersecurity posture and to demonstrate your company’s ability to safeguard sensitive data. Some of the most important steps are listed here:

  • Develop a plan: You will need to create a security plan for defense data and perform a self-assessment against the NIST SP 800-171 standards.
  • Adjust your processes: If improvements can be made to your cybersecurity, you should make them to increase your self-assessment score before submitting it to the Supplier Performance Risk System (SPRS).
  • Enlist the help of a cybersecurity company: Obtaining an outside assessment of your security posture can help you to identify issues with your cybersecurity and to address these problems before undergoing C3PAO assessment.
  • Select a C3PAO: Finding a qualified C3PAO to perform your assessment is a key step in the process of certification.
  • Undergo the assessment: The company you have chosen will perform your assessment and will provide you with any improvements that are required to achieve certification. If your C3PAO offers recommendations for improvement, you will have 90 days to fix any issues and qualify for certification.

Certification under the CMMC program can allow your company to participate in profitable defense contracts. Finding the right partner in managing the cybersecurity requirements of this program can be a great first step toward success in qualifying for defense contracts now and in the future.

How Meriplex Can Help

At Meriplex, we specialize in providing the most advanced cybersecurity options for our clients. Our team can offer security consulting and can assess your current posture as it relates to the CMMC program. We can help you with services tailored to suit your needs and to put you in compliance with all aspects of CMMC assessment and certification requirements. Some of the most important services we offer are listed here:

  • Consulting and assessments: Identifying weaknesses in your current cybersecurity measures is one of the first steps necessary in upgrading your security to comply with CMMC requirements. At Meriplex, we can provide you with compliance assessments that can pinpoint gaps in your security and help you in safeguarding sensitive data.
  • Managed detection and monitoring: Tracking access to data and creating proactive responses to risks is another way that your company can prepare for CMMC assessments by C3PAOs.
  • Security plans and documentation: Meriplex can help you create a workable security plan and streamline the documentation of security events.

To learn more about how Meriplex can help you prepare for CMMC certification and DoD contracts, contact us today. We are here to help you achieve the most appropriate cybersecurity posture now and in the future.