CMMC Compliance checklist for DoD contractors
Learn about CMMC compliance requirements for DoD contractors with this comprehensive checklist covering the three maturity levels, implementation steps, assessment types, and common challenges in achieving Cybersecurity Maturity Model Certification.
TL;DR
- CMMC enforces mandatory cybersecurity requirements for DoD contractors.
- Compliance is required to bid on and retain Department of Defense contracts.
- CMMC uses tiered levels based on information sensitivity and risk.
- Level 1 protects FCI with basic cyber hygiene practices.
- Level 2 requires 110 NIST 800-171 controls to secure CUI.
- Level 3 demands advanced threat protection measures.
- Failing compliance loses eligibility for DoD contracts.
What is CMMC compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense to enhance cybersecurity standards across the defense industrial base. It was created to protect sensitive government information, particularly Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats. The model establishes mandatory cybersecurity requirements that defense contractors must meet to qualify for DoD contracts.
Implementation of CMMC requires third-party assessments conducted by certified CMMC assessors to verify compliance with the appropriate maturity level. Organizations must achieve and maintain their required certification level to remain eligible for relevant DoD contracts. This represents a significant shift from the previous self-attestation model to a more rigorous, verified approach to cybersecurity in the defense supply chain.
Three maturity levels of CMMC
CMMC operates on a tiered system with three maturity levels, each building upon the previous one with increasingly sophisticated cybersecurity practices and processes.
- Level 1 focuses on basic cyber hygiene for protecting FCI,
- Level 2 addresses intermediate practices for safeguarding CUI, and
- Level 3 implements advanced procedures for protecting the most sensitive information.
Each level requires specific security controls, processes, and organizational maturity to demonstrate adequate protection capabilities.
CMMC compliance overview
Assessment and Preparation
Begin by conducting a comprehensive gap analysis to identify which CMMC level your organization needs to achieve based on the type of information handled.
Organizations must also determine their assessment scope, which defines the boundaries of systems and networks that process, store, or transmit DoD information.
Implementation of Security Controls
Systematically implement the required security controls for your target CMMC level, ensuring all technical, operational, and administrative safeguards are properly configured and documented. This includes establishing access controls, implementing encryption, deploying security monitoring systems, and creating incident response procedures. Organizations must also develop comprehensive policies and procedures that align with the specific requirements of their CMMC level. All security controls must be consistently applied across the defined assessment scope and integrated into daily operations.
Assessment and Certification
Choose the appropriate assessment type based on your CMMC level and contract requirements.
The assessment validates that all required security controls are properly implemented and effective. Organizations may develop Plans of Action and Milestones (POA&Ms) for certain non-critical deficiencies, but these must be resolved within 180 days.
Continuous Compliance and Maintenance
Establish ongoing monitoring and maintenance processes to ensure continuous compliance with CMMC requirements throughout the contract period. This includes conducting annual affirmations in the Supplier Performance Risk System (SPRS), maintaining documentation of security controls, and implementing change management procedures. Organizations must also prepare for periodic reassessments every three years and ensure that any system changes or updates maintain compliance with the established CMMC level requirements.
CMMC compliance checklist:
Step 1: Conduct a gap analysis
Compare your current cybersecurity posture against NIST SP 800-171 requirements to identify missing security controls for your required tier.
- Level 1 applies to basic Federal Contract Information (FCI) and requires implementation of 15 security requirements from FAR clause 52.204-21.
- Level 2 addresses Controlled Unclassified Information (CUI) and requires 110 security requirements from NIST SP 800-171 Rev 2.
- Level 3 provides higher-level protection against advanced persistent threats and adds 24 requirements from NIST SP 800-172.
Example: A defense contractor reviews their current cybersecurity posture against NIST SP 800-171 requirements and identifies that they lack proper access controls for CUI, missing 15 out of 110 required security controls for Level 2 compliance.
Step 2: Define assessment scope boundaries
Document precisely which networks process CUI and segment them from separate administrative networks to reduce overall audit scope.
Example: A manufacturing company clearly documents that their assessment scope includes the engineering network where they process technical drawings marked as CUI, but excludes their separate administrative network used only for payroll and HR functions.
Step 3: Implement required security controls
Install multi-factor authentication, encrypt all CUI data at rest and in transit, and establish network segmentation to isolate processing environments.
Example: An aerospace subcontractor installs multi-factor authentication for all users accessing CUI systems, encrypts all CUI data at rest and in transit, and establishes network segmentation to isolate CUI processing environments from general business systems.
Step 4: Develop comprehensive documentation
Create detailed system security plans, incident response procedures, and access control policies that specifically address how you handle DoD contract information.
Example: A software development firm creates detailed system security plans, incident response procedures, and access control policies that specifically address how they handle DoD contract information, including step-by-step procedures for CUI marking and handling.
Step 5: Complete the appropriate assessment
Conduct an annual self-assessment for FCI, or engage a C3PAO to perform a comprehensive third-party assessment of your security controls for CUI.
