Cybersecurity Maturity Model Certification (CMMC) Compliance: Guide and Checklist

Published/Updated February 23, 2021


If you’re a defense department contractor — or you want to be — you will need a Cybersecurity Maturity Model Certification (CMMC).

This security framework, which the U.S. Department of Defense (DoD) released in early 2020, stands to affect as many as 300,000 companies in the DoD supply chain: prime contractors and the subcontractors and suppliers beneath them.

CMMC compliance, in essence, requires compliance with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST 800-171) as well as with certain federal acquisition regulations.

Compliance with NIST 800-171 has long been a requirement for DoD contracts under the Defense Federal Acquisition Regulation Supplement (DFARS). But, according to a DoD official, only 1 percent of DoD-contracting companies are fully compliant, meaning they have all 110 of the NIST 800-171 controls in place.

CMMC mandates NIST 800-171 compliance and adds some new requirements, as well, borrowing from other cybersecurity frameworks including the NIST Cybersecurity Framework (NIST CSF), Center for Internet Security (CIS), and the CERT Resilience Management Model (CERT-RMM).

It also demands certification not only of DoD prime contractors but of their subcontractors, the group of companies known collectively as the “defense industrial base” (DIB). And only an accredited third-party assessor can issue the certification, whereas NIST 800-171 compliance under DFARS has relied on self-attestation.

Why You Need CMMC

The Office of the Under Secretary of Defense for Acquisition and Sustainment created the framework with the help of university-affiliated research centers, federally funded research and development centers, the DIB sector, and DoD stakeholders. The DoD released version 1.0 of the CMMC on January 31, 2020, and updated it to version 1.02 on March 18, 2020.

Its purpose, the DoD states, is to provide a uniform set of security standards that every contractor, large and small, must use to safeguard DoD information.

The CMMC requires DoD contractors and their subcontractors to have their use of cybersecurity best practices, and the maturity of their security program, verified by an independent CMMC Third Party Assessment Organization (C3PAO) accredited by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB).

Without CMMC certification, your business could lose or fail to obtain lucrative DoD contracts. Under the DoD’s phased rollout, CMMC requirements are to appear in all new DoD contracts by October 1, 2025, the start of fiscal year 2026.

Are you compliant? Do you know? Good GRC software can find your compliance gaps, tell you how to fill them, track compliance tasks from assignment to completion, and collect evidence of your compliance efforts to make your assessment easier and less costly.

A Multi-Tiered Approach

Not all enterprises are created equal. Recognizing this, CMMC divides its requirements among five tiers, or “maturity levels,” from Level 1, the least demanding, to Level 5, the most demanding. The level an organization must reach is set by the sensitivity of the DoD information it handles, not by its size.

Which level your organization needs to achieve depends on your DoD contract. Requests for proposals (RFPs) and requests for information (RFIs) will phase in the language for CMMC over the next few years and include the certification level organizations need to bid. 

Your required “maturity level” depends largely on the type and sensitivity of the DoD information you will receive or use. The Defense Information Systems Agency (DISA), for instance, has stated that it expects its contractors to attain certification level 3 or 4.

The good news is this: if your enterprise already complies with NIST 800-53 or FedRAMP, you’re well on your way to becoming certified. If you already comply with NIST 800-171, you’re most of the way there, although Level 3 also requires 20 additional practices and the documented, managed processes described below.

More good news: GRC solutions can tell you where your “overlap” is with existing frameworks so you can avoid duplicating efforts.

How To Use this Guide

Knowledge is power. Read this guide for a wealth of information about the CMMC, including a detailed CMMC compliance overview as well as specifics on topics including:

  • How the CMMC compares with other security frameworks 
  • What constitutes “controlled unclassified information,” or CUI
  • What the CMMC’s five maturity levels mean, and how to know which CMMC level pertains to you
  • How to comply with CMMC requirements, and which steps to take now
  • How to prepare for a CMMC audit
  • Which tools and technologies can hasten your path to CMMC compliance.

Links throughout this guide will take you more deeply into the workings of this important framework. Read all the materials to be knowledgeable about CMMC when you’re done.

What is CMMC?

CMMC is an acronym for “Cybersecurity Maturity Model Certification.”

