Submitted by on

Home > Cybersecurity Maturity Model Certification (CMMC) Compliance

Cybersecurity Maturity Model Certification (CMMC) Compliance

Share this Page

Updated to Reflect Changes in CMMC 2.0

The U.S. Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) in January 2020 and updated it to CMMC 2.0 in November 2021. It is part of an ongoing effort to secure the DoD’s supply chain and The Defense Industrial Base (DIB).

Cybersecurity standards have been built into acquisition programs to assure that contractors and subcontractors meet DOD’s cybersecurity requirements. The CMMC was created to protect DIB contractors (i.e., the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements) from cybersecurity threats.

The effort to achieve CMMC compliance provides significant benefits to an organization from a security perspective.

CMMC is based on the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and NIST SP 800-172. The DoD partnered with experts in academia from Carnegie Mellon and Johns Hopkins Universities to develop CMMC.

What is CMMC Compliance?

CMMC Levels

CMMC measures cybersecurity maturity, or capability and progression within an organization's security program, with three levels. Each level has detailed processes and practices required for CMMC compliance.

To meet CMMC compliance requirements at one of the three levels, contractors must demonstrate achievement in the desired level as well as the lower levels. In addition, contractors “must demonstrate both the requisite institutionalization of process and the implementation of practice” (see diagram below).

Five levels of CMMC compliance

Because not all contractors require the same level of security, CMMC compliance requirements are in levels. DoD requests for information (RFI) and requests for proposal (RFP) include which CMMC compliance level is required for a given contract. Before consideration, a contractor will be audited by a third party and given a score based on the assessment.

CMMC 2.0 Levels

CMMC compliance levels take into account the form and caliber of controlled unclassified information (CUI) that contractors work with and require them to adhere to the level assigned to a project. The CMMC 2.0 compliance levels range from Foundational (Level 1) to Expert (Level 3).

What Is Controlled Unclassified Information (CUI)?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

CMMC compliance levels align with contractors’ cybersecurity practices and the sensitivity of information as well as the types and consequences of potential threats. The three CMMC compliance levels are:

  • Level one: Safeguard federal contract information (FCI)
  • Level two: Protect CUI
  • Level three: Protect CUI and reduce risk of advanced persistent threats (APT)

Level One: Foundational
Processes:  Performed - Required processes are performed ad hoc, sometimes without formal documentation.
Practices: Basic cyber hygiene - Basic safeguard requirements are met for the protection of FCI according to minimum CMMC compliance requirements.

Level Two: Advanced
Processes:  Managed - Requires demonstration that a plan has been developed, is being maintained, and has been provided the resources needed to manage CMMC compliance. Items in this plan may include goals, resources, training activities, and roles of stakeholders.
Practices:  Managing good cyber hygiene and security of CUI. This includes all security requirements specified in NIST SP 800-171.

Level Three: Expert
Processes: Optimizing - CMMC compliance process implementation is standardized across the organization with ongoing corrective actions and improvements.
Practices: Advanced / proactive - This includes a subset of NIST SP 800-172 requirements. Cybersecurity practices are in place to detect and respond to threats with a focus on protecting CUI from APTs. Tactics and techniques are modified to adapt to changing APTs. The depth and sophistication of cybersecurity measures are increased.

Who Must Comply with CMMC?

Any organization in the defense contract supply chain must be CMMC compliant.

Level two organizations are subject to triannual third-party assessments for critical national security information. Level three organizations are subject to triannual government-led assessments.

Organizations that satisfy CMMC compliance will be listed in the DoD database along with their level of certification.

CMMC compliance includes contractors who engage directly with the DoD and their subcontractors—hundreds of thousands of organizations. These include contractors in areas such as:

  • Critical infrastructure
  • Defense
  • Export control
  • Financial
  • Immigration
  • Intelligence
  • International agreements
  • Law enforcement
  • Legal
  • Natural and cultural resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and acquisition
  • Proprietary business information
  • Provisional
  • Statistical
  • Tax

The reach of CMMC is expansive. A DIB organization with FCI, even if it does not have or produce CUI, must meet the requirements for CMMC compliance at level one. The only exception to being CMMC compliant within the DIB sector is companies that solely produce commercial-off-the-shelf (COTS) products.

DoD gave contractors five years to meet the requirements set forth in the five levels for CMMC compliance. Since 2020, thousands of vendors have worked to understand just what is required of businesses to be CMMC compliant. Contractors that have not met the CMMC compliance requirements by 2025 risk not having DoD contracts renewed.

What is Required of Businesses?

CMMC compliance requirements are based on the certification level being sought. Each level builds on the previous one, meaning that level three must achieve the most stringent requirements as well as all of those set forth in the first two levels.

The level of certification required for a contractor to meet CMMC compliance requirements will be specified in the DoD’s RFIs and RFPs. The higher a contractor’s CMMC level, the more DOD contracts that are available.

DoD subcontractors are subject to the same CMMC compliance level as prime contractors. The level of CMMC compliance is dictated by the level specified in the contract and the information that is shared with subcontractors. For instance, a subcontract may only have to meet CMMC compliance requirements for a lower-level if their work is registered as less sensitive.

