CMMC Explained: What Defense Contractors Need To Know Now

Beginning in 2021, a small subset of US Government suppliers will be required to comply with and undergo a Cybersecurity Maturity Model Certification (CMMC) audit.  The number of suppliers will rapidly increase until all US Government suppliers will be subject to a CMMC audit beginning in 2026.  It is likely that you will begin seeing CMMC-level audit requirements in requests for proposals (RFPs) that are issued after 2021.

As noted on the Office of the Undersecretary of Defense for Acquisition and Sustainment website, the Cybersecurity Maturity Model Certification (CMMC) framework was created to supplement existing regulation (DFARS 252.204-7012) that is based on trust (i.e., currently a self-assessment) by adding a verification component with respect to cybersecurity requirements.  The CMMC framework also expands on the controls expected to be in place and documented (if a supplier is required to conform with a Certification Level above 1, the controls must be documented).  

The Cybersecurity Maturity Model Certification – Accreditation Body’s (CMMC-AB) mission is to support the CMMC-AB Ecosystem whose primary goal is “Securing Our Nation’s Supply Chain”.  The United States Department of Defense (DOD) created and manages the Cybersecurity Maturity Model itself.  The up-to-date model for each certification-level can be found here:  As you’ll quickly see when you look at the framework, there are different Certificate “levels” based on the sensitivity of the data that you, as a defense contractor, hold.  Levels 1 through 3 are well defined as of the publishing of this article.  Level 1 is required for all suppliers as it is relevant to any organization seeking certification (OSC) that holds “Federal Contract Information” (FCI).  Thus, if you have a contract with the federal government, you hold FCI.  This requirement will likely roll down the proverbial hill and be applied to subcontractors, as well.  An example given during the Registered Practitioner training hits home just how many businesses will be impacted.  The training covered a government-contracted food supplier noting that bad actors would gain intelligence based on the volume of food being ordered from week to week by different facilities.  Even Level 1 providers must undergo a certification audit by authorized and accredited C3PAO firms, but there are currently only 17 controls (or “practices”) within 5 CMMC framework domains in scope for a Level 1 certificate.  

Level 2 certification requires implementation and functioning of 72 controls (practices) within 15 of the 17 domains as well as 2 processes around documentation requirements.  In layman’s terms, Level 1 requires you to implement and be tested on 17 controls, but they do not have to be documented.  Level 2 certification also requires policies and procedures documenting how the controls are implemented, who is executing, execution frequency, etc.  

Level 3 is required when “Controlled Unclassified Information” (CUI) is government-created or possessed by you as a contractor or is created by you on behalf of the Government.  For Level 3, the C3PAO must validate the implementation and operating effectiveness of 130 controls and 1 process that covers all 17 CMMC control families.  The process element requires the policies and procedures, above, as well as adequate evidence to show support around your information security function and plan including allocation of resources to it.  If you are already familiar with the NIST 800-171 rev.1 Guidance for handling of CUI, just note that it is all 110 controls/practices plus 20 additional practices to total the 130 in-scope controls.

If you currently handle Federal Contract Information or Controlled Unclassified Information or you are reviewing RFPs that require handling of FCI or CUI, please reach out to us for a free consultation at [email protected] or 800-741-2050.  Audit Liaison is already a Registered Provider Organization and our people are already Registered Practitioners.  More importantly, we have been working with the NIST 800-53 framework from which the CMMC framework was built for over 11 years as an organization and some of our team has been applying the NIST 800-53 controls for over 20 years.  The number of “security consultants” has multiplied exponentially with the DOD’s announcement.  Choose an organization that built its name by making it as easy as possible for customers to implement information security frameworks across industries and standards for over a decade while always providing our services at as reasonable a cost as possible.  Call us to find out why our clients call us the Rosetta Stone of information security.