CMMC Compliance 101: What Every Business Needs to Know

In simple terms, the Cybersecurity Maturity Model Certification (CMMC) is an initiative launched by the Department of Defense (DoD) to protect sensitive, unclassified information from falling into the wrong hands. CMMC is a national security imperative, addressing increasingly frequent and sophisticated cyber threats that cost the defense industry $600 billion annually.  

While companies have been required to comply with cybersecurity standards under DFARS 7012 for nearly a decade, these requirements allowed for self-assessment and self-attestation. The major shift with CMMC, under DFARS 7021, is that a significant portion of the Defense Industrial Base (DIB) will now need to undergo an external assessment by a CMMC Third Party Assessment Organization (C3PAO). Those still permitted to self-assess will face closer monitoring, with an executive required to attest yearly that their organizations comply with the NIST 800-171 and/or other applicable requirements depending on the type of information they receive. 

With this article, we’ll take a deeper dive into the most commonly asked questions we get about CMMC 2.0 and the related regulations and compliance requirements that are going into effect for Defense Industrial Base (DIB) organizations. 

The Top Questions Asked About CMMC 2.0 Compliance 

1. What does CMMC stand for? What is CMMC? 

CMMC stands for Cybersecurity Maturity Model Certification. It’s a simplified cybersecurity program implemented by the Department of Defense. Its purpose is to protect sensitive unclassified information, known as Controlled Unclassified Information (CUI), stored, processed, or transmitted by DIB organizations. This framework was created to ensure anyone working with Department of Defense contracts has a safe environment that protects CUI from outside influences that want to steal or use that information. 

2. What is CMMC compliance? 

Becoming CMMC compliant means a DIB organization has met the necessary cybersecurity requirements based on its maturity level. For Maturity Level 1, which protects Federal Contract Information (FCI), there are 15 practices, and organizations can self-assess. Maturity Level 2 has 110 practices aligned with the NIST 800-171 r2 controls. While some companies that don’t handle sensitive CUI, as determined by the contract, may be able to self-assess, most will require a third-party assessment by a C3PAO. Maturity Level 3, which has 134 practices (including 24 additional controls from NIST 800-172), requires an external assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Organizations must ensure all practices are implemented and verified to maintain DoD contracts, avoid penalties, and protect sensitive information. 

3. What level of CMMC do I need? 

The level of CMMC compliance your DIB business needs depend on the contract solicitations you intend to pursue, as each contract specifies the required Maturity Level (ML). Additionally, the type of information your organization handles plays a role—whether it’s Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Handling CUI generally requires a higher level of protection. The three levels include: 

Level 1 (Foundational) 

This is the basest level and primarily focuses on companies that exclusively deal with FCI. Companies must follow the basic cybersecurity measures based on controls featured in the FAR 52.204-21. These help protect the covered contractors and limits access to only those with authorization. 

Level 2 (Advanced) 

For companies working with CUI, this is the minimum level they need to achieve. The requirements here mirror NIST SP 800-171 r2 controls. There are 14 levels and 110 controls in the NIST SP 800-171 r2. This protects the CUI stored and used by these DIB organizations. 

Level 3 (Expert) 

This is the highest level of security and is meant for DIB organizations that work with the DoD at the highest levels. The purpose of these controls and requirements is to combat Advanced Persistent Threats (APTs). The DoD has indicated that the requirements at this level will be the 110 controls of the NIST SP 800-171 with additional controls from the NIST SP 800-172. 

4. How do I get CMMC certification? 

First, familiarize yourself with the CMMC requirements relevant to your organization. You’ll need to develop a System Security Plan (SSP) and create internal policies to handle CUI securely. A self-assessment is sufficient for Maturity Level 1 (ML1), which applies to most DIB companies handling only Federal Contract Information (FCI).  

For Maturity Level 2 (ML2) and above, if your company handles more sensitive CUI, an external assessment by a CMMC Third Party Assessment Organization (C3PAO) may be required. After your self-assessment or third-party assessment, submit your score to the DoD’s Supplier Performance Risk System (SPRS). If any gaps are identified, address them through a Plan of Action and Milestones (POA&M). C3PAO certifications are valid for three years, but companies must annually verify they remain compliant. ML1 self-assessments are also required on an annual basis. 

5. Who needs CMMC certification? 

Organizations in the DIB sphere, who deal with DoD contracts or sub-contractors, need to comply with CMMC controls. The level of compliance depends on a number of factors, which are listed above. Not complying with these can result in loss of business, cancellation of contracts, and even potentially government fines. 

6. How does CMMC relate to cyber security? 

Much of the CMMC framework is based on cybersecurity. A majority of the rules involve having strict security around digital materials, their storage, transmission and use during collaboration. However, there are also controls around physical security and for training your organization and people.  The CMMC compliance structure is all about having the tight security the DoD is now requiring of contractors and subcontractors they work with. 

