Cybersecurity Maturity Model Certification (CMMC) Compliance: Guide and Checklist

Published/Updated December 19, 2022


If you are or want to be a contractor for the U.S. Department of Defense, eventually your business will need a Cybersecurity Maturity Model Certification (CMMC).

This security framework, released by the Defense Department in 2020, will ultimately sweep into scope as many as 300,000 federal contractors and their suppliers further down the supply chain.

CMMC requires defense contractors to comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST 800-171). Compliance with NIST 800-171 has long been a requirement for DoD contracts under the Defense Federal Acquisition Regulation Supplement (DFARS), but the number of defense contractors in full compliance with that standard (meaning they have all 110 NIST 800-171 controls in place) has always been low.

CMMC mandates NIST 800-171 compliance and adds some new requirements, borrowing from other cybersecurity frameworks, including the NIST Cybersecurity Framework (NIST CSF), Center for Internet Security (CIS), and the CERT Resilience Management Model (CERT-RMM).

CMMC compliance extends through defense contractors to all suppliers, a group of roughly 300,000 businesses known as the “Defense Industrial Base” (DIB).

Why You Need CMMC

The purpose of CMMC is to provide a uniform set of security standards that every contractor, large and small, must use to safeguard DoD information.

Without CMMC certification, your business could be excluded from bidding on lucrative DoD contracts. Every entity doing business with the Defense Department must have CMMC certification by 2025.

Are you compliant? Do you know? A good GRC software tool can find your compliance gaps, tell you how to fill them, track compliance tasks from assignment to completion, and collect evidence of your compliance efforts to make your audit much easier and less costly.

A Multi-Tiered Approach

Not all enterprises are created equal. Recognizing this, CMMC divides compliance requirements into three tiers, or “maturity levels,” known as foundational, advanced, and expert. Your required maturity level depends mainly on the type and sensitivity of the DoD information you will receive or use.

The level your organization needs to achieve depends on your DoD contract.

The good news is that if your enterprise is already compliant with NIST 800-53 or FedRAMP (the security standard for all government contractors generally), you’re well on your way to becoming certified. Likewise, you’re practically there if you already comply with NIST 800-171.

How to Use This Guide

This guide explains the CMMC compliance process, including a detailed CMMC compliance overview as well as specifics on issues such as:

  • How CMMC compares with other security frameworks;
  • What constitutes “Controlled Unclassified Information,” or CUI;
  • What the CMMC’s three maturity levels mean, and how to know which CMMC level pertains to you;
  • How to comply with CMMC requirements, and which steps to take now;
  • How to prepare for a CMMC audit;
  • Which tools and technologies can hasten your path to CMMC compliance.

Links throughout this guide will take you more deeply into the workings of this critical framework. Read all the materials and you will be knowledgeable about CMMC when you’re done. And if you need help, here’s an excellent tool for that.

What Is CMMC?

CMMC is an acronym for Cybersecurity Maturity Model Certification.

The DoD defines a maturity model as “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.”

CMMC uses industry standards and cybersecurity best practices to establish a benchmark against which assessors can measure your organization’s security posture. From there, your company can set goals for its improvement and priorities for how best to progress.

CMMC is the first unified cybersecurity standard for organizations in the Defense Industrial Base (DIB), which comprises defense contractors and their subcontractors. The DoD says it created CMMC to protect its intellectual property and U.S. national security.

As its basis, CMMC uses the NIST 800-171 standard, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Essentially, a CMMC auditor will examine whether your organization has the proper cybersecurity controls and meets the cybersecurity requirements outlined in NIST 800-171. In addition, in November 2021, an updated version of CMMC, dubbed CMMC 2.0, introduced expert-level CMMC certification leveraging NIST 800-172.

NIST 800-171 was written for use by federal government contractors. Compliance has already been required for DoD contractors since 2018. In 2021, NIST 800-172 was finalized to enhance protection of “controlled unclassified information” (CUI) as a supplement to NIST 800-171.

