
CMMC 2.0 Timeline and Guide for Implementation


On December 26, 2023, the Department of Defense (DoD) published a proposed rule, 32 CFR Part 170, to ensure that DoD contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement the security requirements of Cybersecurity Maturity Model Certification (CMMC) 2.0. The CMMC final rule was published in the Federal Register on October 15, 2024, with an effective date of December 16, 2024.

DoD is also amending the DFARS to align with 32 CFR Part 170 through a separate rulemaking, DFARS Case 2019-D041, whose proposed rule was published in the Federal Register on August 15, 2024. That rule is what places CMMC requirements into contract clauses; 32 CFR Part 170 defines the program, but a contractor is bound by it only when the DFARS clause appears in a solicitation or contract.

Once these rules are effective, most defense contractors handling sensitive material will need to demonstrate compliance with a specific CMMC level to bid on DoD work or renew contracts. However, the DoD plans to roll out CMMC requirements in four phases over the span of three years to give contractors time to learn and adopt CMMC.

Currently, contractors handling FCI must adhere to Federal Acquisition Regulation (FAR) clause 52.204-21, which lists 15 basic safeguarding requirements. Defense Industrial Base (DIB) companies dealing with CUI generally fall under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires implementing the security requirements in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).

CMMC is built on NIST SP 800-171, which DIB companies have been self-attesting to under DFARS 252.204-7012 for years, so the practices themselves are not new. What CMMC adds is verification: a documented assessment (self-assessment or third-party, depending on level), a formal affirmation by a senior company official, and a recorded CMMC status that contracting officers check before award.

Did we lose you? We get it — CMMC is complex and difficult to navigate without guidance. We’ll break it down and illustrate that compliance is attainable — but it’s crucial to act ASAP.

What Is CUI?

CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. CUI does not meet the criteria for classification, but it is still material whose loss could harm national security if it is not adequately protected.

An example of CUI is technical documentation, which includes requirements, designs, and specifications that describe a widget being developed for the federal government. CUI can be wide-ranging because it can apply to any insight that might give an adversary knowledge about DoD operations, programs, technology, or intentions.

What Is CMMC 2.0?

CMMC defines security requirements for handling FCI and CUI, structured around certification levels. It was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, working with other DoD components and industry stakeholders. The first version featured five levels; version 2.0 has three.

The Purpose of CMMC

The purpose of CMMC is to protect sensitive, unclassified information against threats, especially cyber threats, to safeguard national security. It includes practices based on or aligned with the security requirements from NIST SP 800-171. 

Who Is Required to Comply With CMMC 2.0?

In short, if you do business with DoD, you need to comply with CMMC. Specifically, if you store, transmit, or process CUI or FCI on a non-federal system, you will most likely need to achieve compliance with one of its levels.

For most DoD contracts, CMMC will be implemented as new contracts are solicited and awarded after the CMMC and DFARS final rules take effect. CMMC applies to prime contractors and flows down to every subcontractor that handles FCI or CUI, so if you are a sub, work with your prime to understand which information you will receive and which CMMC level that requires of you.

For example, if you have a contract that is currently in place but is up for recompete in 2025, that is when CMMC will likely come into scope for your organization. When you submit your proposal, you will also submit proof of your compliance with CMMC. That means if your organization is not already meeting the standard, you need to begin preparing for implementation now. Preparing for a third-party CMMC assessment can take several months, depending on your organization’s needs. Planning, scheduling, and undergoing the actual assessment also takes time.

Keep in mind that if your organization does not achieve the required CMMC status, you will not be able to bid on that DoD work. Schedule your assessment far enough in advance to leave recovery time. Some unmet requirements can be deferred on a Plan of Action and Milestones (POA&M) and yield a conditional status, but not every requirement is POA&M-eligible, and the plan must be closed out within 180 days or the conditional status lapses.

When Will CMMC 2.0 Be Required for DoD Contracts?

Under 32 CFR Part 170, the CMMC Program is phased in over three years. Phase 1 begins on the effective date of the companion DFARS rule (the 48 CFR rulemaking), not on the December 16, 2024 effective date of 32 CFR Part 170 itself. Each of the first three phases lasts one calendar year before the next begins.

