CMMC

Cybersecurity Maturity Model Certification (CMMC) often gets framed as a mandatory hurdle for Department of Defense (DoD) contracts, but that view misses the larger picture. In a threat environment where one compromised subcontractor can disrupt an entire program, the CMMC 2.0 framework serves as a blueprint for operational discipline and long-term viability.

Many contractors approach CMMC compliance like a box-checking event instead of an ongoing discipline, and that mindset often leads to outdated evidence, neglected controls, and avoidable surprises when an audit begins.

True CMMC alignment shifts security from reactive remediation to proactive risk reduction, protecting Controlled Unclassified Information (CUI) and supporting sustained profitability in the Defense Industrial Base (DIB).

In This Article: How CMMC 2.0 builds on NIST 800-171 to protect CUI across the defense supply chain, why static compliance fails under C3PAO and DIBCAC scrutiny. The legal and financial consequences of misrepresented cybersecurity posture, and how continuous monitoring and disciplined control implementation strengthen long-term contract eligibility within the Defense Industrial Base.

Understanding the Core of CMMC (Beyond the Levels)

CMMC is often reduced to a discussion about “what level do we need,” yet that framing overlooks its real purpose.

The NIST 800-171 Foundation

CMMC is not a parallel security universe; it is the DoD verification mechanism for confirming that contractors protect federal information at the level required by their contracts.

For Level 2, the technical foundation remains the 110 security requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 Rev. 2, assessed using NIST SP 800-171A-based procedures and the official DoD Level 2 Assessment Guide.

These requirements extend to nonfederal systems that handle CUI through processing, storage, or transmission, as well as any systems responsible for protecting those functions. That distinction matters because CUI protection isn’t limited to one server or enclave. It extends across users, vendors, cloud services, and supporting infrastructure.

When we conduct readiness reviews, scoping conversations often reveal that CUI flows farther than leadership realized. Correcting that early prevents unnecessary cost and audit friction later.

Institutionalizing Cyber Hygiene

CMMC 2.0 removed the old maturity processes from version 1.0; however, Level 2 still requires contractors to demonstrate that controls operate as part of normal business activity. Assessors capture findings at the assessment-objective level; a single unmet objective can cause an entire requirement to fail.

Security cannot live in a binder. You must be able to show that least privilege is enforced, multifactor authentication works, logs are reviewed, vulnerabilities are remediated. Incident response plans are exercised. That is the difference between policy statements and operational cyber hygiene.

Why the “Checkbox Mentality” Fails Contractors

Many contractors believe that passing an assessment equals being secure. That assumption creates risk; compliance documented once and left unattended quickly erodes under real-world operational pressure and shifting threat activity.

False Sense of Security

A system may look fully compliant in documentation while still containing real vulnerabilities when examined under actual operating conditions.

The DoD Office of Inspector General (OIG) reported in 2022 that assessed contractors didn’t consistently implement required controls for protecting CUI, with findings including weak password practices, unencrypted devices, and insufficient monitoring (DoD OIG, 2022).

Continuous monitoring separates active security from static documentation. Factors such as vulnerability management, privileged access review, encryption verification, and evidence freshness determine whether your controls actually reduce risk.

The Risk of Decertification

CMMC status is not permanent. Under the final rule, contractors must maintain the required level for the life of the contract and submit annual affirmations in the Supplier Performance Risk System (SPRS). Contracting officers are directed to verify their current status before award, option exercise, or extension.

Failure at a CMMC Third-Party Assessment Organization (C3PAO) assessment can delay eligibility. Level 2 allows conditional status with time-bound Plans of Action and Milestones (POA&Ms) in certain cases, but those POA&Ms must close within 180 days. Level 1 does not permit POA&Ms, and any lapse in your self-attested status can affect your eligibility for contracts that require Level 1 compliance.

At higher levels, government-led assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) introduce an additional layer of oversight beyond standard review processes.

The Cost of Inaction

Cyber risk now intersects directly with legal risk. The Department of Justice (DOJ) Civil Cyber-Fraud Initiative uses the False Claims Act to pursue contractors that knowingly misrepresent their cybersecurity posture.

The financial exposure extends beyond contract loss. According to the International Monetary Fund’s April 2024 Global Financial Stability Report. The risk of extreme losses from cyber incidents continues to increase, with such losses potentially causing funding problems for companies and even jeopardizing solvency. The size of extreme losses has more than quadrupled since 2017 to $2.5 billion, and indirect losses, including reputational damage and security upgrades, run substantially higher (International Monetary Fund, 2024).

Strategic Benefits of a Strong Security Posture

Security investments tied to CMMC often get framed as cost centers. In practice, organizations that operationalize their controls gain measurable business advantages that extend well beyond audit readiness.

Competitive Advantage

Prime contractors must flow down CMMC requirements to subcontractors at the appropriate level. They are not supposed to share Federal Contract Information (FCI) or CUI with a partner that lacks the required status. Strong CMMC alignment becomes a trust signal. It tells primes that you are less likely to introduce program delays or data handling issues.

In proposal discussions, we regularly see primes ask detailed questions about CUI segmentation, multifactor authentication coverage, and Continuous Monitoring cadence. Demonstrable discipline strengthens your selection prospects.

Supply Chain Resilience

CUI seldom stays confined to a single organization. As it regularly flows through collaborative workspaces, shared storage systems, and third-party service providers.

When your controls operate effectively, you reduce risk for the entire team. That makes you a more attractive teammate for large-scale Government programs where supply chain stability matters.

