If your firm is a government contractor working with the U.S. Department of Defense, or works anywhere in the DoD supply chain, brace for big changes in the cybersecurity requirements your business will need to meet.

By 2026, the Defense Department will require its contractors to comply with new cybersecurity standards known as the Cybersecurity Maturity Model Certification — CMMC, for short. Those new standards will be substantially different from existing cybersecurity standards established by NIST, the National Institute of Standards and Technology.

That shift from NIST standards to CMMC will affect more than 300,000 companies that are part of the DoD supply chain somehow. This guide compares the CMMC and NIST frameworks, and explains why defense contractors and others need to be aware of the change to come. The migration to CMMC will happen slowly, but the new model will be part of all defense contracts by 2026. So this isn’t something that can be ignored.

What is the NIST cybersecurity framework and when was it established? 

The NIST cybersecurity framework was released in 2014. The framework actually exists as several versions, and you’ll often hear the framework called by those version numbers: NIST 800-171 or NIST 800-53, for example. In our post today, we’ll simply refer to all of them collectively as “the NIST cybersecurity framework.”

The framework was developed by private and public contractors and other cybersecurity stakeholders; and it established cybersecurity standards across industries so all business parties could “speak the same language” while trying to protect sensitive data. The framework was so well received that it was ratified when Congress passed the Cybersecurity Enhancement Act of 2014, and also became a frequently applied international standard. 

According to NIST’s website, companies such as JP Morgan, Boeing, and Microsoft use the NIST cybersecurity framework to protect against cyber threats, help identify specific areas of risk in their information systems and networks, and generally keep their cybersecurity standards current. The NIST cybersecurity framework establishes standards for cybersecurity practices and requirements, yet it’s important to remember that compliance is voluntary. 

What is CMMC and when was it established? 

The Cybersecurity Maturity Model Certification (CMMC) was created by the Defense Department and released in early 2020. The focus of CMMC is better protection of what’s called “controlled, unclassified information,” or CUI. That includes data generated by a government agency (tax or permitting information, for example), as well as immigration, export, nuclear and law enforcement records, just to mention a few examples.

In the fall of 2020 the Defense Department began asking some of its contractors to provide CMMC documentation, but it will still be several more years before the DoD requires CMMC compliance as a standard part of all its contracts. The goal is universal CMMC compliance by 2026.

What are the biggest differences between CMMC vs NIST compliance? 

The biggest difference is that CMMC uses a maturity model — levels of cybersecurity sophistication that contractors may qualify for via a third-party review. Think of the maturity model as a set of tests, where you must pass one maturity test before you can proceed to the next maturity level. (Akin to college courses, where you need to pass Physics 101 before you can take Physics 201.)

CMMC has five maturity levels:

  • Level 1. This is the lowest level, a set of basic cybersecurity requirements and expectations. This level focuses on protecting federal contract information (FCI) as well as controlled unclassified information (CUI), through basic computer hygiene. Processes are performed but not documented by the contractor. 
  • Level 2. Cybersecurity requirements are met, measured, and documented to show that the contractor is implementing CMMC. This is an intermediate level where contractors begin to document their processes. 
  • Level 3. Cybersecurity practices are actively managed and assessed to show compliance. The contractor must present a CMMC implementation plan (complete with staff training programs and milestones) to show that CMMC cybersecurity compliance has been reached. 
  • Level 4. This level includes a requirement that subcontractors review their practices and measure whether they meet required levels of cybersecurity, and that they can take appropriate action if those measures fall short. 
  • Level 5. This is the highest level of CMMC compliance, where contractors are expected to adhere to CMMC Level 5 standards in all departments and every process. 

Why is CMMC more secure than NIST?

CMMC is more rigorous than NIST in several ways. 

First, compliance with the NIST cybersecurity framework is voluntary. By 2026, CMMC compliance will be required of all Defense Department contractors. That change alone will boost cybersecurity, because every contractor will need to obtain CMMC accreditation for a maturity level that matches the sensitivity of the data handled. 

This means contractors with weak cybersecurity standards — weak enough to leave DoD data at risk — will no longer be allowed to handle sensitive data until they upgrade their cybersecurity to an appropriate CMMC level. 

Second, to obtain CMMC accreditation, a contractor must work with the CMMC Accreditation Body (CMMC-AB), which is an independent group of third-party assessment organizations (C3PAOs) that review each contractor before a CMMC maturity level is assigned.

Third-party review helps ensure strict adherence to CMMC. Contractors found to be in noncompliance won’t be able to retain their contracts. 

Only C3PAOs that are accredited by the CMMC-AB can perform CMMC assessments. The system is organized in such a manner that a defense contractor can move up through the levels from one to five, if that contractor has a good plan of action and meets expectations at each maturity level. 

Is CMMC certification free? 

No, it’s not. The cost fluctuates depending on the desired maturity level, the complexity of the processes that the specific contractor is seeking to perform, the size of the company, and other market forces. 

Once a contractor is CMMC certified, the certification process must be repeated every three years. 

What businesses or organizations would need to comply with CMMC?

If your company holds a Defense Department contract, or is part of the supply chain for such a contract, then you should apply for CMMC accreditation. By some estimates, the migration from NIST to CMMC is expected to affect more than 300,000 businesses. 

CMMC certification will be required for all organizations that are part of the Defense Industrial Base (DIB), including companies that provide legal, statistical or tax services to the government. CMMC certification aims to provide better protection of controlled unclassified information — but even companies that don’t manage or produce CUI, but do hold federal contracts, will be required to meet CMMC Level 1. 

Can I get a DoD contract without being CMMC compliant?

Right now, at the beginning of 2021, the answer is still yes; most contractors don’t need to demonstrate compliance with CMMC yet. But the Defense Department will sweep more and more contractors into CMMC compliance with every passing year, until all contractors will need to be CMMC compliant by 2026. 

This all means that if your line of business falls within the defense industrial base, you’ll need to be CMMC-compliant soon enough. The sooner you achieve compliance, the easier it will be for you to keep bidding on DoD contracts. (The good news is that every DoD request for proposals will specify which level of CMMC accreditation a contractor will need to have to be eligible to bid on the project.) 

How soon must my business be compliant with CMMC?

The Department of Defense is planning a slow rollout of CMMC requirements over the next five years, culminating with full compliance by 2026. 

What happens if we are not compliant with CMMC?

Companies that aren’t in compliance with CMMC will have an increasingly difficult time competing for DoD contracts, until they become ineligible by 2026. 

Here’s a great list of answers to key questions that may help determine where your company falls in the CMMC certification process. 

Cybersecurity and compliance management tools

Achieving CMMC compliance will be an onerous task. Compliance officers will need to conduct extensive risk assessments; remediate any number of controls; introduce new policies and procedures; and document all manner of the work you do. 

ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.