During Phase 1, DoD intends to require a CMMC Level 1 or Level 2 self-assessment as a condition of award in applicable solicitations, and it may, at its discretion, require a Level 2 certification assessment instead. In Phase 2, a Level 2 certification assessment by a C3PAO becomes the standard requirement for contracts involving CUI, although DoD may defer it to an option period rather than the initial award. Phase 3 adds Level 3 certification requirements, and Phase 4 is full implementation, with CMMC requirements in all applicable solicitations and contracts.

At the time of writing, the DFARS 48 CFR rule, which requires the use of a third-party assessment organization for Level 2 certification, was anticipated to be published in March 2025. Because Phase 1 starts on that rule's effective date and Phase 2 follows one year later, the date by which most CUI handlers must hold a third-party assessment is set by when the DFARS rule takes effect.


Why Is CMMC Required?

DoD found that although DIB companies were required to attest that they had implemented all of the practices in NIST SP 800-171, many had not, despite having attested that they had. The resulting weak cybersecurity at many DIB companies contributed to ongoing theft of intellectual property and unclassified government information.

For companies handling only FCI, a self-assessment remains all that is required. Under CMMC, however, the result must be affirmed by a senior company official, with legal consequences for both that official and the company if the affirmation is false.

For most companies handling CUI, a CMMC third-party assessment will be required. The rule also defines a Level 2 self-assessment for a subset of contracts that DoD designates, but the contracting officer decides which applies, not the contractor. A third-party assessor is known as a C3PAO, which stands for CMMC Third-Party Assessment Organization. C3PAOs are accredited by The Cyber AB, the DoD-authorized CMMC accreditation body. There are not many C3PAOs approved to conduct assessments at this time, so if your organization wants or needs a third-party assessment sooner rather than later, contact a C3PAO as soon as possible to get on the schedule.

What CMMC Level Do I Need?

The CMMC level you need to achieve depends on the type of information you handle, how sensitive it is, and your contractual clauses. CMMC 2.0 has three levels:

Level 1: Foundational

If you handle FCI and not CUI, you need a CMMC Level 1 self-assessment. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. So if you have a contract with DoD or are a subcontractor to a DoD prime, you are in scope for CMMC and will need to self-assess against, and affirm that you meet, the 15 Level 1 requirements, which correspond to the basic safeguarding requirements of FAR 52.204-21.

Companies that have a low risk of ever encountering CUI, like those doing landscaping or serving food at a DoD facility, will likely never have to leave CMMC Level 1.

Level 2: Advanced

CMMC Level 2 is for any DoD contractor or subcontractor that handles CUI. Level 2 brings all 110 requirements of NIST SP 800-171 (Revision 2, the version the rule specifies) and the DFARS 252.204-7012 requirements into scope. For most CUI contracts it requires a Level 2 certification assessment, meaning an accredited C3PAO must assess your implementation.

Level 3: Expert

CMMC Level 2 is a prerequisite for Level 3. Contractors needing Level 3 must meet all of Level 2's requirements plus 24 enhanced security requirements from NIST SP 800-172. DoD has said that only a small subset of DIB companies will require it. Those that do will need a Level 2 third-party assessment for the NIST SP 800-171 requirements and a government assessment, performed by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), for the NIST SP 800-172 requirements.

What Are the Steps in CMMC 2.0 Implementation?

Implementing CMMC and preparing for an assessment is best achieved in steps. Each step takes time, which varies depending on your current general security and cybersecurity posture and the challenges your organization faces.

Let’s imagine you want to reach compliance within a year. Here’s an optimistic overview of what your CMMC journey might look like:


1. Familiarize Yourself With CMMC Levels: 1 Week

Review your existing contract or consider the type of information you usually handle. Do you work with FCI or CUI? Learn about the different levels of CMMC and determine which one applies to your organization.

2. Meet With a CMMC Consultant: 1 Month

Understanding complex CMMC requirements and addressing gaps can be challenging, costly, and time-consuming for DIB companies. Partnering with a CMMC expert to prepare for an assessment can be the most cost-effective, low-risk option.

An experienced CMMC consultant can help your organization understand relevant CMMC requirements and assist you in creating a clear, practical path to compliance. 

3. Conduct a Gap Analysis With a Qualified Consultant: 1 Month

With the guidance of a CMMC consultant or experienced C3PAO, conduct a CMMC gap analysis, which involves evaluating and comparing your current security controls to CMMC requirements. A CMMC consultant can perform a gap analysis for you and ensure it’s done accurately and thoroughly.