7. When does CMMC go into effect? 

CMMC 2.0 is expected to begin appearing in Department of Defense (DoD) contract solicitations once the second CMMC rule, CFR 48, is finalized—likely in Q2 2025. However, it will take three additional years before every new and renewed DoD contract requires CMMC compliance. The rollout will happen in phases, gradually expanding the number of affected contracts. Although full implementation won’t happen immediately, it’s crucial for businesses that rely on DoD contracts to start preparing now, as the certification process can take months or longer. 

8. What are the penalties for not being CMMC compliant? 

If your business relies on DoD contracts, failing to comply with CMMC can result in significant penalties, including the loss of existing contracts and exclusion from future opportunities. Additionally, there are legal risks under the False Claims Act if you falsely represent your compliance. Executives from your company will be required to attest to the accuracy of the reported SPRS score, meaning both the business and the individual executives could face prosecution by the Department of Justice for any false claims. Non-compliance can also damage your company’s reputation, potentially jeopardizing future contract opportunities. 

9. Does CMMC require GCC high?  What is GCC High? 

GCC High is a version of Microsoft’s cloud services designed to meet the strict security and compliance requirements for handling sensitive government information, such as Controlled Unclassified Information (CUI) and International Traffic in Arms Regulations (ITAR) data. While CMMC doesn’t specifically require GCC High, many contractors handling sensitive CUI use it to meet security requirements for cloud services.  

However, companies that rely on External Service Providers (ESPs), such as Cloud Service Providers (CSPs) or Managed Service Providers (MSPs), must ensure those providers have the appropriate CMMC and/or FedRAMP accreditations to help them meet CMMC practices. Your organization should carefully evaluate its cloud and service providers to ensure they align with the required standards for CMMC compliance. 

10. How many CMMC controls are there? 

When it comes to the CMMC maturity level 2, there are 110 practices that need to be met to continue to work with DoD contracts. These controls cover a wide range of security measures that companies must have to remain compliant.   

11. Is CMMC 2.0 finalized? 

While CMMC 2.0 is nearing completion, it has not yet been fully finalized. The process involves two key rules: CFR 32 and CFR 48. CFR 32 was published as a final rule and will become official on December 16, 2024.  CFR 48, which recently concluded its public comment period, is still under review. After the Department of Defense (DoD) updates CFR 48, it will be submitted to the Office of Management and Budget (OMB) for approval, followed by its publication in the Federal Register. Once published, the rule becomes official 60 days later, which likely means CFR 48 will be finalized by Q2 2025. Only after both rules are in place will CMMC begin appearing in DoD contract solicitations. Given the timeline, it’s crucial for DIB organizations to start preparing now for compliance. 

12. Is CMMC required? 

The short answer to this question is yes. While CMMC itself has not been official until now, the existing DFARS 7012 has required companies to self-assess and self-attest to compliance with NIST 800-171 for years. With the introduction of CMMC 2.0, DIB organizations will now face stricter enforcement through third-party assessments by C3PAOs. Any business handling Controlled Unclassified Information (CUI) must submit their assessment to the DoD and be certified for three years to continue securing or obtaining DoD contracts. Given the similarities between DFARS 7012 and DFARS 7021, companies should already be close to meeting the CMMC requirements, though many are not, which is why the DoD has introduced these tougher compliance measures.

13. What is the difference between CMMC and NIST 800-171?

CMMC builds on NIST SP 800-171, a security standard developed by NIST that outlines 110 controls for protecting Controlled Unclassified Information (CUI). Under DFARS 7012, companies were required to self-assess and self-attest to meet these controls, but this approach needed to be revised. CMMC Maturity Level 2 (ML2) aligns its practices with the 110 controls from NIST SP 800-171 but now requires most companies to undergo a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) to verify that these practices are properly implemented and maintained to be accredited. 

CMMC 2.0 is Coming and DIB Businesses Must be Compliant 

Although CMMC 2.0 has yet to be finalized by the DoD, the fact remains that it is coming and already, at the time of this writing, heading into the final phases of approval. Sometime in 2025, compliance will be mandatory, and proof of that compliance will be required for DIB suppliers in order to keep or continue to gain DoD contracts. Navigating this compliance can take months and be complicated. This is why companies have to start now. 

Of course, businesses do not need to do this alone or try to do the entire process on their own. Exostar’s CMMC Ready Suite helps provide a full suite of software and services that can help guide you and prepare you through the process and get your business set up to take the assessment that will determine your compliance. For details about our CMMC Ready Suite, and all it offers, visit our page and then set up a time to talk to one of our representatives for further details.