The CMMC compliance requirements are broken into 17 capability domains, each with specific capabilities, practices, and processes. The CMMC compliance capability domains are:

  1. 1. Access Control (AC)
  2. 2. Asset Management (AM)
  3. 3. Audit and Accountability (AU)
  4. 4. Awareness and Training (AT)
  5. 5. Configuration Management (CM)
  6. 6. Identification and Authentication (IA)
  7. 7. Incident Response (IR)
  8. 8. Maintenance (MA)
  9. 9. Media Protection (MP)
  10. 10. Personnel Security (PS)
  11. 11. Physical Protection (PE)
  12. 12. Recovery (RE)
  13. 13. Risk Management (RM)
  14. 14. Security Assessment (CA)
  15. 15. Situational Awareness (SA)
  16. 16. System and Communications Protection (SC)
  17. 17. System and Information Integrity (SI)

Understanding CMMC Requirements

CMMC requirements include:

  • Level one: 17  practices
  • Level two: 110 practices aligned with NIST SP 800-171
  • Level three: 110+ practices, based on NIST SP 800-172

CMMC Level One (Foundational) Domains, Capabilities, and Practices Requirements

At base, CMMC compliance requires foundational cyber hygiene and that security processes are performed—and annual self-assessments are required. Most of these standards are already met by existing federal contractors

There are 17 practices required for CMMC compliance at level one:

  • Access Control (AC)
    • Establish system access capabilities
      • AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices, including other information systems
    • Control internal system access
      • AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute
      • AC.1.003 – Verify and control and/or limit connections to and use of external information systems
    • Limit data access to authorized users and processes
      • AC.1.004 – Control information posted or processed on publicly accessible information systems
  • Identification and Authentication (IA)
    • Grant access to authenticated entities
      • IA.1.076 – Identify information system users, processes acting on behalf of users and devices
      • IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems
  • Media Protection (MP)
    • Sanitize media
      • MP.1.118 – Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse
  • Physical Protection (PE)
    • Limit physical access
      • PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
      • PE.1.132 – Escort visitors and monitor visitor activity
      • PE.1.133 – Maintain audit logs of physical access
      • PE.1.134 – Control and manage physical access devices
  • System and Communication Protections (SC)
    • Control communications at system boundaries
      • SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems
      • SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  • System and Information Integrity (SI)
    • Identify and manage information system flaws
      • SI.1.210 – Identify, report and correct information and information flaws in a timely manner
    • Identify malicious content
      • SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems
      • SI.1.212 – Update malicious code protection mechanisms when new releases are available
      • SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed

CMMC Level Two (Advanced)

To achieve CMMC compliance at the second level, the requirements of level one must be met along with the 110 security practices that are included in NIST SP 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

CMMC Level 3 Domains, Capabilities, and Practices Requirements (Expert)

To achieve CMMC compliance at the third level, the requirements of level one and two must be met along with more than 110 of the security practices included in NIST SP 800-172— Enhanced Security Requirements for Protecting Controlled Unclassified Information.

CMMC Implications

For DoD contracts:

  • Compliance with NIST regulations for a baseline level of cybersecurity is only a minimum requirement for consideration of a bid 
  • CMMC compliance is a “Go/No-Go” proposal evaluation criterion 
  • CMMC Level two is likely required for most contracts
  • Primes are contractually responsible for the supply chain’s cybersecurity hygiene
  • Subcontractors will need to be certified

Preparing for a CMMC Audit

  • Assess the CUI Environment
    Determine which assets and systems are in scope, including all assets that directly or indirectly come into contact with Controlled Unclassified Information (CUI).
  • Determine Certification Level Required for CMMC Compliance
    Level one is for DoD contractors that do not generally deal with CUI. Level two includes some DoD contractors that handle CUI and some that do not.. Level  three is at the high end and applies to DoD contractors that need to protect CUI that’s targeted by sophisticated cyber adversaries (e.g., international crime syndicates, malicious nation-states) or advanced persistent threats (APTs). 
  • Readiness Assessment
    Determine which aspects of the cybersecurity program are already in place, and which ones require work, including people, systems, processes, and software. Extra attention should be paid to how CUI is stored, processed, and transmitted. It is also important to have a clear understanding of who is responsible for establishing and maintaining CMMC controls.
  • Identify Remediation Steps
    Assess risks associated with security gaps and quantify the steps needed to achieve compliance at the appropriate level.
  • Create a Compliance Roadmap
    Develop a plan to remediate security gaps based on priorities and resources.
  • Implement and Maintain Ongoing Monitoring
    DoD requires contractors to monitor systems on an ongoing basis and report incidents.

Win-Win with CMMC Compliance

CMMC compliance is an option for any contractor or subcontractor that works with the DoD. The tiered approach to CMMC compliance makes it achievable for most contractors, especially with the change in CMMC 2.0 that allows for more organizations to perform self-assessments, rather than having to undergo formal audits by 3PAOs.

The changes in CMMC 2.0 simplify the standard and provide additional clarity on cybersecurity, regulatory, policy, and contracting requirements. CMMC 2.0 aims to increase accountability for companies to implement and maintain effective cybersecurity programs, while reducing barriers to compliance with DoD requirements. Aligning the model with NIST also helps streamline compliance for organizations, since the overall technical requirements are similar.

Regardless of what it takes to achieve CMMC compliance, the effort will provide significant benefits to the organization from a security perspective. And, organizations can be confident that many current cybersecurity risks are addressed by adherence to CMMC 2.0’s standards, since CCMC 2.0 is aligned with NIST guidelines that are regularly updated to address the evolving cyberthreat landscape.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 20th January, 2022

Share this Page