To understand what a gap analysis might entail, refer to the requirements in NIST SP 800-171 since these are part of CMMC.

4. Develop a Plan to Address Cybersecurity Gaps: 1 Month

Whether you work with a consultant or tackle CMMC on your own, you’ll need a strategy for addressing cybersecurity gaps. Make sure your plan includes how you’ll implement security controls and the resources required. Aim to prioritize the highest-risk gaps.

5. Implement Controls Outlined in Your Plan: 3 Months

Allocate resources to implement the security controls in your plan. Ensure organizational policies and procedures are updated to reflect the implemented controls. For cleared DIB companies, this may mean integrating the controls into the Standard Practice Procedures (SPP), the Insider Threat Program plan, and other documents required by the Defense Counterintelligence and Security Agency (DCSA).

6. Train Employees on Their CMMC Roles: 1 Month

Employees will need to be trained on how to maintain CMMC compliance. Determine the roles and responsibilities of employees involved in CMMC compliance and ensure they’re trained accordingly. Integrate these requirements into your company policies and employee training program, especially for new employees.

7. Continually Monitor and Assess: Ongoing

Plan to continually monitor and evaluate the CMMC-aligned security controls you implemented to make sure they’re effective. Consider performing an unofficial self-assessment to see where you stand before contacting a C3PAO. Use the DoD’s CMMC Self-Assessment Guide for assistance.

8. Select a Qualified C3PAO and Undergo an Assessment: 3 Months

Select a C3PAO to assess your CMMC compliance at the appropriate level. Some organizations use the same C3PAO for a readiness review and the formal assessment so that the two do not differ in how they interpret the requirements; if you do this, confirm with the C3PAO that the readiness engagement is structured to avoid a conflict of interest, because a C3PAO may not provide consulting to an organization it then assesses. On completion, the C3PAO uploads the results to the CMMC instance of the Enterprise Mission Assurance Support Services (eMASS) system, which records your CMMC status in the Supplier Performance Risk System (SPRS) where contracting officers can see it, and a senior official in your organization must then affirm continuing compliance in SPRS annually.

How Do I Find and Select a CMMC Consultant?

Partnering with a CMMC consultant can make the difference between compliance and confusion — if you choose the right partner. How might you determine who is a good consulting organization and who isn’t? Follow these tips:

Consider Your Comfort Level With Security Requirements

Before finding a consultant, determine how comfortable your organization is in meeting NIST SP 800-171. Is your organization currently a “possessing” company with a facility security clearance (FCL)? If so, then someone in your organization is probably familiar with implementing NIST SP 800-171 or something similar, and you are well on your way.

If your organization does not hold a possessing FCL, or has never operated a Sensitive Compartmented Information Facility (SCIF), you may want assistance understanding and implementing CMMC and NIST SP 800-171. CUI is not classified information, but many of the controls and protections for CUI are similar to those used with classified information.

Determine Where Your Needs Lie

You need to determine where your needs lie as you begin selecting a CMMC consultant. The first thing to consider is whether you hold, or anticipate holding, classified contracts and therefore need a consultant authorized to work with classified information. If you have such contracts, we would say yes. If the unclassified system that handles CUI supports classified contract work, vulnerabilities found in the CUI system could themselves be classified if they could lead to disclosure of information about the classified work. It is better to have a cleared consultant than to have to report to your government customer that a classified vulnerability has been exposed to an uncleared one.

Next, if your organization is strong on the technical side but weak on the policy or process side, you will want to find a consultant with lots of policy and process definition and implementation experience. If you are strong on the policy and process side but weak on the technical side, you will want a CMMC consultant who is strong on the technical side. If you need help with both, like many organizations, you need to find an individual or a company that can provide both.

It can be difficult to be an expert at everything, so do not be concerned if a CMMC consulting organization recommends a small composite team with different skills to work with you.

Ask a C3PAO for Guidance

Start by picking a C3PAO that you want to work with and ask them about recommended consultants. Since C3PAOs assess the results of a consultant’s work as demonstrated through the implementation of CMMC in an organization, most C3PAOs know who does good work and who falls short. Also, C3PAOs are forbidden to have a financial interest or relationship with CMMC consultants by The Cyber AB’s licensing agreement.