Currently, only the largest defense contractors (“prime contractors”) must meet NIST 800-171 and the additional requirements of CMMC, and assure that their suppliers further down the supply chain meet those standards too. By 2026, those compliance obligations will extend to all organizations bidding on defense contracts. Janitorial services, cloud service providers, equipment manufacturers, and more: all will need at least CMMC Level 1 certification to keep or acquire a DoD contract.

Who Needs CMMC Certification?

Any contractors that currently work with the DoD need to be CMMC certified. If your organization is planning to contract or has the goal of contracting, then you should also plan to be CMMC certified.

The CMMC level required for your organization will be stipulated on a case-by-case basis in the RFP or RFI you bid upon, but if you’d like to get started preemptively, every organization will need at least the base Level 1 CMMC certification.

CMMC Framework Structure

The CMMC framework encompasses cybersecurity capabilities, practices, and processes across 17 domains. The three levels of CMMC cybersecurity maturity range from foundational to expert.

An organization’s maturity level represents its ability to protect Federal Contract Information (FCI), defined as “information, not intended for public release, that is provided by or generated for the government.” Beyond that level is Controlled Unclassified Information (CUI), defined as “information that requires safeguarding or dissemination controls” but is not classified. For example, personally identifiable information (PII) would qualify as CUI.

The higher an organization’s certification level, the more sensitive the information it will be able to handle. For instance, businesses certified at Level 1 may only access FCI; those certified at Level 3 will also be allowed to handle CUI. Each DoD contract will specify the certification level required.

The assessment of an organization’s maturity level begins at the foundational Level 1, where smaller businesses typically stand. From there, enterprises can strive to improve their cybersecurity practices and reach higher levels, depending on their size, resources, and abilities.

The CMMC Levels

CMMC Level 1: Foundational

CMMC Level 1 enterprises are those practicing “basic cyber hygiene” to protect FCI as outlined in FAR, the Federal Acquisition Regulation, 48 CFR 52.204-21:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
  • Verify and control or limit connections to and use of external information systems;
  • Control information posted or processed on publicly accessible information systems;
  • Identify information system users, processes acting on behalf of users, or devices;
  • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems;
  • Sanitize or destroy information system media containing Federal Contract Information before the media’s disposal or release for reuse;
  • Limit physical access to corporate information systems, equipment, and the respective operating environments to authorized individuals;
  • Escort visitors and monitor visitor activity; maintain audit logs of physical access, and control and manage physical access devices;
  • Monitor, control, and protect organizational communications (such as information transmitted or received by corporate information systems) at the external boundaries and critical internal boundaries of the information systems;
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
  • Identify, report, and correct information and information system flaws in a timely manner;
  • Provide protection from malicious code at appropriate locations within organizational information systems;
  • Update malicious code protection mechanisms when new releases are available;
  • Perform periodic scans of the information system and real-time scans of external sources as files are downloaded, opened, or executed.

CMMC Level 2: Advanced

A CMMC Level 2 organization has “good cyber hygiene” and may handle CUI.

Level 2 entities have a security plan for meeting NIST 800-171 requirements and other standards for mitigating threats. The plan may include “missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.” Since this level incorporates the former CMMC Level 3 requirements, there is a split in CUI handling between prioritized acquisitions and non-prioritized acquisitions. The details of this split are expected in upcoming rules.

Advanced CMMC certifications meet all 110 NIST SP 800-171 control requirements, with the former 20 CMMC-specific practices eliminated.

CMMC Level 3: Expert

The expert level combines former CMMC Level 4 and CMMC Level 5. (The original CMMC framework, subsequently superseded by the current framework, had five levels; the current framework collapsed them into three.) The most significant additions to this level are a triennial government assessment (not one completed by Certified Third Party Assessment Organizations, “C3PAOs”) and additional controls drawn from NIST 800-172.

To be certified at CMMC Level 3, your organization must comply entirely with more than 110 processes within both NIST 800-171 and NIST 800-172.

A Level 3 company’s security processes are standardized throughout the organization and include optimized practices to detect and respond to more sophisticated cyber threats such as Advanced Persistent Threats (APTs). Reciprocity’s ROAR Platform is the perfect ally for this level.