Streamlined Operations

CMMC mapping often reveals inefficiencies in IT governance. Common findings during gap analyses include:

• Over-scoped environments that increase compliance cost
• Inconsistent asset inventories
• Fragmented incident response ownership
• Inactive accounts left enabled
• Patch management delays

Addressing these issues improves security and clarifies operational accountability. Many clients report that after tightening CUI scoping and control ownership, their environments are simpler to manage and audit.

How Vaultes Elevates Your Security Posture

As a Veteran-owned cybersecurity firm and accredited FedRAMP Third-Party Assessment Organization with CMMC specialization, we approach readiness with discipline. A meaningful gap analysis answers practical questions:

• What data qualifies as FCI or CUI in your environment?
• Which systems and vendors are truly in scope?
• Which NIST 800-171 requirements function effectively today?
• What evidence would an assessor expect right now?
• Which gaps require remediation versus time-bound POA&Ms?

As a result, organizations encounter fewer surprises during assessment while leadership gains greater confidence going into formal evaluation.

Continuous Monitoring

Static compliance creates risk drift. We help clients build managed environments where logging, vulnerability scanning, privileged access review, and encryption verification occur on a defined cadence.

The goal of this initiative is simple: you should be ready on an ordinary Tuesday, not scrambling right before assessment week.

Expert Guidance Across Mandates

Federal contractors rarely deal with one framework in isolation. CMMC intersects with Federal Risk and Authorization Management Program (FedRAMP) requirements, NIST 800-53 control baselines, and broader Governance, Risk & Compliance expectations.

Our experience across CMMC assessments, FedRAMP advisory work, and NIST alignment allows us to translate overlapping mandates into a coherent operating model.

Preparing for the Future of Federal Contracting

CMMC is the new normal for organizations handling CUI within the Defense Industrial Base. Contractors who adopt it as a security philosophy build disciplined environments that support growth, while those treating it as a chore often struggle to maintain eligibility and confidence.

If you’re ready to convert CMMC compliance from a burden into a strategic asset, schedule a consultation with Vaultes today. We evaluate your current security posture, define the most practical path forward, and help reinforce the foundation needed to support stronger resilience over the long term.

For many defense contractors, CMMC feels like just another compliance hurdle. But the Cybersecurity Maturity Model Certification is more than a checkbox. It’s a framework that protects your business, strengthens your security posture, and keeps you competitive in the defense marketplace. Here’s what you actually get out of it.

It’s Required to Win DoD Contracts

The most straightforward benefit? Without it, you can’t work. If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC certification is now a prerequisite for bidding on and winning DoD contracts. Unlike the previous self-attestation model, CMMC requires independent, third-party validation.

Without certification, you risk losing contract eligibility, missing renewals, and even being removed from subcontractor roles. Simply put: no CMMC, no DoD work.

It Protects You from Real Cyber Threats

Defense contractors are high-value targets. Nation-state actors, ransomware groups, and intellectual property thieves actively go after companies in the defense supply chain and the government data you handle makes you even more attractive. CMMC isn’t just compliance – it’s operational protection.

Achieving certification means your organization has implemented:

• Access controls to limit who can reach sensitive data
• Encryption to protect CUI at rest and in transit
• Network monitoring to detect suspicious activity
• Incident response procedures to act quickly when something goes wrong

Prime Contractors Are Already Requiring It

Even if a specific contract hasn’t mandated CMMC yet, prime contractors are increasingly enforcing flow-down cybersecurity requirements on their subcontractors. If you want to stay in the supply chain, regardless of your company’s size, meeting CMMC standards is quickly becoming the cost of doing business.

It Reduces Legal and Financial Risk

Failing to protect CUI carries serious consequences beyond losing a contract. Companies that mishandle sensitive government information can face contract termination, False Claims Act liability, significant reputational damage, and costly breach recovery. A formal CMMC assessment validates that your controls are in place. That validation matters when it comes to demonstrating due diligence.

It Strengthens Your Competitive Position

Certification isn’t just about staying eligible, it’s also a differentiator. Companies with CMMC certification stand out in competitive bids, demonstrate a mature cybersecurity posture, and build trust with federal customers. For small and mid-sized contractors especially, certification can be the edge that wins work.

So When Should You Get Certified?

The short answer: now. If you work with the DoD, plan to bid on DoD contracts, or handle CUI, you should be preparing today. Certification can take several months, and waiting until it’s written into a contract can create costly delays or put your eligibility at risk. If you’re already complying with NIST SP 800-171, CMMC Level 2 is likely your next step.

Vaultes is an authorized C3PAO with deep experience in security assessment. Whether you’re starting from scratch or ready for your formal evaluation, we’re here to help you get certified and stay competitive.

Cybersecurity Maturity Model Certification (CMMC) is a framework that was developed by the Department of Defense to protect Federal Contract Information and Controlled Unclassified Information at every step in its supply chain. The main objective of the CMMC framework is to assist organizations in determining whether their current cybersecurity practices are secure and efficient. The CMMC certification process allows organizations to identify security gaps and find better ways to optimize their processes.

When the rulemaking is finalized, all government contractors working on defense-based contracts must achieve a CMMC certificate at a specified level, as determined by the type of data in which your organization comes in contact. Most companies that require a Level 2 certification and all companies that require a level 3 certification will require an audit from a CMMC-Certified Third-Party Assessment Organization, or C3PAO.

A C3PAO it has gained authorization from the Department of Defense and the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) to perform official assessments of the maturity level and cybersecurity environment of organizations contracting with the Department of Defense.