Consider the Consultant’s Experience

Ask the consultant about their experience in setting up computing environments using virtual cloud systems, Linux, Windows, iOS, or whatever combination you might use. Most systems containing CUI are built virtually using a platform like Microsoft Azure or on-site using Linux, Windows, or a combination of technologies. Passing this first technical familiarity test is important.

For example, Microsoft 365 Government Community Cloud (GCC) or GCC High, often paired with Azure Government, is a common path toward fulfilling CMMC requirements; GCC High is the usual choice when the CUI includes export-controlled data. A consultant who is a Microsoft partner or who has set up systems in GCC or GCC High is a good indicator that the consultant can help your organization, too.

Also, try to find a CMMC consultant who has experience with organizations of your size. A consultant who has only worked with large companies may not be able to make quality recommendations for a very small company and vice versa. The processes and tool implementations can be very different for different-sized organizations.

Familiarity with your business technology area — for example, IT services, aerospace, consulting, military construction — is also important. CMMC policies, procedures, and controls must be implemented in support of your business, not in conflict with it. Find a consultant who knows what CMMC looks like in your business line.

Seek a Consultant With High-Security Expertise

Look for consultants who work for an organization with an FCL or who have set up computing environments for a SCIF. Ask for the organization's CAGE code; every entity registered in SAM has one, so the code alone does not prove a clearance, but your facility security officer or government customer can use it to verify the FCL.

Once again, although CUI is not classified information, the skills and background needed to manage information with an FCL and, in particular, a SCIF are directly transferable to protecting CUI under CMMC. Anyone who knows how to make a secure computing system that handles classified information is well-equipped to establish a system for CUI.

At Business Transformation Institute, Inc. (BTI), we have been wryly amused by the protests of some highly regarded CMMC experts who have struggled to complete DoD's basic background investigation, which suggests that they may know how to secure CUI but would not themselves be trusted with it.

Look for Consulting Organizations That Employ Certified CMMC Professionals

Unlike Registered Practitioners, who have minimal requirements, Certified CMMC Professionals (CCPs) may have already participated in a CMMC assessment and be able to bring valuable experience to the table. Being a CCP is the first step in becoming a Certified CMMC Assessor (CCA). Please note that if a CCP consults with your organization, they will not be on the CMMC assessment team since there are conflict-of-interest rules in place that strictly forbid that.

Look for a Certified CMMC Assessor Interested in Consulting

Consider looking for a CCA interested in consulting. CCAs have progressed from CCP and, under The Cyber AB's requirements, must have participated in three CMMC Level 2 assessments, during which they assess the Level 1 practices. Everyone in chorus now, because The Cyber AB is serious about this: a CCA who consults with you cannot be your assessor, under the conflict-of-interest rules.

Choose Someone You Want to Work With

Finally, when interviewing potential CMMC consultants, look for someone you are comfortable with and can see yourself working with. While the CMMC consultant will be working for you, you will probably be spending some long hours with them, so make sure their personality fits you or the team.

Also, remember time zone differences if it’s someone who will be working remotely. If your organization is not very technical, make sure your CMMC consultant can explain things to you and your team in terms that you can understand. You will be the ones interviewed in a CMMC assessment, not the consultant. While you will need to learn the jargon and technology, having someone who can help you understand and learn is very important. 

How Do I Find and Select a CMMC Assessor?

Selecting a CMMC assessor is similar to selecting a CMMC consultant. Try to select an assessor you are comfortable with, has experience assessing an organization of your size, and is familiar with the technologies you use. 

A difference between engaging with a CMMC consultant and a CMMC assessor is that you engage with a CMMC assessor through a C3PAO. Individual assessors cannot do business directly with a company — it must be done through the C3PAO. Even if you initially talk to an individual assessor, they will eventually need to direct you to the C3PAO they are working with for scoping and formal business agreements.

Depending on the size of your organization, a team of assessors may be required to assess your organization, and the C3PAO is responsible for putting that team together. If you first engage with a C3PAO, they must have a pool of at least three assessors from which they and you can select from.