CMMC Domains, Capabilities, and Practices

The CMMC addresses cybersecurity in 17 domains, each one associated with numerous more specific capabilities.

  • Access control
    • Establish system access requirements;
    • Control internal system access;
    • Control remote system access;
    • Limit data access to authorized users and processes.
  • Asset management
    • Identify and document assets;
    • Manage asset inventory.
  • Audit and accountability
    • Define audit requirements;
    • Perform auditing;
    • Identify and protect audit information;
    • Review and manage audit logs.
  • Awareness and training
    • Conduct security awareness activities;
    • Conduct training.
  • Configuration management
    • Establish configuration baselines;
    • Perform configuration and change management.
  • Identification and authentication
    • Grant access to authenticated entities.
  • Incident response
    • Plan incident response;
    • Detect and report events;
    • Develop and implement a response to a declared incident;
    • Perform post-incident reviews;
    • Test incident response.
  • Maintenance
    • Manage maintenance.
  • Media protection
    • Identify and mark media;
    • Protect and control media;
    • Sanitize media before its disposal;
    • Protect media during transport.
  • Personnel security
    • Screen personnel;
    • Protect CUI during personnel actions.
  • Physical protection
    • Limit physical access.
  • Recovery
    • Manage backups;
    • Manage information security continuity.
  • Risk management
    • Identify and evaluate risk;
    • Manage risk;
    • Manage supply chain risk.
  • Security assessment
    • Develop and manage a system security plan;
    • Define and manage security controls;
    • Perform code reviews.
  • Situational awareness
    • Implement threat monitoring.
  • Systems and communication protection
    • Define security requirements for systems and communications;
    • Control communications at system boundaries.
  • Systems and information integrity
    • Identify and manage information system flaws;
    • Identify malicious content;
    • Perform network and system monitoring;
    • Implement advanced email protections.

Across these domains and capabilities, CMMC defines 171 cybersecurity best practices, divided among the three maturity levels.

What is the System Security Plan (SSP)?

As part of CMMC compliance, organizations must develop a System Security Plan (SSP). The SSP must record details about each system in a contractor’s IT environment that stores or transmits CUI to comply with NIST 800-171 and CUI regulations. In addition, the SSP describes the information flow between systems and authentication and authorization procedures. The plan often includes company regulations, staff security obligations, network diagrams, and administrative duties.

Since it is a live document, the System Security Plan (SSP) must be updated whenever a business makes significant adjustments to its security profile or procedures.

As part of the contract bidding and award process, the Defense Department requires an evaluation of contractors’ SSPs. Contractors will only win DoD business if they have an active, legitimate SSP.

Contractors must ensure they have the resources available to create and update the SSP; it can be a resource-intensive procedure, but it is essential for meeting certification criteria.

Why Is the CMMC Gap Analysis Important?

Organizations can use a gap analysis to analyze how well their current cybersecurity program meets – or does not meet – the demands of NIST 800-171. This helps a corporation determine whether it complies with the CMMC, or what steps will be necessary to achieve compliance.

Your company could, for instance, discover it has inadequate or absent multifactor authentication, which will then require better access control. Or your company might be lacking in the equipment and procedures necessary for managing backups and safe data storage. Gap analysis can bring those shortcomings (or many more) into focus.

In other words, a gap analysis can keep your CMMC compliance strategy on track. You certainly won’t be able to pursue that strategy effectively without one.

CMMC vs. NIST 800-171

CMMC is based mainly on NIST SP 800-171, a lengthy and complex cybersecurity framework that, in turn, uses NIST 800-53 as its basis.

That said, NIST 800-171 and CMMC do have some differences. For example, under NIST 800-171, organizations can perform their own compliance assessment; CMMC certification requires a CMMC review by a C3PAO approved by the CMMC accreditation body.

Also, NIST 800-171 addresses 11 domains for which cybersecurity best practices are essential; CMMC contains those 11 domains plus another six, for a total of 17:

  • Asset management;
  • Incident response;
  • Recovery;
  • Risk management;
  • Security assessment;
  • Situational awareness.