A maturity model, according to the DoD, is “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” 

CMMC uses industry standards and best cybersecurity practices to establish a benchmark against which assessors can measure your organization’s security posture. From there, your company can set goals for its improvement, and priorities for how best to progress.

CMMC is the first unified cybersecurity standard for the defense industrial base (DIB), which comprises defense contractors and their subcontractors. The DoD says it created CMMC to protect its intellectual property and U.S. national security.

As its basis, CMMC uses NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Essentially, a CMMC assessor will examine whether your organization has the proper cybersecurity controls in place and meets the requirements set forth in NIST 800-171.

NIST 800-171 was written for nonfederal organizations that handle CUI on behalf of federal agencies. DoD contractors have been required to comply with it since the DFARS deadline of December 31, 2017.

Now, though, prime contractors as well as their suppliers must meet NIST 800-171 and the additional requirements of CMMC all the way down the supply chain: all that “contribute toward the research, engineering, development, acquisition, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services.” 

Every organization providing goods or services to the DoD must be CMMC compliant. The list includes small businesses such as janitorial services, cloud service providers, and equipment manufacturers: all will need at least CMMC Level 1 certification to keep or acquire a DoD contract. (The DoD has said that contracts solely for commercially available off-the-shelf items are excluded.)

CMMC Framework Structure

The CMMC framework comprises cybersecurity capabilities, practices, and processes pertaining to 17 domains. The five levels of CMMC cybersecurity maturity range from basic to advanced.

An organization’s maturity level represents its ability to protect Federal Contract Information (FCI), which is “information, not intended for public release, that is provided by or generated for the Government” and is needed to provide services and goods to the federal government; and controlled unclassified information (CUI), “information that requires safeguarding or dissemination controls” but is not classified, such as personally identifying information (PII).

An organization’s certification level determines the sensitivity of the information to which it will be privy. For instance, Level 1 and 2 entities may only access FCI, while Level 3 certification allows the receipt of CUI, as well. DoD contracts will specify the certification level required.

Assessment begins at the foundational Level 1, where many small businesses will stand.

From there, an enterprise can improve its cybersecurity practices and reach higher levels as the sensitivity of the information it handles, and the contracts it bids on, require.

The 5 CMMC Levels

  • Level 1: CMMC Level 1 enterprises are those practicing “basic cyber hygiene” to protect FCI as outlined in the Federal Acquisition Regulation (FAR) clause 48 CFR 52.204-21:
    • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
    • Limit information system access to the types of transactions and functions that authorized users are permitted to execute
    • Verify and control/limit connections to and use of external information systems
    • Control information posted or processed on publicly accessible information systems
    • Identify information system users, processes acting on behalf of users, or devices
    • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
    • Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
    • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
    • Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices
    • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
    • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
    • Identify, report, and correct information and information system flaws in a timely manner
    • Provide protection from malicious code at appropriate locations within organizational information systems
    • Update malicious code protection mechanisms when new releases are available
    • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
  • Level 2: “Intermediate cyber hygiene”: At this transitional level, enterprises establish policies and practices to comply with the CMMC and document their efforts to follow them, moving toward the ability to safeguard CUI. Entities at this level implement 72 practices in all: 65 of the NIST 800-171 security requirements that DFARS clause 252.204-7012 already imposes, plus seven practices drawn from other sources, along with two CMMC processes. (The CMMC contract clause itself is DFARS 252.204-7021.)

    “The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented,” the CMMC document states.
  • Level 3: A CMMC Level 3 organization has “good cyber hygiene” and may handle CUI.

    Level 3 entities have a security plan for meeting NIST 800-171 requirements and other standards for mitigating threats. The plan may include “missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.” 

    They meet all 110 NIST SP 800-171 requirements plus 20 additional CMMC practices (130 in all), and three of the CMMC processes.
  • Level 4: At CMMC level 4, an entity has documented its security processes and written a plan for meeting NIST 800-171, but goes a step further: It reviews its security practices to make sure they work properly, and to update them in accordance with new threats and trends and to conform to cybersecurity best practices.

    Level 4 organizations have fully implemented the NIST 800-171 controls and adhere to 46 additional CMMC practices (156 in all) and four processes.
  • Level 5: A Level 5 company’s security processes are standardized throughout the organization, and include optimized practices to detect and respond to more sophisticated cyber threats such as advanced persistent threats (APTs).

