CMMC compliance Q&A: Who needs the Cybersecurity Maturity Model Certification (CMMC)?

These days, cybercriminals bombard organizations of all sizes and across all industries with ransomware, phishing emails, and other tactics to infiltrate IT networks and access sensitive information. No one is safe, and that includes the government.

For that reason, the Department of Defense (DoD) is implementing cybersecurity requirements for the contractors and other entities it partners with in the form of the Cybersecurity Maturity Model Certification (CMMC). You might have heard about CMMC compliance and wondered what it is and whether it applies to your business. Here are the answers to some common questions about the certification.

1. What is the purpose of the CMMC?

The CMMC model ensures that defense industrial base (DIB) partners meet DoD information security requirements, according to the website for the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)). The program protects federal contract information (FCI) and controlled unclassified information (CUI) handled by DoD contractors and subcontractors via acquisition programs.

“It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors,” the site states. “The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

2. What is CMMC 2.0?

Based on feedback from industry, the U.S. Congress, and other stakeholders on the interim rule that created CMMC 1.0, the DoD announced CMMC 2.0 in November 2021. The updated program has three progressively more demanding levels, down from the five levels in CMMC 1.0. CMMC 2.0 has not yet been codified through rulemaking.

3. Do I have to comply with the CMMC?

DoD contractors and subcontractors throughout the entire supply chain will need to comply with the CMMC. Once CMMC 2.0 is implemented, the DoD will state the required CMMC level in each solicitation. Because the required level depends on the type of FCI and CUI an entity handles, the prime contractor and its subcontractors may need different levels; for example, a subcontractor only needs the level that matches the information the prime “flows down” to it.

"It's no secret that the U.S. is at cyber war every day." - Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment.

4. When is CMMC compliance required?

The CMMC rulemaking dates back to September 2020, when the DoD published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) laying out the initial program. The official CMMC FAQ on the OUSD (A&S) site states that the interim DFARS rule (which took effect on November 30, 2020) began a five-year phase-in period, during which CMMC requirements appear only in select pilot contracts approved by the OUSD (A&S).

The interim rule stated that “CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.”

However, given the program changes now in progress, the OUSD (A&S) site specifies that the DoD does not plan to require CMMC compliance in any contract until the CMMC 2.0 rulemaking process is complete, which the Department estimated could take anywhere from 9 to 24 months. Watch the CMMC site for updates.

While the DoD has suspended CMMC piloting during the rulemaking process, the Department still encourages DIB companies to enhance cybersecurity through Project Spectrum.

5. How do I get CMMC compliant?

Once CMMC 2.0 is implemented, contractors that do not handle information critical to national security (Level 1, and a subset of Level 2 programs) will be required to perform annual self-assessments.

Contractors that handle information critical to national security (the remaining Level 2 programs) will instead undergo assessments by CMMC Third Party Assessment Organizations (C3PAOs) accredited by the CMMC Accreditation Body (The Cyber AB). These assessments will take place every three years. You will be able to find accredited C3PAOs via The Cyber AB marketplace.

CMMC Level 3 compliance will require government-led assessments every three years. More information is available in the assessments section of the CMMC website.

6. What is the difference between NIST 800-171 and CMMC compliance?

CMMC 2.0 Level 2 (the “Advanced” level) will be aligned with the 110 security requirements in NIST SP 800-171. The DoD is developing Level 3, a.k.a. the “Expert” level, from a subset of the NIST SP 800-172 requirements. In other words, NIST SP 800-171 defines the security requirements, while CMMC is the DoD’s mechanism for verifying that contractors and subcontractors have actually implemented them.

If you’d like more information about achieving compliance with the CMMC and other regulations, our technology advisors can assist you and connect you with leading managed cybersecurity service providers in our partner network. Our partners can conduct security risk assessments and provide managed compliance as a service to help you meet and maintain adherence to industry standards.

Start your compliance journey today by calling 877-599-3999 or emailing sales@stratospherenetworks.com.
