Cybersecurity Maturity Model Certification (CMMC) Compliance: Guide and Checklist

Published/Updated May 16, 2022

Introduction

If you are or want to be a defense department contractor, eventually your business will need a Cybersecurity Maturity Model Certification (CMMC).

This security framework, which the U.S. Department of Defense (DoD) released in 2020, ultimately will affect as many as 300,000 federal contractors and their suppliers further down the supply chain.

CMMC requires defense contractors to comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST 800-171) plus certain other federal regulations.

Compliance with NIST 800-171 has long been a requirement for DoD contracts under the Defense Federal Acquisition Regulation Supplement (DFARS), but the number of defense contractors in full compliance with that standard (meaning they have all 110 NIST 800-171 controls in place) has always been low.

CMMC mandates NIST 800-171 compliance and adds some new requirements, borrowing from other cybersecurity frameworks including the NIST Cybersecurity Framework (NIST CSF), Center for Internet Security (CIS), and the CERT Resilience Management Model (CERT-RMM). Only a verified third-party assessor can issue the CMMC certification, as opposed to NIST 800-171, which relies on self-assessments.

CMMC compliance also extends through defense contractors to all their suppliers – a group of roughly 300,000 businesses known as the “defense industrial base” (DIB).

Why You Need CMMC

The purpose of CMMC, according to the Defense Department, is to provide a uniform set of security standards that every contractor, large and small, must use to safeguard DoD information.

Without CMMC certification, your business could lose (or fail to win) lucrative DoD contracts. Every entity doing business with the agency will be required to have CMMC certification by 2025.

Are you compliant? Do you know? A good GRC software tool can find your compliance gaps, tell you how to fill them, track compliance tasks from assignment to completion, and collect evidence of your compliance efforts to make your audit much easier and less costly.

A Multi-Tiered Approach

Not all enterprises are created equal. Recognizing this, CMMC divides compliance requirements into three tiers, or “maturity levels,” known as foundational, advanced, and expert.

The level your organization needs to achieve depends on your DoD contract. Requests for proposals (RFPs) and requests for information (RFIs) will phase in the language for CMMC compliance over the next few years and will include the certification level organizations need to bid.

Your required maturity level depends largely on the type and sensitivity of the DoD information you will receive or use.

The good news is that if your enterprise is already compliant with NIST 800-53 or FedRAMP, you’re well on your way to becoming certified. If you’re already complying with NIST 800-171, you’re practically there.

How to Use This Guide

This guide offers a wealth of information about CMMC, including a detailed CMMC compliance overview as well as specifics on issues such as:

  • How the CMMC compares with other security frameworks;
  • What constitutes “controlled unclassified information,” or CUI;
  • What the CMMC’s three maturity levels mean, and how to know which CMMC level pertains to you;
  • How to comply with CMMC requirements, and which steps to take now;
  • How to prepare for a CMMC audit;
  • Which tools and technologies can hasten your path to CMMC compliance.

Links throughout this guide will take you more deeply into the workings of this important framework. Read all the materials to be knowledgeable about CMMC when you’re done. And if you need help, here’s a great tool for that.

What Is CMMC?

CMMC is an acronym for Cybersecurity Maturity Model Certification.

A maturity model, according to the DoD, is “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.”

CMMC uses industry standards and best cybersecurity practices to establish a benchmark against which assessors can measure your organization’s security posture. From there, your company can set goals for its improvement and priorities for how best to progress.

CMMC is the first unified cybersecurity standard for organizations in the defense industrial base (DIB), which comprises defense contractors and their subcontractors. The DoD says it created CMMC to protect its intellectual property and U.S. national security.

As its basis, CMMC uses NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Essentially, a CMMC auditor will examine whether your organization has the proper cybersecurity controls in place and meets the cybersecurity requirements set forth in NIST 800-171. In November 2021, an updated version of CMMC – CMMC 2.0 – introduced expert-level CMMC certification leveraging NIST 800-172.