    At Level 5, an enterprise is fully compliant with NIST 800-171 as well as 61 additional CMMC practices (171 in all) and all five CMMC processes.

CMMC Domains, Capabilities, and Practices

The CMMC addresses cybersecurity in 17 domains, each with associated capabilities — 43 in all. 

  • Access control
    • Establish system access requirements
    • Control internal system access
    • Control remote system access
    • Limit data access to authorized users and processes
  • Asset management
    • Identify and document assets
    • Manage asset inventory
  • Audit and accountability
    • Define audit requirements
    • Perform auditing
    • Identify and protect audit information
    • Review and manage audit logs
  • Awareness and training
    • Conduct security awareness activities
    • Conduct training
  • Configuration management
    • Establish configuration baselines
    • Perform configuration and change management
  • Identification and authentication
    • Grant access to authenticated entities
  • Incident response
    • Plan incident response
    • Detect and report events
    • Develop and implement a response to a declared incident
    • Perform post-incident reviews
    • Test incident response
  • Maintenance
    • Manage maintenance
  • Media protection
    • Identify and mark media
    • Protect and control media
    • Sanitize media
    • Protect media during transport
  • Personnel security
    • Screen personnel
    • Protect CUI during personnel actions
  • Physical protection
    • Limit physical access
  • Recovery
    • Manage backups
    • Manage information security continuity
  • Risk management
    • Identify and evaluate risk
    • Manage risk
    • Manage supply chain risk
  • Security assessment
    • Develop and manage a system security plan
    • Define and manage security controls
    • Perform code reviews
  • Situational awareness
    • Implement threat monitoring
  • Systems and communication protection
    • Define security requirements for systems and communications
    • Control communications at system boundaries
  • Systems and information integrity
    • Identify and manage information system flaws
    • Identify malicious content
    • Perform network and system monitoring
    • Implement advanced email protections

Across the 17 domains and 43 capabilities, the framework specifies 171 practices in all, divided among the five maturity levels; each level includes the practices of the levels below it.

For example, the “access control” domain contains:

  • Four practices that Level 1 and higher entities should be conducting
  • 10 more that Level 2 organizations should have
  • Eight more to qualify as Level 3
  • Three more for Level 4, and 
  • One additional practice to qualify as Level 5:  “Identify and mitigate risk associated with unidentified wireless access points connected to the network.”

CMMC vs. NIST 800-171

The CMMC is largely based on NIST SP 800-171, a lengthy and complex cybersecurity framework that, in turn, derives its requirements from NIST 800-53. When CMMC is fully implemented, the DoD intends for C3PAO certification to replace contractors’ self-attestation of NIST 800-171 compliance.

A few differences do exist between the two frameworks. NIST 800-171 was developed for nonfederal information systems that process, store, or transmit CUI; NIST 800-53 is intended for federal information systems, whether operated by agencies themselves or by contractors on their behalf.

Under NIST 800-171, entities may perform their own compliance assessment. Getting CMMC certification requires a CMMC assessment by a C3PAO approved by the CMMC accreditation body.

Also, NIST 800-171 Rev. 2 groups its requirements into 14 families; CMMC 1.02 lists 17 domains, adding the following three to the NIST 800-171 families:

  • Asset management
  • Recovery
  • Situational awareness

Also, NIST 800-171 lists controls, practices, and methods that apply to all organizations, while CMMC takes into account the maturity level, or posture, of an entity’s cybersecurity program. In doing so, it enables smaller entities to comply as they can with NIST 800-171 and pushes larger, more sophisticated, enterprises to greater sophistication and complexity.

CMMC goes beyond NIST 800-171 in another important way, as well, by imposing more controls. 

Of the 171 practices listed in CMMC, 110 are the NIST 800-171 requirements; the other 61 come from sources such as the Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), the NIST Cybersecurity Framework (CSF), and the draft NIST SP 800-171B.

About CMMC Certification: What You Need to Know

Under CMMC, a qualified assessor — one accredited by Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) — must evaluate and certify your company’s cybersecurity maturity level. 

