
CMMC

CMMC (Cybersecurity Maturity Model Certification) is a unified cybersecurity standard developed by the US Department of Defense that requires defense contractors to implement specific security practices and undergo third-party assessments to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

CMMC was developed to address the increasing cybersecurity threats targeting the Defense Industrial Base (DIB) and the inconsistent implementation of security requirements by defense contractors. Previously, contractors self-attested to their compliance with NIST SP 800-171, which left gaps between claimed and actual security posture. CMMC replaces this self-attestation model with verified assessments.

CMMC 2.0, finalized in late 2024, streamlined the original five-level model into three levels. Level 1 (Foundational) requires basic cyber hygiene practices and allows self-assessment for contracts involving only FCI. Level 2 (Advanced) aligns with the 110 controls in NIST SP 800-171 and requires third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for contracts involving CUI. Level 3 (Expert) aligns with a subset of NIST SP 800-172 enhanced security requirements and requires government-led assessments.

The certification requirement is being phased into Department of Defense contracts through a four-phase rollout. Once fully implemented, contractors will need to achieve the appropriate CMMC level before being awarded contracts that involve CUI or FCI. This applies to all organizations in the defense supply chain, including subcontractors.

Achieving CMMC compliance requires organizations to develop and document a System Security Plan (SSP), implement required security controls, create a Plan of Action and Milestones (POA&M) for any gaps, and undergo assessment. The cost and timeline for achieving compliance can be significant, particularly for small and medium-sized businesses in the defense supply chain.

Related Terms

compliance, defense, DoD, CUI
