Our cybersecurity consultants are working closely with Department of Defense contractors to bring them into compliance with Cybersecurity Maturity Model Certification (CMMC). We understand how important it is to successfully navigate this set of regulations so you can bid on contracts. To help, we asked our CMMC-registered practitioner, Greg Smith, to put together an overview covering everything contractors need to know about CMMC. Let’s dive in, starting with a quick FAQ.
10 CMMC Questions Answered by a Cybersecurity Consultant
1. What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) creates a standard baseline of cybersecurity for all contractors, subcontractors and entities working with the Department of Defense (DoD). Following CMMC requirements secures the sensitive data contractors and subcontractors handle as they work with the DoD.
2. Why did the Department of Defense introduce CMMC?
Breaches of sensitive defense information held by contractors prompted the DoD to create CMMC.
3. Who needs to comply?
Eventually, every contractor working with the DoD will need to be CMMC certified.
4. Can I self-certify?
No. Unlike NIST, you cannot self-certify. CMMC compliance is proven by a certification from a third-party assessment organization (3PAO).
5. What happens to contractors who don’t comply?
Noncompliant contractors won’t be able to bid on Department of Defense contracts.
6. Will this change my cybersecurity services?
You’ll need to talk to a cybersecurity consultant about your specific situation, but you will probably need to add IT security services to bring your organization into compliance. Where possible, look for solutions that satisfy multiple requirements at once, such as endpoint threat protection.
7. How will CMMC affect my employees?
Your IT team may have to change processes and procedures. Outside of the tech team, most changes will not have a direct impact on employees, with a few minor exceptions such as multifactor authentication. Your team will also need to set aside time for cybersecurity awareness and anti-phishing training.
Bring up your concerns in a security consultation. Your cybersecurity consultant will help you find ways to minimize any impact without sacrificing security or compliance.
8. When is the deadline for meeting CMMC compliance?
CMMC has a phased rollout. Proof of compliance is already required for some contractors. By September 30, 2025, all organizations working directly or indirectly with the DoD must prove they’ve passed the third-party audit.
9. What do I need to do to demonstrate compliance?
There are 5 levels of compliance, and each tier builds on the one below it. Most contractors won’t need to reach level 5, but everyone will need to fulfill the level 1 requirements. To do this, you need to demonstrate your ability to meet 17 best practices based on National Institute of Standards and Technology (NIST) guidelines (see below for more information).
10. I’m not a DoD contractor, should I align my IT security services with CMMC?
Yes! The level 1 guidelines are useful for any company that wants to follow basic cyber hygiene best practices. You can also use the level 1 guidelines as a guide for what your cybersecurity services provider should be doing for you, at a minimum.
17 Capabilities Every Contractor Has to Demonstrate for Level 1 Compliance
Level 1 is the foundation of CMMC. It’s also beneficial for any organization looking to establish good cyber hygiene.
The 17 domains and how to comply
Below are the 17 domains, as named by NIST, and a brief overview of what it takes to comply.
1. Access Control
Know who accesses your systems and what they can access based on their role.
2. Asset Management
Create and maintain an inventory of company devices. This includes endpoint security.
3. Audit and Accountability
Track all users with access to Controlled Unclassified Information (CUI). Activity is logged and regularly audited.
4. Awareness and Training
Employees regularly receive security awareness training.
5. Configuration Management
Baseline security configurations are defined and applied consistently across your systems and devices.
6. Identification and Authentication
Role and identity-based controls limit access to information and authenticate who is on your network.
7. Incident Response
An incident response plan is in place for detecting and reporting events, and you’re prepared to respond to incidents. Reviews are conducted after each incident to measure the effectiveness of your preparations.
8. Maintenance
Maintenance best practices, like patching, are followed to ensure your system remains operational.
9. Media Protection
All media is identified and marked. Sanitization and transportation protection protocols are in place.
10. Personnel Security
Employees undergo background checks and proper screening. When people leave or are transferred, steps are taken to protect CUI.
11. Physical Protection
Assets are protected through proper physical security controls, like restricting access to your server room. Find a firm that does security consultations to determine whether you need additional safeguards.
12. Recovery
Backups are maintained and logged so you can recover data lost to a cyberattack, natural disaster or any other outage-causing event.
13. Risk Management
Periodically conduct security assessments and vulnerability scans to evaluate your risk. Don’t forget to consider risks posed by your vendors and partners, too.
14. Security Assessment
The functions, features, hardware and software of your systems are detailed in a system security plan (SSP).
15. Situational Awareness
A threat monitoring system is in place that rapidly identifies threats to your system and alerts your IT team about any incident.
16. System and Communications Protections
Tools and processes are in place to secure every communication system your company uses. This includes Voice over Internet Protocol (VoIP) and cloud phone systems.
17. System and Information Integrity
Antivirus software is installed and up to date. Additional detection and monitoring tools continually scan your systems. Alerts for flaws and threats are generated and reviewed by cybersecurity consultants.
The 17 domains only cover level 1 requirements. There are 4 other levels you should be aware of and may need to comply with.
Breaking Down the 5 Levels of CMMC
The level you need to meet will depend on the classification of data you work with. For instance, level 1 will not suffice for contractors creating or handling Controlled Unclassified Information (CUI). They will need level 3 or higher. Here’s a breakdown of what each level involves.
Level 1: Cover the cybersecurity basics
The goal of level 1 is to protect Federal Contract Information (FCI). It introduces the 17 domains and corresponding best practices every contractor will need to follow. All 17 are based on the NIST framework outlined above.
Level 2: Introduction of Controlled Unclassified Information (CUI) requirements
55 practices are added at level 2. You begin to create an environment capable of safeguarding Controlled Unclassified Information (CUI). Cybersecurity policies, standard operating procedures and strategic plans are documented.
Level 3: Safeguard CUI
You document, implement and maintain a plan that shows you have good cyber hygiene policies that fully protect CUI. Compliance with 58 additional practices is required.
Level 4: Detect and respond to Advanced Persistent Threats (APT)
The focus shifts to making sure you effectively protect CUI against Advanced Persistent Threats (APTs). You implement processes to review and measure your ability to detect and respond to APTs. 26 practices are introduced, including advanced NIST security practices.
Level 5: Progressive cybersecurity
Sophisticated tools and procedures are in place to assess and repel advanced threats. Across the organization, processes are standardized and optimized to create a mature, highly cybersecure environment. 15 practices are added.
While many DoD contractors will not need to reach level 4 or 5, your required level will depend on the nature of the contracts and the specific division you are aiming to work with. We recommend working with a CMMC practitioner like Nortec to fully understand the cybersecurity maturity level you need to achieve your contract objectives.
How to Achieve CMMC Certification
Every level of CMMC shares the same starting point for certification: an assessment. Finding the gaps in your organization before the audit means they can be fixed rather than cause a failure, and the assessment gives you an actionable to-do list based on the level you need to reach.
Work with experienced cybersecurity professionals who have particular knowledge of CMMC requirements. At Nortec, we have a CMMC-registered practitioner who will serve as your cybersecurity consultant and work closely with you to assess your systems and determine what steps you need to take to pass your audit.