Organizations requiring Level 2 and Level 3 certifications are required to work with accredited C3PAOs to prove they are compliant with a specific CMMC level prior to gaining certification. Furthermore, companies requiring Level 3 certification will undergo a joint assessment between a C3PAO and the Department of Defense in order to protect the information most sensitive to national security.

IT companies must undergo a rigorous CMMC-AB certification process to become a C3PAO. Those that are approved have the authorization to audit organizations that are applying for a CMMC certification to verify they have implemented effective cybersecurity controls and sufficient security to protect highly sensitive data.

A Memorandum Of Understanding that was signed by the CMMC-AB in 2020 states that the Department of Defense will only work with those organizations that have been certified by an official C3PAO or an assessor accredited by the CMMC-AB. Every Defense Industrial Base organization will be required to obtain at least CMMC Level 1 in order to fulfill its contractual obligations with the Department of Defense.

Selecting The Right C3PAO

Successfully achieving the required Cybersecurity Maturity Model Certification depends on two main factors: the organization’s capability of integrating the required cybersecurity practices into its culture and the selected C3PAO’ss ability to help attain this goal.

Therefore, it is essential to take the time to choose a C3PAO carefully. Although the budget is often a primary concern for contractors, there are many other factors that must also be weighed when deciding on an assessor organization. Outlined below are some of the most important considerations when selecting a CMMC Third-Party Assessment Organization.

Choose An Assessor Who Has A Cyber Security Background

Contractors should look for an assessor who has a strong background in cyber security. Some general IT services companies have made the effort to acquire C3PAO certification, but it is best to opt for a cybersecurity specialist business that has the right skills and knowledge to deliver the certification in the most efficient manner possible.

Companies dedicated to cybersecurity will work with specialist knowledge and experience in the broader application of cybersecurity, not only for the CMMC certification but for the organization as a whole. This means they will likely be more effective at analyzing gaps in the contractor’s security and will have a greater understanding of how the needs of the Department of Defense and the contractor can both be met efficiently. They can also help an organization to improve its processes and introduce any protocols necessary to enhance threat detection and cyber attack prevention.

Hire A C3PAO That Communicates Well

When interviewing potential C3PAOs, it is important to note how well they communicate. CMMC regulations are complex and highly technical, and many contractors struggle to understand the details. Choosing an assessor who explains processes and terminology clearly and patiently will lead to a better experience overall. This is particularly important when it comes to understanding the maturity level that the contractor must achieve, as there may be a lot of back-and-forth communication during this stage regarding the type of data in the contractor’s environment and information about how and where it is stored.

Consider Their Knowledge Of Other Frameworks

Another quality that contractors should look out for in assessors is previous experience with the specific frameworks that the CMMC model is based upon. These are the NIST 800-171 and the Defense Federal Acquisition Regulation, or DFARS.

Although the CMMC model takes some of its aspects from other frameworks and regulations, experience with NIST 800-171 and DFARs are the main regulations to look for. This type of background knowledge will make an assessor better informed on how to help a contractor meet the relevant requirements.

Look For Experience With Companies In The Contractor’s Industry

It is important for contractors to keep in mind that companies working in different industries are typically exposed to different types of threats and will therefore require different data protection measures. An assessor who has expertise in the contractor’s specific industry will generally have an easier time resolving the types of security problems that arise in that industry. Previous experience also makes it less likely that there will be misunderstandings or the assessor will overlook something important.

Consider How Many CMMC Assessments A C3PAO Has Completed

One good way of gauging a C3PAO’s competence when it comes to certifying and auditing organizations is its previous experience. C3PAOs that have completed a high number of CMMC assessments in the past will have the familiarity needed to get the task done quickly and correctly.

Choose An Assessor With A Well-Rounded Offering

Although it is essential for assessors to be able to provide contractors with assistance gaining CMMC certification, it is also important to choose an organization with a well-rounded offering that includes the following components:

CMMC Readiness Assessments

An initial readiness assessment is the best way to determine where an organization stands when it comes to CMMC compliance before the official assessment gets underway. A good C3PAO will offer a readiness assessment so they can gain a clearer picture of any new processes that need to be developed or implemented to help the contractor reach their compliance objectives.

CMMC Gap Assessments

After identifying a contractor’s CMMC readiness status, a gap analysis should be carried out to gain a deeper understanding of the cybersecurity practices they have in place that need to be improved. This assessment might also entail the implementation of new procedures and policies to help the organization be more competitive in its field.

CMMC Assessments

The CMMC assessment is the main process that will determine the contractor’s ability to win and retain contracts with the Department of Defense. All assessors will offer this component, which verifies that the organization is in full compliance with its targeted maturity level. The assessor’s official report will be submitted to the DoD. A C3PAO that has supported your organization with advisory or readiness services cannot also conduct your audit due to the conflicts of interest it would present.

CMMC Remediation Services

It is important to keep in mind that CMMC is a constantly evolving process, with the requirements changing periodically. Choose a C3PAO that offers assistance in remaining compliant with CMMC well beyond the original assessment and adapting to any changes to the regulations that are issued by the federal government in the future.

Look Into The Assessor’s Reputation

When hiring an assessor, it is important for contractors to consider their reputation. Asking for references and inquiring with them about their experience is one good way to assess their reputation. Obtaining C3PAO certification requires extensive training and vetting by the CMMC-AB, but there can still be significant variations in areas of expertise, company commitments, or levels of communication among assessment organizations, which you will want to verify through interviews or client recommendations.

