By the year 2026, organizations wishing to do business with the Department of Defense (DoD) must have Cybersecurity Maturity Model Certification (CMMC). The new CMMC framework applies to all prime contractors and subcontractors in the Defense Industrial Base (DIB), which consists of more than 300,000 organizations.
What is CMMC?
CMMC is a coordinated response to persistent attacks on the DoD supply chain, an attractive target for bad actors seeking defense-related, controlled unclassified information (CUI).
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) and other institutions developed CMMC to combine cybersecurity best practices and processes from NIST SP 800-171,and other standards and organizations, into one cohesive model.
In November 2020, the DoD issued an interim rule that amended the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC and added DFARS clause 252.204-7021, which sets forth CMMC’s requirements.
CMMC preparation can take several months. So, contractors should not delay in getting started on their certification journey. A qualified consultant can recommend best practices to facilitate compliance and minimize costs.
Once obtained, a contractor’s CMMC certificate is valid for three years. OUSD A&S maintains a CMMC FAQs page that provides more information and the latest developments.
The 5 Levels of CMMC
CMMC is a tiered model of five levels, each corresponding to a specific degree of cybersecurity maturity. The DoD is authorized to require multiple levels for a prime contractor and the subcontractors in their supply chain. Detailed information about the five levels is available here, but we’ve summarized them below:
| Level | Process | Practice |
| 1 | Performed | Basic cyber hygiene |
| 2 | Documented | Intermediate cyber hygiene |
| 3 | Managed | Good cyber hygiene |
| 4 | Reviewed | Proactive cyber hygiene |
| 5 | Optimized | Advanced/progressive cyber hygiene |
Independent Assessors are Required for Certification
Defense contractors must engage a CMMC Third-Party Assessment Organization (C3PAO) to certify their company’s cybersecurity standing at the appropriate level.
The DoD engaged the non-profit CMMC Accreditation Body (AB) to accredit C3PAOs independently. Before conducting CMMC assessments, C3PAOs must achieve CMMC Level 3 certification because assessment results require the same safeguarding as CUI.
More information about becoming a CMMC Certified Supplier is available on the CMMC AB’s website.
Contractors See Opportunities for Growth
Participants in the CMMC Certification Preparation Study consisted of a cross-section of 130 contractors in the DIB.
Across the board, 81 percent of respondents agree with the initiative’s goal to safeguard sensitive information, and 44 percent expect growth opportunities due to certification. In addition, 68 percent feel that taking swift action will give them an edge over competitors.
However, the study also highlight several potential complications.
A single DoD contract can require multiple levels of certification, complicating implementation for prime contractors and the subcontractors in their supply chain. Complications arising from the certification process could cause some contractors to exit the DIB, disrupting the supply chain.
Having enough C3PAOs to complete the inspections is crucial to the program’s success, and licensing new ones will need to keep up with the demand.
More than 75 percent of respondents in the CMMC study aim for Level 3 certification or above, indicating that contractors might need more guidance to know which CMMC level is appropriate for their organization.
Our Team Can Help
As a C3PAO and a Registered Provider Organization (RPO), MBL Technologies can help your organization achieve CMMC compliance through our advisory, remediation, and assessment services.