NIST 800-171 lists controls, practices, and methods that apply to all organizations, while CMMC considers the maturity level, or posture, of an entity’s cybersecurity program. Doing so allows smaller entities to comply with NIST 800-171 and pushes larger, more sophisticated enterprises to greater sophistication and complexity.

CMMC also goes beyond NIST 800-171 by imposing more controls.

Of the 171 controls contained in CMMC, 46 come from sources other than NIST 800-171, including the Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), and the NIST Cybersecurity Framework (CSF).

NIST 800-172 is the list of supplemental requirements to NIST 800-171. Notably, it offers enhanced protections for CUI when:

  • The information lives off federal servers and systems;
  • A contractor is not collecting data on behalf of a federal agency;
  • There are no otherwise mandated information protections for a specific CUI category.

About CMMC Certification: What You Need to Know

Under CMMC, a qualified assessor accredited by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) must evaluate and certify your company’s cybersecurity maturity level.

But 300,000 assessments for the entire defense industrial base is a vast number. To help streamline the process, DoD suggests you complete a self-assessment before scheduling your CMMC assessment. Reciprocity ZenComply can do this for you with only a few clicks, conducting self-audits as often as you require and guiding you through the remediation process.

Conducting self-audits or self-assessments in advance will also help you cut down on CMMC certification costs. One bit of good news: if your contract requires CMMC, the DoD will reimburse your certification costs, including the expenses you incur in meeting the requirements. The federal government has never before helped fund its contractors’ cybersecurity programs.

What Is a Remediation Plan?

A remediation plan is a focused, actionable plan to close any security holes discovered during your gap analysis, so that your organization can achieve CMMC compliance. Known as a Plan of Action and Milestones (PoAM), it documents the following:

  • The flaws and control gaps identified;
  • A comprehensive strategy to address each non-compliant practice;
  • A risk score and the associated suggested completion or repair date;
  • The resulting Supplier Performance Risk System (SPRS) score reported to the Department of Defense (DoD).

Two Assessments Required

CMMC Certification: How to Prepare

Beyond NIST 800-171 and NIST 800-172 compliance, CMMC requires defense contractors to conform to several frameworks and regulations as well. The best way to prepare for your CMMC audit is to conduct an assessment for compliance with them.

Consulting with a firm that provides CMMC assessments or audit services is a good idea. That agency or auditor can tell you precisely what your assessment will entail, and advise you on how to prepare. Acting early is the key to success.

CMMC Compliance Checklist and Steps

Step 1: Assess Your Needed CMMC Level

  • Working from the DoD contract’s Request for Proposals (RFP), determine the CMMC maturity level your organization needs to meet.
  • The maturity level you need depends on the type of information your organization will receive, process, or store and the contract for which you will bid. The DoD stipulates the CMMC maturity level needed in the RFP or RFI for eligible contracts.
  • Contact a C3PAO for information about other requirements you must meet to obtain your certification.

Step 2: Engage with Needed Frameworks

  • To achieve CMMC compliance, you must comply with NIST 800-171, NIST 800-172, and other security frameworks and regulations. You must also acquire certification from a Certified Third-Party Assessment Organization (C3PAO) attesting to the maturity level of your enterprise or, depending on your maturity level, prepare for a triennial government assessment.

Step 3: Pay Fees By the Deadline

  • The cost of CMMC compliance varies from organization to organization, depending on your cybersecurity posture and the maturity level for which you wish to achieve certification.
  • CMMC compliance is already required for specific DoD contracts, and all contracts will require certification by January 2026.

What Are the Challenges to Becoming CMMC Compliant?

CMMC compliance can be challenging for many reasons, but the top five are listed below.

Beginning or Mapping

The first challenge refers to the extent of CMMC compliance, whether beginning from scratch or adapting another cybersecurity framework for your company. The CMMC’s core comprises seventeen cybersecurity domains and is primarily based on comparable categories in Federal Information Processing Standards Publication (FIPS) 200.

Also, the 17 domains include 171 practices businesses must use to carry out the 43 capabilities dispersed across the domains. While mapping all the obligations may not be easy, implementing them without a clear idea of what they entail is an impossible endeavor.