Ready to find an assessor? Follow these tips:

Consider the CMMC Level and Type of Assessor You Need

First, it’s essential to understand the various roles in the CMMC ecosystem to determine the type of assessor you need for your desired CMMC level. Let’s break down some terms:

  • C3PAO: The organization accredited by The Cyber AB to perform CMMC assessments. If you have the classified-system concerns mentioned above, look for a C3PAO with an FCL.
  • Certified CMMC Professional (CCP): An individual certified by The Cyber AB who can serve on a C3PAO assessment team under a CCA but cannot lead a Level 2 assessment.
  • Certified CMMC Assessor (CCA): An individual certified to perform Level 2 assessments and to lead a C3PAO assessment team.
  • Provisional Assessor: An individual who is not yet a CCA but who is qualified to participate in CMMC assessment activities.

If your organization handles CUI and needs a Level 2 certification, the assessment team must be led by a CCA (the Lead CCA); CCPs may be team members but cannot lead.

Consider if You Need an Assessor Authorized to Handle Highly Classified Information

As with selecting a consultant, you need to consider if you need an assessor authorized to handle the most sensitive government information. If your organization has a facility clearance (FCL) and classified contracts, we would again say “yes”! 

While all CCAs require a DoD Tier 3 Suitability Determination, that’s not the same as a security clearance. So, some risk is always present with the entire assessment team if any member of that team is not cleared. If your CUI system is wrapping a classified system or contracts, then vulnerabilities found by the assessment team could lead to a classified vulnerability being exposed to unauthorized persons.

Visit The Cyber AB Marketplace

The authoritative listing of all the CMMC assessors approved by The Cyber AB is on The Cyber AB marketplace. If someone claiming to be a CMMC assessor is not listed on the marketplace as either a Provisional Assessor, CCP, or CCA, they are not approved. Please verify that anyone you talk to is listed on The Cyber AB marketplace since there have been reports of non-Cyber AB-approved assessors selling their services. If you are “assessed” by a non-Cyber AB-approved assessor, that assessment will not be official or listed by the government as an authentic credential, and it cannot be used for proposals or bids for DoD work.

Do Not Let Price Be the Only Factor

As we have seen over more than 25 years of consulting and assessing against other frameworks, you get what you pay for. The lowest bidder might not be the best assessor for your organization. We have been brought in many times to clean up after a poor experience with another consultant or assessor. Given that a CMMC status must be in place before bidding on affected DoD contracts, the cost of a problematic implementation or assessment extends far beyond the cost of the assessment itself.

Any consulting or assessment engagement is going to have a cost associated with it. It’s better to pay a little extra to get things done right the first time than paying for a poor experience and then having to pay for a second one to clean up after the first. Or, worse still, losing control of CUI to the detriment of the United States.

Choose an Experienced Assessor

Our experience has also shown that you will want an assessor with lots of assessment experience. Interfacing successfully with companies, executives, and staff at different levels requires years of practice. Talking to an Information System Security Engineer (ISSE) about their security implementation is very different from briefing a CEO, and an assessor needs to be able to do both.

Managing assessments, especially those of large organizations, takes project management experience, so just having a strong technical background is not enough. Good assessors need a wide breadth of experience, not just a deep understanding of security practices. 

We have conducted highly technical assessments for other frameworks requiring multiple teams to conduct on-site visits to locations nationwide, with the assessment spanning months. An ISSE that has just begun performing CMMC assessments, for example, will probably not have the experience to manage such an assessment. The C3PAO will hopefully provide an assessor who meets your needs but, in the end, that responsibility is on you to select the best assessor for your organization.

Avoid Procrastination

Unfortunately, once assessments are allowed to begin and companies determine they need a CMMC assessment for their DoD work, the availability of an assessor may be the only deciding factor. DoD acknowledges that there are not enough assessors to conduct all the assessments that will be required, nor will there be until a large number of individuals are trained and certified as assessors — another reason to get in line early if you believe you are going to require a CMMC assessment right out of the gate.

Contact BTI for CMMC Consulting or Assessments


The final CMMC program rule is here after a long wait, and the DFARS clause that puts it into contracts is following. It is better to prepare now than to rush to get compliant, strain your resources, and potentially lose work. At BTI, we understand that CMMC is complex and challenging to navigate. With decades of experience helping DoD contractors meet stringent cybersecurity requirements, we are ready to assist you.

We offer comprehensive CMMC services, including consulting, certification training courses, and CMMC assessments. As an authorized C3PAO with team members authorized to work with the government’s most sensitive systems, we can help you efficiently and cost-effectively achieve CMMC compliance. Contact our team today for more information.