But 300,000 assessments is a huge number. To help streamline the process, DoD suggests you complete a self-assessment before scheduling your CMMC assessment. ZenGRC can do this for you with only a few clicks, conducting self-audits as often as you require and guiding you through the remediation process.

Conducting self-audits or self-assessments in advance will help you cut down on CMMC certification costs, as well. The DoD has also said that the cost of obtaining certification will be an allowable, reimbursable cost under contracts that require CMMC, so certification expenses can be recovered through contract pricing.


CMMC Certification: How to Prepare

Beyond NIST 800-171 compliance, CMMC requires conformity to other frameworks and regulations, too. The best way to prepare for your CMMC assessment is to conduct a gap assessment against all of them.

Consulting with a firm that provides CMMC assessment or a C3PAO is also a good idea. The agency or assessor you contact can tell you precisely what your assessment will entail, and advise you on how to prepare.

Acting now is the key to success. The DoD is phasing CMMC into its contracts gradually, and you will need certification at the required level to bid.

Checklist and Steps: How to become CMMC Compliant 

  • What do I need to be compliant with CMMC? To be compliant with CMMC, you must comply with NIST 800-171, among other security frameworks and regulations. You must also obtain certification from an accredited CMMC Third Party Assessment Organization (C3PAO) attesting to the maturity level of your enterprise.
  • What are the steps to becoming CMMC compliant?
    • Using the DoD project RFP or RFI, determine the CMMC maturity level your organization needs to meet.
    • Contact a C3PAO for information about other requirements you must meet to obtain your certification.
  • How much does CMMC compliance cost?
    The cost of CMMC compliance varies from organization to organization, depending on your cybersecurity posture and the maturity level for which you wish to achieve certification. 
  • How do I determine the level of compliance needed for my organization?
    The maturity level you need depends on the type of information your organization will receive, process or store and the contract for which you will bid. The DoD stipulates the CMMC maturity level needed in the RFP or RFI for eligible contracts.
  • What are the CMMC compliance deadlines?
    CMMC compliance is already required for certain DoD contracts. Under the DoD’s phased rollout, all new DoD contracts are to require certification by October 1, 2025, the start of fiscal year 2026.

CMMC Audits: How to Be Prepared

A CMMC audit, formally an assessment, is an examination of your cybersecurity policies, procedures, processes, and controls to determine compliance with NIST 800-171 and the other CMMC requirements. The extent of your assessment will depend on the maturity level for which your organization wishes to be certified. Only an accredited CMMC Third Party Assessment Organization (C3PAO) is qualified to perform it.

The assessor will first speak with you to determine your needs, and will request any documents required to evaluate your controls protecting FCI or CUI.

These documents may include diagrams of your environment, your system security plan, risk assessments, data from vulnerability scans, and a list of in-scope controls. Next the assessor will evaluate your controls to confirm they’re working and issue a report of findings. If you fail the assessment, you will be able to correct deficiencies and try again.

CMMC Compliance Tools

CMMC compliance is so complex, especially for organizations requesting certification for maturity Level 3 or higher, that using spreadsheets to track and document the process shouldn’t even be an option.

A plethora of templates, frameworks, and other tools are publicly available to help you with CMMC and NIST 800-171 compliance. These are a good place to start. Or you could relax and let a quality governance, risk, and compliance software such as ZenGRC do the heavy lifting for you.

Reciprocity’s ZenGRC has everything you need to comply with NIST 800-171 and CMMC. Our user-friendly software uses color-coded dashboards to show where you’re compliant and where you fall short, and tells you how to fill gaps.

Zen tracks your workflows so you always know the status of each compliance task, and generates surveys for your vendors to track their compliance, as well — and compiles their responses. 

Zen also conducts unlimited, in-a-click self-audits so you can be ready for your C3PAO assessment. And, using our ZenConnect plugin, it integrates with all your workplace applications to collect evidence for your CMMC audit, and keeps them in a “single source of truth” repository for easy retrieval.

If you’re handling FCI or CUI for DoD projects and want to be assured of keeping your lucrative contracts, you’re going to need a high-tech solution to juggle all the many tasks involved — so you don’t have to. Your worries allayed, you’ll be free to focus on keeping your business safe and secure.

Worry-free CMMC compliance is the Zen way. Contact us today for your free consultation.