Ask For Credentials

Organizations should ask to see the credentials of the staff members who will be performing their assessments and verify that they are current. A qualified and accredited C3PAO should be able to provide DoD clearances such as Department of Homeland Security Suitability and an active National Agency Check. Contractors may also find it beneficial if the assessor possesses additional credentials, such as Certified Information Systems Security Professional (CISSP) and Microsoft Certified Professionals.

Inquire About The Expected Delivery Time

Although it is best to avoid assessors who rush through the process, it is important to choose a professional who is able to help a contractor achieve compliance in a reasonable time frame. The quicker an organization can become certified, the faster they will be able to bid on new contracts with the Department of Defense.

Therefore, it is essential to discuss the delivery time with potential assessors and determine whether it is sufficient for providing an effective assessment and certification process while meeting any bidding and other DoD deadlines. The projected auditing schedule and the assessor’s current backlog will be major factors in this timeline.

Look For An Assessor Who Is Transparent About Pricing

Although price should not be the main consideration when choosing an assessor, it is nevertheless an important factor for many contractors. Therefore, it is essential to choose an assessor who is transparent about their pricing structure. C3PAOs are free to set their own assessment fees, and these will typically vary depending on the desired CMMC certification level.

These fees cover costs that the C3PAO is responsible for, such as time and labor for the highly-qualified personnel assigned to the engagement.The fees will generally also cover any travel associated with the certification process of your organization. .

Reach Out To The CMMC Compliance Audit Professionals At Vaultes

If you are unsure whether CMMC applies to your organization or the DoD has sent you a CMMC compliance request, get in touch with the cybersecurity consultants at Vaultes. As a certified C3PAO, we can offer CMMC assessments at all levels to a broad range of contractors. Our staff includes top assessors in the industry who possess the training and certification needed to carry out these essential certifications and other assessments that can bolster your organization’s cybersecurity.

As one of the first C3PAO candidates, we have the knowledge and experience needed to carry out CMMC readiness, gap assessments, and remediation services for the Defense Industrial Base and government contractors. Reach out today to discuss your needs and schedule an assessment.

In November 2021, the Defense Department’s unified cybersecurity program for contractors was overhauled, with many of the program’s elements streamlined to make the process easier to understand. Although the goals of the initial CMMC program were ambitious, implementing version 1.0 was expensive and resulted in many smaller businesses being forced out of the Defense Industrial Base (DIB).

The new model shows a refocusing on the Controlled Unclassified Information (CUI) that the Department of Defense has determined is critical to investing time and resources in protecting.

Although further changes are not out of the question, it appears that 2022 will largely be a year of realignment for contractors as well as those tasked with ensuring and assessing compliance.

Here is a look at the basics of CMMC certification and assessment in 2022.

Who Needs CMMC Certification?

The rules have not changed regarding who must obtain CMMC certification. Any company that works as a contractor or subcontractor with the U.S. Department of Defense (DoD) must prepare to meet the requirements of CMMC if they wish to bid on and win contracts.

In addition, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) that have clients who are part of the DoD supply chain and have access to their systems, network infrastructure or data will also need to uphold CMMC requirements.

For those further down the supply chain, the level of CMMC compliance needed will depend on how information flows from the prime contract to the third party.

All DoD contracts exceeding a micro-purchase threshold of $10,000 must have achieved CMMC certification by October 1, 2025.

What Level of CMMC Must I Meet?

The level of CMMC compliance an organization must meet is largely determined based on the amount of contact they have with Controlled Unclassified Information, or CUI, and the nature of that CUI. This may include things like:

• Weekly status reports
• Test reports
• Time – Compliant Technical Orders (TCTO)
• Program Protection Plans (PPP)
• Software source code
• Shipping locations

One important change to note is that CMMC 2.0 streamlines the model from five compliance levels to just three. The new model removes the previous Levels 2 and 4. CMMC Maturity Level 1 remains unchanged and still contains 17 practice requirements aligning with the 15 cybersecurity practices outlined in FAR 52.204-21.

However, the new Maturity Level 2 is replacing the previous Maturity Level 3 and will be aligned with the 110 practices outlined in NIST SP 800-171. The new Maturity Level 2 will no longer include the Delta 20 Practices.

The new Maturity Level 3, meanwhile, will take the place of the previous Maturity Levels 4 and 5 and is being developed based on a subset of NIST 800-172.

It is important to note that CMMC compliance does not have to extend to every element of the organization; it only needs to cover networks and information systems where CUI is created, processed, transferred or stored.

CMMC Assessments in 2022

The Department of Defense uses regular cybersecurity assessments of its contractors to gain assurance that all of the sensitive information that is shared with the Defense Industrial Base is sufficiently protected.

Here is what you need to know about CMMC assessments under CMMC 2.0.

Overview of Assessments

Under CMMC 2.0, tiered assessment requirements are used depending on the sensitivity of information that is shared with the contractor. Here is a look at who is responsible for assessments under CMMC 2.0:

• Contractors handling information that is deemed critical to national security and falling under Level 1 and a subset of Level 2 must perform annual self-assessments using clearly defined cyber security standards.
• Contractors who manage information considered critical to national security and falling under a subset of Level 2 must undergo third-party assessments.
• The most critical defense programs of Level 3 must undergo government-led assessments.

CMMC Self-Assessments

One of the most important changes in CMMC 2.0 is the changing of Level 1 certification, which covers basic cyber hygiene, to self-attestation, eliminating the need for undergoing outside assessments. Nevertheless, many contractors will still need to enlist the help of outside cyber security services to help them achieve compliance.

The Department of Defense sees Level 1, known as the Foundational Level, as a way of engaging contractors in developing or strengthening their cybersecurity approach. This level does not involve handling any sensitive national security information, so the DoD is now allowing companies to assess their own cyber security measures and introduce practices aimed at averting cyber attacks.