- Level 1 requires annual self-assessments,
- Level 2 allows either self-assessments or third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs), and
- Level 3 mandates assessments by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Example: A small contractor handling only FCI conducts an annual self-assessment using the 15 FAR requirements, while a larger prime contractor processing CUI engages a C3PAO to perform a comprehensive third-party assessment of their 110 NIST SP 800-171 controls.
Step 6: Address deficiencies through POA&Ms
Develop a Plan of Action and Milestones (POA&M) to resolve missing non-critical security controls; critical deficiencies such as missing access controls cannot be placed in a POA&M and must be resolved before contract award.
Example: A defense contractor develops a Plan of Action and Milestones to address missing security awareness training within 90 days, but cannot include critical access control deficiencies in their POA&M as these must be resolved before contract award.
Step 7: Submit results to SPRS
Enter your assessment results into the Supplier Performance Risk System (SPRS), ensuring every requirement is either met or addressed in an approved POA&M, with any remaining requirements (two, in the example below) clearly scheduled for remediation.
Example: After completing their Level 2 self-assessment, a contractor enters their assessment results into the Supplier Performance Risk System, showing a score of 98 out of 110 requirements met, with the remaining 2 requirements addressed in an approved POA&M.
Step 8: Establish continuous monitoring processes
Implement automated vulnerability scanning, conduct quarterly security control reviews, and maintain an incident response team to ensure ongoing compliance.
Example: A defense contractor implements automated vulnerability scanning, conducts quarterly security control reviews, and maintains an incident response team that monitors their CUI processing systems 24/7 to ensure ongoing compliance between formal assessments.
Common challenges
Organizations face significant challenges in achieving CMMC compliance due to the complex, tiered structure of the program and its integration with existing cybersecurity frameworks. The program requires different levels of assessment depending on the type of information handled, with Level 1 requiring basic safeguarding of Federal Contract Information (FCI), Level 2 focusing on broad protection of Controlled Unclassified Information (CUI), and Level 3 demanding higher-level protection against advanced persistent threats. This complexity is compounded by the need to align with multiple existing standards, including NIST SP 800-171 for Level 2 (110 requirements) and NIST SP 800-172 for Level 3 (24 additional requirements), while maintaining compliance with FAR clauses and DFARS requirements.
The implementation timeline and assessment requirements create additional organizational burdens, particularly as the program transitions from self-attestation to verified compliance through various assessment mechanisms. Companies must navigate different assessment types, from self-assessments to third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) for Level 2, and government-led assessments by DIBCAC for Level 3. The requirement for continuous compliance monitoring through annual affirmations, coupled with the three-year assessment cycles and the potential for assessment status to lapse upon failure to annually affirm, creates ongoing administrative and operational challenges.
Resource allocation and remediation planning present substantial challenges, particularly given the restrictions on Plans of Action and Milestones (POA&Ms) and the tight timelines for addressing deficiencies. While Level 2 and 3 allow limited use of POA&Ms, Level 1 permits no remediation plans, and even when allowed, POA&Ms must be closed out within 180 days or the conditional CMMC status expires. Organizations must also ensure compliance flows down to subcontractors at all tiers, expanding the scope of oversight and coordination required while maintaining the same stringent timelines and requirements throughout their supply chain.
Reducing audit cost and complexity for CMMC with an Enterprise Browser
For any size organization supporting DoD contracts and subcontracts, bid compliance is a must. With the Island Enterprise Browser, businesses can simplify achieving CMMC requirements and ensure bid compliance while maintaining security and productivity, directly through the browser. By creating secure application boundaries and embedding robust controls, Island ensures information stays within NIST 800-171 compliant storage and use, reducing audit scope and risk.
FAQs about CMMC
How often do organizations need to conduct CMMC assessments?
Assessment frequency depends on the CMMC level. Level 1 requires annual self-assessments, Level 2 allows either self-assessments or third-party assessments by C3PAOs, and Level 3 mandates assessments by DIBCAC. All levels require reassessments every three years and annual affirmations in the Supplier Performance Risk System (SPRS).
What happens if an organization fails to maintain CMMC compliance?
Organizations that fail to maintain CMMC compliance lose their eligibility for relevant DoD contracts. Assessment status can lapse if organizations fail to complete annual affirmations in SPRS, and any POA&Ms that aren't resolved within 180 days will cause conditional CMMC status to expire.
Who is required to achieve CMMC compliance?
Any organization operating as a Department of Defense (DoD) contractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve CMMC compliance.
What is the Supplier Performance Risk System (SPRS)?
The SPRS is an authoritative Department of Defense system used to house and track contractor performance and cybersecurity assessment scores. Organizations must submit their self-assessment results and complete annual compliance affirmations within this portal to maintain their eligibility for defense contracts.
Can subcontractors rely on a prime contractor's CMMC certification?
No, subcontractors cannot inherit a CMMC certification from their prime contractor and must independently undergo their own assessment process. Every organization within the defense supply chain is responsible for proving they meet the appropriate cybersecurity maturity level for the specific type of government data they handle.
What is the difference between FCI and CUI?
Federal Contract Information (FCI) is basic data provided by or generated for the government under a contract that requires foundational cybersecurity protection. Controlled Unclassified Information (CUI) is highly sensitive data that requires much stricter, advanced safeguarding measures to prevent unauthorized disclosure.