Cyber Hygiene

The second challenge of CMMC compliance is completing the security of Controlled Unclassified Information (CUI).

An organization complies with all standards for the security of Controlled Unclassified Information (CUI) by practicing “basic,” “intermediate,” and finally, “good” cyber hygiene.

In addition, the CMMC is unique because it takes a staged, tier-based approach to cybersecurity development. The practices are divided into three maturity stages, each assessing a certain amount of practice adoption.

Each level has its distinct focus, although the three are connected, as they require “cyber hygiene” habits.

Confronting Advanced Threats

Another challenge is shifting the attention from CUI protection to Advanced Persistent Threats (APT).

APTs, as their name suggests, are among the most challenging cybersecurity problems to solve, since they encompass the full range of threats that determined, well-resourced attackers pose.

Cybercriminals continuously look for weaknesses in your cybersecurity program to exploit. Therefore, you must be watchful and constantly improve your cybersecurity posture to keep up with them.

Complete Institutionalization

As previously stated, organizing all of the CMMC’s processes is one of the most challenging aspects of compliance. The last hurdle is institutionalizing those processes, which means systematizing them consistently throughout the business.

Getting a Certificate Officially

Getting certified is the last challenge to completing CMMC compliance. Unlike other frameworks, such as the NIST guidelines, you must obtain certification from a Certified Third Party Assessment Organization (C3PAO) that has been granted accreditation by the CMMC Accreditation Body of the Office of the Under Secretary of Defense (OUSD).

CMMC Audits: How to Be Prepared

A CMMC audit examines your cybersecurity policies, procedures, processes, and controls to determine compliance with NIST 800-171, NIST 800-172, and other requirements. The extent of your audit will depend on the maturity level your organization wants to achieve. Only a Certified Third-Party Assessment Organization (C3PAO) is qualified to perform a CMMC audit.

The assessor will first speak with you to determine your needs and request any documents required to evaluate your controls protecting FCI or CUI.

These documents may include diagrams of your environment, risk assessments, data from vulnerability scans, and a list of in-scope controls. Next, the assessor may evaluate your controls to confirm they’re working and issue a report of findings. If you fail the audit, you will be able to correct deficiencies and try again.

Why Consider Outsourcing CMMC?

Many contractors lack the knowledge or resources needed to achieve CMMC compliance on their own. Firms in that position should consider outsourcing their compliance to a Managed Security Services Provider (MSSP).

MSSPs have the procedures and templates required to do a gap analysis and develop the overall security plan; they are also equipped with the necessary resources and knowledge to carry out corrective actions. Additionally, they have the tools to monitor security performance, fix problems, and deliver thorough reports.

If you pursue this route, it’s wise to confirm that your service provider is a Registered Provider Organization for the Cybersecurity Maturity Model Certification (CMMC RPO). Companies that are “cyber-knowledgeable” with a solid grasp of CMMC criteria and processes are granted the CMMC RPO seal.

Maintain CMMC Compliance with ZenComply

CMMC compliance is so complex, especially for organizations seeking certification for maturity Level 3, that using spreadsheets to track and document the process is fruitless. You’ll never keep up with the work involved. Instead, let quality governance, risk, and compliance software such as Reciprocity ZenComply do the heavy lifting for you.

Reciprocity’s ZenComply has everything you need to comply with NIST 800-171 and CMMC. Our user-friendly software uses color-coded dashboards to show where you’re compliant and where you fall short, and tells you how to fill gaps.

ZenComply tracks your workflows, so you always know the status of each compliance task, generates surveys for your vendors to track their compliance, and compiles their responses.

ZenComply also conducts unlimited, in-a-click self-audits so you can be ready for your C3PAO assessment. Our ZenConnect plugin integrates with all your workplace applications to collect evidence for your CMMC audit. It keeps that evidence in a “single source of truth” repository for easy retrieval.

If you’re handling FCI or CUI for DoD projects and want to be assured of keeping your lucrative contracts, you’ll need a high-tech solution to juggle all the many tasks involved. Worry-free CMMC compliance is the Zen way. Contact us today for your free consultation.