A subset of programs that have Level 2, or Advanced, requirements that do not involve information critical to national security, and their associated contractors, can also carry out self-assessments.

These self-assessments must be conducted on a yearly basis and carry affirmation from a senior official with the company that they are meeting the requirements. Companies will be required to register their self-assessments and affirmations in the Department of Defense Supplier Performance Risk System, or SPRS.

Third-Party Assessments

When CMMC 2.0 is fully implemented, contractors who fall under a subset of acquisitions that require Level 2 advanced cyber security standards because they handle information critical to national security must obtain third-party CMMC assessments.

The CMMC Accreditation Body, or CMMC-AB, will be in charge of accrediting CMMC Third-Party Assessment Organizations (C3PAOs) following their assessment from DoD. The accredited C3PAOs will be listed in the CMMC-AB marketplace.

Every organization that must meet these requirements is fully responsible for planning its assessment. Once it has been completed, the C3PAO will supply the Department of Defense with the assessment report.

Government Assessments

Organizations that must meet Level 3, or Expert, cyber security requirements must be assessed by government officials. The specific requirements are currently being developed.

Key Changes Introduced By The CMMC 2.0 Framework

Here is a look at some of the biggest changes that were introduced by the CMMC 2.0 framework.

Assessments

Under CMMC 1.0, all DoD contractors were required to undergo third-party assessments to assure CMMC compliance.

In CMMC 2.0, however, most contractors associated with the Foundational Level 1 and a subset of Advanced Level 2 programs will be permitted to carry out annual self-assessments using a self-assessment guide that is very similar to the NIST 800-171A.

Some experts have noted that contractors who do not have a strong security background will likely struggle to conduct the self-assessment on their own. Those with a lack of familiarity with cyber security may not be able to determine their boundary, implement the right controls and carry out a thorough self-assessment and will therefore need help from cyber security specialists.

In the self-assessment of a CMMC practice, there are one of three possible findings: Met, Not Met and Not Applicable. In order to demonstrate compliance with CMMC Level 1, contractors need to achieve a finding of either Met or Not Applicable on all of the Level 1 practices.

Not Applicable is appropriate when a practice does not apply for the self-assessment. For each practice that is marked as Not Applicable, a statement must be included explaining why the practice in question does not apply to this contractor. For example, SC.L1-3.13.5 could be considered Not Applicable if the contractor does not have any publicly accessible systems.

However, a portion of the Advanced Level 2 programs must undergo triennial third-party assessments. The Level 2 assessment guide is more complex and involved. Assessors and assessor organizations enlisted to support Advanced Level 2 companies receive their certifications and must be accredited by the CMMC-AB. Documentation and other types of proof will need to be presented by contractors to demonstrate that they are meeting security controls.

Meanwhile, Expert Level 3 programs need to undergo triennial assessments that are carried out by government officials. Further clarification is forthcoming, specifically regarding whether C3PAOs will assess the NIST 800-171 controls with the government-led portion being responsible for assessing the NIST 800-172 portion.

Assessment Ecosystem Oversight

Under CMMC 1.0, the Department of Defense reviewed CMMC-AB Conflict Of Interest policies. With CMMC 2.0 implementation, the DoD will approve CMMC-AB policies related to Conflict Of Interest that apply to the CMMC ecosystem.

Plans Of Action And Milestones (POA&Ms)

Before CMMC, organizations were allowed to delay their implementation of NIST 800-171 requirements if they were able to demonstrate that they intended to implement the controls on a specific date in the future. However, CMMC 1.0 took away the ability to have POA&Ms for practice requirements at the assessed maturity level.

With CMMC 2.0, POA&Ms are once again permitted on a limited basis. The highest weighted requirements on the SPRS point scale need to be fully implemented at the time of the assessment, however. The Department of Defense plans to publish a minimum SPRS score to support certification with POA&Ms.

This marks a retreat from the Pass Or Fail model used under CMMC 1.0 and allows organizations seeking certification the flexibility to pass certification assessments without implementing all of the required practices as long as they use POA&Ms that adhere to guidance that has yet to be issued.

Although this can be helpful in some circumstances, it is important to keep in mind that only a portion of the requirements will allow POA&Ms and it is unlikely to apply to the higher weighted requirements that tend to be the most difficult and expensive to implement.

Get In Touch With The Cybersecurity Professionals At Vaultes

Cyber security threats are constantly emerging and evolving, and it can be difficult for many Department of Defense contractors to stay on top of the latest compliance regulations.

At Vaultes Enterprise Solutions, our cyber security professionals are well-versed in the latest CMMC 2.0 requirements and can help your organization navigate the complex regulations in order to ensure compliance. We can review and explain the new policies to your organization and help you conduct a self-assessment or prepare for an official assessment to ensure that you will be able to maintain your government contract work under CMMC 2.0. Reach out today to discuss your organization’s needs.

The Cybersecurity Maturity Model Certification (CMMC) was created as a way to protect the defense industrial base from frequent, complex cyberattacks. The unified standard was initiated by the DoD in response to serious compromises of sensitive defense information that supports the warfighters.

Version 1.0 of the Cybersecurity Maturity Model Certification was released by the DoD on January 31, 2020. This highly-anticipated program was drafted with substantial input from the University Affiliated Centers and Federally Funded Research and Development Centers. Before the release of version 1.0, contractors were tasked with implementing, certifying and monitoring the security of their information systems, as well as sensitive information stored and transmitted on these systems.