NIST 800-171 was written for use by federal government contractors. Compliance has already been required for DoD contractors since January 2018. In February 2021, NIST 800-172 was finalized to enhance CUI protections as a supplement to NIST 800-171.

Now prime contractors, as well as their suppliers, must meet NIST 800-171 and the additional requirements of CMMC down the supply chain. Every organization providing goods or services to the DoD must be CMMC compliant. The list includes small businesses such as janitorial services, cloud service providers, and equipment manufacturers; all will need at least CMMC Level 1 certification to keep or acquire a DoD contract.

Who Needs CMMC Certification?

Any contractors that currently work with the DoD need to be CMMC certified. If your organization is planning to contract or has the goal of contracting, then you should also plan to be CMMC certified.

The CMMC level required for your organization will be stipulated on a case-by-case basis in the RFP or RFI you bid upon, but if you’d like to get started preemptively, every organization will need at least the base Level 1 CMMC certification.

CMMC Framework Structure

The CMMC framework encompasses cybersecurity capabilities, practices, and processes across 17 domains. The three levels of CMMC cybersecurity maturity range from foundational to expert.

An organization’s maturity level represents its ability to protect Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the government.” Beyond that level is controlled unclassified information (CUI), defined as “information that requires safeguarding or dissemination controls” but is not classified. For example, personally identifying information (PII) would qualify as CUI.

An organization’s certification level determines the sensitivity of the information to which it will be privy. For instance, Level 1 entities may only access FCI, while Level 3 certification allows the receipt of CUI, as well. DoD contracts will specify the certification level required.

The assessment of an organization’s maturity level begins at the foundational Level 1, where smaller businesses typically stand. From there, enterprises may strive to improve their cybersecurity practices and reach higher levels, depending on their size, resources, and abilities.

The CMMC Levels

CMMC Level 1: Foundational

CMMC Level 1 enterprises are those practicing “basic cyber hygiene” to protect FCI as outlined in FAR, or federal regulation 48 CFR 52.204-21:

  • Limit information system access to authorized users, with processes acting on behalf of authorized users, or devices (including other information systems);
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
  • Verify and control or limit connections to and use of external information systems;
  • Control information posted or processed on publicly accessible information systems;
  • Identify information system users, processes acting on behalf of users, or devices;
  • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
  • Sanitize or destroy information system media containing Federal Contract Information before the media’s disposal or release for reuse;
  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
  • Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
  • Monitor, control, and protect organizational communications (such as information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
  • Identify, report, and correct information and information system flaws on time;
  • Provide protection from malicious code at appropriate locations within organizational information systems;
  • Update malicious code protection mechanisms when new releases are available;
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

CMMC Level 2: Advanced

A CMMC Level 2 organization has “good cyber hygiene” and may handle CUI.

Level 2 entities have a security plan for meeting NIST 800-171 requirements and other standards for mitigating threats. The plan may include “missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.” Since this level incorporates the former CMMC Level 3 requirements, there is a split in CUI handling between prioritized acquisitions and non-prioritized acquisitions. The details of this split are expected in upcoming rules.

Advanced CMMC certifications meet all 110 NIST SP 800-171 controls requirements, with the former 20 CMMC practices eliminated.

CMMC Level 3: Expert

The expert level combines former CMMC Level 4 and CMMC Level 5. The biggest additions to this level are a triennial government assessment (not one completed by C3PAOs) and additional controls met within NIST 800-172.

To be certified at CMMC Level 3, then, your organization must be entirely compliant with the more than 110 processes within both NIST 800-171 and NIST 800-172.

A Level 3 company’s security processes are standardized throughout the organization and include optimized practices to detect and respond to more sophisticated cyber threats such as advanced persistent threats (APTs).

CMMC Domains, Capabilities, and Practices

The CMMC addresses cybersecurity in 17 domains, each with associated capabilities; 43 in all.

