What is the CMMC Standard?
The CMMC certification methodology was developed by the Department of Defense (DoD) to ensure that contractors have safeguards in place to secure sensitive data, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC provides a structured approach to assess and certify the cybersecurity practices of organizations, ensuring they meet specific security requirements. It is a mandatory standard for companies wishing to bid on DoD contracts involving sensitive information.
The DoD introduced CMMC 2.0 in November 2021, simplifying the original framework by replacing the five-level model with three levels of cybersecurity maturity. This update followed an internal review of the program, which included over 850 public comments to improve clarity and implementation.
In October 2024, the DoD published the final rule for CMMC 2.0, solidifying its structure and requirements. This rule clarified assessment types, introduced a phased implementation plan, and set December 15, 2024 as the effective date for the updated framework. The changes aim to ensure consistent application of cybersecurity practices across the Defense Industrial Base (DIB) while providing flexibility for contractors through self-assessments and Plans of Action and Milestones (POA&Ms) where applicable.
The CMMC 2.0 framework consists of three levels of cybersecurity maturity, each building upon the previous level, and aligning with NIST SP 800-171 and NIST SP 800-172.
What Changes in CMMC V2.0?
- Three levels instead of five levels
In the previous model (V1.02), there were five maturity levels; however, the new model has only three.
Levels 2 and 4 were eliminated from the new model. Level 1 remains unaltered and still includes 15 basic cybersecurity practices, which correspond to FAR 52.204-21.
The former Maturity Level 3 has been replaced with the new Maturity Level 2, which aligns with the 110 practices from NIST SP 800-171.
Level 3 is based on the practices outlined in NIST SP 800-171, with additional advanced practices from NIST SP 800-172 to address persistent threats. It replaces the previous Maturity Levels 4 and 5.
- Plan of Action and Milestones (POA&M)
The DoD now accepts Plan of Action and Milestones (POA&M) reports as part of the certification process. A POA&M is a documented plan that outlines how an organization will address any unmet cybersecurity requirements. This flexibility enables contractors to begin work on certain contracts even if they have not fully implemented all required practices, provided they have a clear and actionable plan to close these gaps within specified timeframes.
However, not all gaps are eligible for inclusion in a POA&M. CMMC High Priority Requirements must be fully implemented before certification can be granted. The use of POA&Ms provides a phased approach to compliance while ensuring that contractors prioritize critical security measures for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Assessment for Organizations
Level 1 certifications are now subject to self-assessments.
For Level 2, contractors handling non-critical CUI may also use self-assessments. However, those handling critical CUI (related to national security) will need third-party assessments conducted by accredited C3PAOs (Certified Third-Party Assessment Organizations).
Level 3 certification will be assessed by government officials, most likely through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
What are the requirements for CMMC?
- Level 1 – Foundational:
  - Designed for contractors handling FCI.
  - Includes 15 basic cybersecurity practices such as access control and incident response, based on FAR 52.204-21.
  - Requires annual self-assessments uploaded to the Supplier Performance Risk System (SPRS).
- Level 2 – Advanced:
  - Applies to contractors handling CUI.
  - Requires compliance with 110 practices aligned with NIST SP 800-171.
  - Divided into two pathways:
    - Self-Assessment Pathway for non-critical CUI contracts.
    - Third-Party Assessment Pathway for critical CUI contracts, conducted every three years by a C3PAO.
- Level 3 – Expert:
  - For organizations handling the most sensitive information.
  - Requires compliance with 110 practices aligned with NIST SP 800-171 plus 24 advanced practices aligned with NIST SP 800-172 to address persistent threats.
  - Requires government-led assessments by DIBCAC.
Why should you be CMMC compliant?
For businesses that wish to work with the US Department of Defense, CMMC is a new prerequisite. It requires verification of contractor security and demands that every company in the supply chain apply the same diligence to its own partners.
The CMMC serves as a verification that DIB organizations are using acceptable cybersecurity policies and procedures to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their unclassified networks.
Non-compliance will hurt your company’s profit margins, as contractors who do not pass the certification will be unable to bid on DoD projects.
How to achieve CMMC certification?
Companies that need to comply with CMMC will find it highly beneficial to utilize the Centraleyes automated GRC platform.
Through the Centraleyes platform, organizations can gain full visibility into their cyber risk levels and compliance status. The platform features an integrated CMMC questionnaire with an intuitive follow-up system to help track and remediate vulnerabilities, streamlining the path to compliance. Additionally, it provides the option to download POA&Ms. The SSP required for SPRS submission is automatically generated, and the scoring for SPRS is calculated automatically by the platform.