On November 4, 2021, CMMC version 2.0 was released. Along with news of the release, a document was posted on the federal register that outlined several key points about DoD requirement modifications that differ from the first version. One of the biggest changes was the consolidation from 5 levels to 3 levels.

What Is CMMC Version 2.0?

The launch of CMMC 2.0 has arrived after an internal DoD review of the program that first started in March 2021. The new strategic direction was taken based on industry feedback of the interim DFARS rule. CMMC version 2.0 is expected to have a significant impact on the defense industrial base (DIB) and cause far-reaching implications across the CMMC ecosystem.

With the release of CMMC 2.0, it is clear that the cybersecurity compliance program has been pared down in both scope and expectations. Version 2.0 no longer requires every contractor to obtain third-party certification if they do not come in contact with controlled unclassified data. This is a major change that could ultimately decrease the cost of compliance for many contractors.

CMMC 2.0 is expected to significantly strengthen the cybersecurity of the DIB. These updates aim to support businesses in the adoption of cybersecurity practices needed to eliminate the barriers to compliance. Under the new CMMC model, the total number of security tiers has been reduced from five to three, and some novel maturity practices have been completely removed from the standard.

Defense contractors are most likely to feel the effects of CMMC version 2.0. However, they are not the only group that will be impacted by these changes. Consultants, accessors, trainers and many other cyber experts were expecting to help meet the demand of more than 300,000 defense contractors who currently conduct business with the DoD. With changes in version 2.0, the majority of contractors who do not work directly with sensitive programs will only be required to undergo level one assessment.

What are the 3 Levels of CMMC 2.0?

In CMMC version 1.0, levels 2 and 4 were developed as transition levels. Version 2.0 of the Cybersecurity Maturity Model Certification has done away with these two levels, leaving behind just three levels. These include:

Level 1 (Foundational Level)

Level 1 of CMMC 2.0 is referred to as the ‘foundational’ level. This level only applies to organizations that possess federal contract information (FCI). It does have similarities to level 1 of CMMC 1.0 and focuses on the protection of FCI to protect covered contractor information systems and to limit access to sensitive information by authorized users. CMMC 2.0 level 1 is based on a total of 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contract Information.

Level 2 (Advanced Level)

The second level of CMMC 2.0 is called the ‘advanced’ level and targets organizations that work with CUI. This level is comparable to level 3 of CMMC 1.0. CMMC 2.0 level 2 requirements include those found in NIST SP 800-171 but eliminate all maturity processes and practices that were unique to CMMC. Level 2 now aligns with 14 control families and 110 security controls that were developed by the National Institute of Technology and Standards (NIST) to keep sensitive information safe.

Level 3 (Expert Level)

The third and final level of CMMC version 2.0 is the ‘expert’ level. Level 3 focuses on decreasing the risk from Advanced Persistent Threats (APTs) and is suitable for organizations that work with high priority CUI, meaning it is critical to national security. This level is comparable to level 5 of CMMC 1.0. While the DoD continues to determine the specific security requirements for CMMC 2.0 level 3, it is expected that these requirements will be based on the 110 controls on NIST SP 800-171, as well as the subset of NIST SP 800-172 controls.

What Changes Occurred with CMMC 2.0?

The Department of Defense has stated that the rulemaking process is expected to take between nine and 24 months. Due to these ongoing rulemaking efforts, the DoD has temporarily suspended all mandatory CMMC certification and pilot efforts. During this time, the DoD will not approve the inclusion of any CMMC requirement until the rulemaking has been completed. Currently, the DoD is considering whether to provide contractors with incentives to voluntarily attain their required CMMC level before the completion of the rulemaking process.

Before getting started with CMMC 2.0 compliance, it is important to understand what changes have occurred since the first version’s release. Here is a look at these changes and the impact they have had on the industry.

Change 1: From 5 to 3 Compliance Levels

The most noticeable change of CMMC 2.0 is the simplification of the maturity model from five compliance levels to just three. Maturity level 1 remains unchanged with 17 practice requirements that reflect the cybersecurity practices found in FARS 52.204-21. CMMC level 2 takes the place of the previous level 3 but is absent of the delta 20 practices, which aligns this level with 110 practices of NIST SP 800-171. Level 3 takes the place of the previous maturity levels 4 and 5 but is still under development.

The biggest impact from the change from five to three compliance levels is the removal of the delta 20 practices from maturity level 2. The CMMC-AB assumed that the majority of organizations would not try to achieve maturity level 2 certification as this level was an intermediate step. The removal of delta 20 practices better aligns the requirements of handling CUI with the guidelines found under NIST 800-171.

Change 2: Elimination of All Maturity Processes

There were a total of five maturity processes in CMMC 1.0 that included performed, documented, managed, reviewed and optimized. In version 2.0, all maturity processes are eliminated. This previous criteria was one of the main challenges in achieving certifications due to the level of effort involved and the lack of guidance provided.

Change 3: Assessments for OSCs

The new maturity level 1 will allow for self-assessments by organizations seeking certification (OSCs). Certified third-party assessor organizations (C3PAOs) will be tasked with assessing a subset of OSCs that wish to acquire maturity level 2. However, level 3 assessments will be conducted by C3PAOs and the government. The government is expected to lead the 800-172 aspect with C3PAOs responsible for the 800-171 portion of the assessment.

This joint type of third-party assessments will only apply to OSCs that handle contracts with information that has been deemed critical to national security. The impact of this change is fewer third-party assessments and an increase in self-assessments. CMMC 2.0 ensures that the majority of the DIB will not have to pay to undergo a third-party assessment.