  • Access control
    • Establish system access requirements;
    • Control internal system access;
    • Control remote system access;
    • Limit data access to authorized users and processes.
  • Asset management
    • Identify and document assets;
    • Manage asset inventory.
  • Audit and accountability
    • Define audit requirements;
    • Perform auditing;
    • Identify and protect audit information;
    • Review and manage audit logs.
  • Awareness and training
    • Conduct security awareness activities;
    • Conduct training.
  • Configuration management
    • Establish configuration baselines;
    • Perform configuration and change management.
  • Identification and authentication
    • Grant access to authenticated entities.
  • Incident response
    • Plan incident response;
    • Detect and report events;
    • Develop and implement a response to a declared incident;
    • Perform post-incident reviews;
    • Test incident response.
  • Maintenance
    • Manage maintenance.
  • Media protection
    • Identify and mark media;
    • Protect and control media;
    • Sanitize media before its disposal;
    • Protect media during transport.
  • Personnel security
    • Screen personnel;
    • Protect CUI during personnel actions.
  • Physical protection
    • Limit physical access.
  • Recovery
    • Manage backups;
    • Manage information security continuity.
  • Risk management
    • Identify and evaluate risk;
    • Manage risk;
    • Manage supply chain risk.
  • Security assessment
    • Develop and manage a system security plan;
    • Define and manage security controls;
    • Perform code reviews.
  • Situational awareness
    • Implement threat monitoring.
  • Systems and communication protection
    • Define security requirements for systems and communications;
    • Control communications at system boundaries.
  • Systems and information integrity
    • Identify and manage information system flaws;
    • Identify malicious content;
    • Perform network and system monitoring;
    • Implement advanced email protections.

Each domain and capability includes 171 best cybersecurity practices as well, divided among the three maturity levels.

CMMC vs. NIST 800-171

The CMMC is largely based on NIST SP 800-171, a lengthy and complex cybersecurity framework that, in turn, uses NIST 800-53 as its basis. In fact, the DoD intends to do away with the NIST certification requirement altogether when CMMC is fully implemented.

A few differences do exist between the two frameworks. NIST 800-171 was developed for non-federal information systems that support private enterprises; NIST 800-53 is intended for contractors that operate federal information systems on behalf of the government.

Under NIST 800-171, entities may perform their own compliance assessment. Getting CMMC certification requires a CMMC assessment by a C3PAO approved by the CMMC accreditation body.

Also, NIST 800-171 addresses 11 domains for which cybersecurity best practices are essential; CMMC 1.2 adds six more to the NIST 800-171 domains, for a total of 17:

  • Asset management;
  • Incident response;
  • Recovery;
  • Risk management;
  • Security assessment;
  • Situational awareness.

Also, NIST 800-171 lists controls, practices, and methods that apply to all organizations, while CMMC takes into account the maturity level, or posture, of an entity’s cybersecurity program. In doing so, it enables smaller entities to comply as they can with NIST 800-171 and pushes larger, more sophisticated, enterprises to greater sophistication and complexity.

CMMC also goes beyond NIST 800-171 by imposing more controls.

Of the 171 controls listed in CMMC, 46 come from sources other than NIST 800-171, including the Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), and the NIST Cybersecurity Framework (CSF).

NIST 800-172 is the list of supplemental regulations to NIST 800-171. Notably, it offers enhanced protections for CUI when:

  • Information lives off federal servers and systems;
  • When a contractor is not collecting information on behalf of a federal agency;
  • When there are not otherwise mandated information protections for a specific CUI category.

About CMMC Certification: What You Need to Know

Under CMMC, a qualified assessor – one accredited by Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) – must evaluate and certify your company’s cybersecurity maturity level.

But 300,000 assessments for the entire defense industrial base is a huge number. To help streamline the process, DoD suggests you complete a self-assessment before scheduling your CMMC assessment. Reciprocity ZenComply can do this for you with only a few clicks, conducting self-audits as often as you require and guiding you through the remediation process.