Change 4: Inclusion of POA&Ms

Organizations were once able to use a Plan of Action and Milestones, or a POA&M, to remediate certain findings while continuing on their path to certification. This was not the case with CMMC 1.0. However, the updated CMMC 2.0 announced it would allow for the allowance of time-bound, enforceable POA&Ms in support of CMMC certification, except for a small subset.

The impact of this change is more flexibility for OSCs to pass a certification assessment without having to implement all required practices perfectly. The only requirement for OSCs is that they use POA&Ms based on guidelines that have not been fully released yet.

Change 5: Waivers May Be Permitted

Unlike the original framework, CMMC version 2.0 may allow waivers of certification in very limited circumstances. The roll-out of the program over five years intended for an increasing number of contracts to have the DFARS clause. However, before an OSC could be awarded a contract with a CMMC DFARS clause, they would first need certification.

The impact of this change is a limited basis for mission-critical instances. With a waiver, an OSC would be excluded from CMMC 2.0 requirements. The DoD has expressed senior leadership reserves the right to grant waivers for mission-critical instances. Specifics are forthcoming and will be implemented as part of the rulemaking process.

Change 6: CMMC-AB Will Be an Accreditation Body

Under CMMC 2.0, the CMMC-AB continues to be the accreditation body for CMMC assessors, C3PAOs and CMMC Assessor Instructor Certification Organizations (CAICOs). However, the AB must first acquire compliance with the ISO/IEC 17011:2017 standard to accredit conformity assessment bodies, which are the C3PAOs. C3PAOs are required to comply with the Conformity assessment for inspection bodies, ISO/IEC 17020:2012.

Request a Consultation with the Experts at Vaultes

One of the most common questions regarding CMMC 2.0 is who needs this certification? Unlike CMMC version 1.0 which required all DoD contractors to have third-party assessments to meet compliance, version 2.0 assessment requirements are clearer and more simplified. Requirements are mostly based on the type of information that a DIB organization works with and how critical it is to national security.

Defense contractors who are interested in getting started with CMMC compliance should start by becoming familiar with the 110 controls in NIST 800-171. Preparation to meet these controls can be a lengthy process that varies greatly based on your current cybersecurity posture. For more information about the requirements for the three CMMC 2.0 levels, or how to prepare, contact the cybersecurity consultants at Vaultes online or over the phone at 202.868.8850.

Concerning changes in the cybersecurity landscape have put immense pressure on agencies to evaluate their security policies. Government contractors are highly vulnerable to cyberattacks as hackers aim to steal sensitive information and disrupt the delivery of public goods and services, as well as aiming to compromise the mission of the warfighter. The development of the Cybersecurity Maturity Model Certification (CMMC) aims to reduce these concerns by creating a standard for implementing cybersecurity practices in the Defense Industrial Base (DIB).

CMMC version 1.0 was released by the U.S. Department of Defense (DoD) on January 31, 2020. On November 4, 2021, the DoD announced that several changes have been made to the CMMC program. A new version of the program, known as CMMC 2.0, is a result of the DoD’s internal review of the program since its initial release, along with a review of more than 850 public comments.

DoD contractors working toward obtaining CMMC version 1.0 certification should also familiarize themselves with CMMC 2.0 changes. Learn more about the CMMC program and how changes in version 2.0 will impact cybersecurity requirements for contractors.

What Is Cybersecurity Maturity Model Certification?

The CMMC is a program initiated by the DoD to measure the capabilities, sophistication and readiness of its defense contractors’ cybersecurity. The CMMC framework refers to a group of processes and inputs from established cybersecurity standards, such as FAR, NIST and DFARS, and has a primary objective of improving the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

More than 300,000 companies currently exist in the DIB supply chain. CMMC was created in response to the substantial compromises of sensitive information found on the systems or networks of contractors. The certification applies to “prime” contractors who directly engage with the DoD, as well as subcontractors whose contracts with primes result in the fulfillment of contracts. In the coming years, new contracts will be issued with requirements at all levels of the maturity model.

The CMMC version 1.0 framework consists of five levels of preparedness, ranging from the lowest level (level 1) to the most advanced level (level 5). Here is a summary of these levels and what they include:

CMMC 1.0 Level 1

Level 1 of CMMC requires contractors to perform “basic cyber hygiene” practices, such as ensuring that employees frequently change their passwords or implementing antivirus software on office computers. Level 1 compliance requires contractors to protect FCI, or information not intended for public release. Process maturity is not assessed at Level 1 as organizations may only perform these practices when deemed necessary and may not have documentation.

CMMC 1.0 Level 2

Level 2 requires contractors to perform “intermediate cyber hygiene” practices. This level serves as a progression from Level 1 to Level 3 and includes a subset of security requirements that are specified in NIST SP 800-171, as well as other standards and practices. Since Level 2 is a transitional stage, some practices reference the protection of CUI.

CMMC 1.0 Level 3

Level 3 requires contractors to perform “good cyber hygiene” practices. Contracts that wish to establish Level 3 certification must create, maintain and resource a plan that demonstrates the management of activities for the implementation of practices. This plan may include details about goals, missions, resources, project plans, training and possible involvement of stakeholders.

CMMC 1.0 Level 4

Level 4 requires contractors to review and measure “proactive” practices for effectiveness. Organizations that reach this level can take corrective action when needed and inform management of problems that develop on a recurring basis. A company must have implemented practices for measuring the effectiveness of procedures in relation to advanced persistent threats (APTs).

CMMC 1.0 Level 5

Level 5 requires contractors to perform “advanced or proactive” practices to optimize implementation across the organization. This level focuses heavily on the protection of CUI from APTs. It includes additional practices that enhance the sophistication and depth of the business’s cybersecurity capabilities.

What Is CMMC 2.0 And What Does It Mean For Contractors?

The Cybersecurity Maturity Model Certification is a new requirement for DoD contractors. The maturity model was meant to replace the self-attestation model of the past and move to a third-party certification process. CMMC 2.0’s overhaul called for a hybrid approach meaning some contractors will self-attest while others that process, transmit, or store more sensitive information, will require a Certified Third-Party Assessment Organization (C3PAO) to verify the contractors’ cyber hygiene is commensurate with the associated risk. The CMMC 2.0’s new requirements were designed to help reach the main goals of the internal review. These goals include the following:

• Gain public trust by maintaining a high degree of professionalism and ethical standards
• Safeguard sensitive information to protect the warfighter
• Install a collaborative culture of cyber resilience and security
• Enhance DIB security to guard against evolving cyber threats
• Create accountability while helping to minimize barriers to compliance with DoD requirements

While CMMC 2.0 has been published, not all companies will have to comply with CMMC 2.0 right away. The Interim DFARS rule has developed a phase-in-period over five years in which CMMC compliance is only necessary for certain pilot contracts. Only once CMMC 2.0 has been codified through rulemaking will contractors be required to adhere to the revised framework.

There are several reasons why changes were made to the original CMMC framework. The DoD received more than 850 public comments from Congress, the industry and stakeholders in response to the interim rule. Many of these comments focused on the need to enhance certification by reducing costs, increasing trust in the assessment ecosystem, and aligning cybersecurity requirements to other federal standards and requirements.

Once CMMC 2.0 has been implemented, the DoD will specify what CMMC level organizations will need to meet for a contract. Self-assessments, associated with CMMC Levels 1 and 2, will be required on an annual basis. Government-led and third-party assessments, associated with some CMMC Level 2 and all of Level 3, will be required on a triennial basis. CMMC assessments will be accepted only by accredited and authorized C3PAOs or certified CMMC accessors.

The cost of CMMC certification is based on a variety of factors, such as the CMMC level that the business is striving for, the complexity of the business’s unclassified network and various market forces. A new cost estimate for CMMC 2.0 will be developed by the DoD to account for all changes made to the program.

What Are The Differences Between CMMC 1.0 And 2.0?

The DoD has announced several changes to CMMC 1.0 that aim to streamline the model, provide a more flexible implementation and reduce assessment costs. Some notable differences seen in CMMC 2.0 include:

• The number of assessment levels is reduced from 5 to 3
• Oversight of third-party assessors is increased
• The number of required security practices is reduced
• Self-assessment is available at Levels 1 and 2 if the contractor does not handle “critical national security information”
• Required practices align with cybersecurity standards issued by NIST
• Timeline for compliance is altered and estimated to be between 9 and 24 months
• Plans of Actions & Milestones (POA&Ms) and waivers are allowed under certain conditions

With CMMC 2.0, contractors will be permitted to enter contracts with a POA&M to complete CMMC requirements. Contractors must meet a number of mandatory controls to be awarded a contract, with possible additional goals that would need to be completed within a specified timeframe.

As noted above, CMMC 2.0 contains just three levels compared to the five found in version 1.0. These levels include the following:

CMMC 2.0 Level 1

Level 1 of CMMC 2.0 will include the same 17 controls found in version 1.0 Level 1, which includes a limited subset of NIST 800-171. This only applies to businesses that handle FCI. CMMC 2.0 Level 1 is considered a foundation level and an opportunity for contractors to develop and strengthen their cybersecurity posture. Level 1 of CMMC 2.0 is achievable via self-assessment.

CMMC 2.0 Level 2

Level 2 of CMMC 2.0 consists of the 110 controls of NIST 800-171. This level will be divided based on the sensitivity of the information stored by the contractor. Contractors that are deemed to store CUI identified as “Critical National Security Information” will be required to have a third-party assessment every three years. For some contractors, an annual self-assessment may be sufficient.

CMMC 2.0 Level 3

The third and final level of CMMC 2.0 is still under development. However, it is believed that this level will contain more than 110 practices based on NIST 800-171. One of the biggest differences between CMMC 1.0 and CMMC 2.0 is that assessments at Level 3 are government-led. It is currently unclear whether this will be a joint effort between the government and a C3PAO, or solely the government.

What Should Defense Contractors Do To Prepare?

The DoD has not yet finalized rulemaking concerning CMMC 2.0; however, there are some things that defense contractors can do to prepare for certification. First, identify what CMMC level will need to be reached based on the type of data that the business handles. At a minimum, all defense contractors must meet the requirements of Level 1. Contractors that handle Controlled Unclassified Information will need to certify at Level 2 and if a business handles highly sensitive CUI, they will need to certify at Level 3.

To become certified, a business must prove that they have implemented the required practices. One way to gauge compliance is by conducting a gap analysis. A CMMC gap analysis or assessment occurs when a business identifies all current CMMC practices and processes and then compares them to the practices and processes required to optimize performance or meet compliance requirements.

Request A Consultation With The Experts At Vaultes

While the CMMC 2.0 is designed to simplify and lessen the requirements in both expectations and scope, becoming certified is still no easy feat. Defense contractors must familiarize themselves with CMMC requirements and their current IT environment to determine what steps they need to take to reach certification. For more information about CMMC 2.0, or to schedule a consultation with an experienced cyber security consulting firm headquartered in the Washington D.C. metro area, contact the experts at Vaultes.