Conducting self-audits or self-assessments in advance will help you cut down on CMMC certification costs as well. No worries in this regard, however: If your contract requires CMMC, the DoD will reimburse your certification costs, including the costs you incur in meeting the requirements. Never before has the federal government helped to fund its contractors’ cybersecurity programs.

Two Assessments Required

CMMC Certification: How to Prepare

Beyond NIST 800-171 and NIST 800-172 compliance, CMMC requires conformity to other frameworks and regulations, too. The best way to prepare for your CMMC audit is to conduct an assessment for compliance with them.

Consulting with a firm that provides CMMC assessment or a C3PAO is a good idea. That agency or assessor can tell you precisely what your assessment will entail, and advise you on how to prepare. Acting now is the key to success.

CMMC Compliance Checklist and Steps

Step 1: Assess Your Needed CMMC Level

  • Using the DoD project RFP or RFI, determine the CMMC maturity level your organization needs to meet.
  • The maturity level you need depends on the type of information your organization will receive, process, or store and the contract for which you will bid. The DoD stipulates the CMMC maturity level needed in the RFP or RFI for eligible contracts.
  • Contact a C3PAO for information about other requirements you must meet to obtain your certification.

Step 2: Engage with Needed Frameworks

  • To be compliant with CMMC, you must comply with NIST 800-171, NIST 800-172, and other security frameworks and regulations. You must also acquire certification from a certified third-party assessor (C3PAO) attesting to the maturity level of your enterprise, or, depending on your maturity level, prepare for a triennial government assessment.

Step 3: Pay Fees By Deadline

  • The cost of CMMC compliance varies from organization to organization, depending on your cybersecurity posture and the maturity level for which you wish to achieve certification.
  • CMMC compliance is already required now for certain DoD contracts but all contracts will require certification by January 2026.

CMMC Audits: How to Be Prepared

A CMMC audit is an examination of your cybersecurity policies, procedures, processes, and controls to determine compliance with NIST 800-171, NIST 800-172, and other requirements. The extent of your audit will depend on the maturity level for which your organization wishes to be certified. Only a certified third-party assessment organization (CP3AO) is qualified to perform a CMMC audit.

The assessor will first speak with you to determine your needs and will request any documents required to evaluate your controls protecting FCI or CUI.

These documents may include diagrams of your environment, risk assessments, data from vulnerability scans, and a list of in-scope controls. Next, the assessor may evaluate your controls to ensure they’re working, and issue a report of findings. If you fail the audit, you will be able to correct deficiencies and try again.

Maintain CMMC Compliance with ZenComply

CMMC compliance is so complex, especially for organizations requesting certification for maturity Level 3, that using spreadsheets to track and document the process shouldn’t even be entertained.

A plethora of templates, frameworks, and other tools are publicly available to help you with CMMC and NIST 800-171 compliance and are a good place to start. Or you could relax and let quality governance, risk, and compliance software such as Reciprocity ZenComply do the heavy lifting for you.

Reciprocity’s ZenComply has everything you need to comply with NIST 800-171 and CMMC. Our user-friendly software uses color-coded dashboards to show where you’re compliant and where you fall short and tells you how to fill gaps.

ZenComply tracks your workflows so you always know the status of each compliance task, generates surveys for your vendors to track their compliance, and compiles their responses.

ZenComply also conducts unlimited, in-a-click self-audits so you can be ready for your C3PAO assessment. Using our ZenConnect plugin, it integrates with all your workplace applications to collect evidence for your CMMC audit and keeps them in a “single source of truth” repository for easy retrieval.

If you’re handling FCI or CUI for DoD projects and want to be assured of keeping your lucrative contracts, you’re going to need a high-tech solution to juggle all the many tasks involved – all so you don’t have to. Your worries allayed, you’ll be free to focus on keeping your business safe and secure.

Worry-free CMMC compliance is the Zen way. Contact us today for your free consultation.