Updated: July 17, 2025

CMMC

Learn about CMMC compliance requirements for DoD contractors with this comprehensive checklist covering the three maturity levels, implementation steps, assessment types, and common challenges in achieving Cybersecurity Maturity Model Certification.

CMMC compliance: A checklist

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense to enhance cybersecurity standards across the defense industrial base. It was created to protect sensitive government information, particularly Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats. The model establishes mandatory cybersecurity requirements that defense contractors must meet to qualify for DoD contracts.

CMMC operates on a tiered system with three maturity levels, each building upon the previous one with increasingly sophisticated cybersecurity practices and processes. Level 1 focuses on basic cyber hygiene for protecting FCI, Level 2 addresses intermediate practices for safeguarding CUI, and Level 3 implements advanced procedures for protecting the most sensitive information. Each level requires specific security controls, processes, and organizational maturity to demonstrate adequate protection capabilities.

Implementation of CMMC requires third-party assessments conducted by certified CMMC assessors to verify compliance with the appropriate maturity level. Organizations must achieve and maintain their required certification level to remain eligible for relevant DoD contracts. This represents a significant shift from the previous self-attestation model to a more rigorous, verified approach to cybersecurity in the defense supply chain.

CMMC compliance steps

Assessment and Preparation: Begin by conducting a comprehensive gap analysis to identify which CMMC level your organization needs to achieve based on the type of information handled. Level 1 applies to basic Federal Contract Information (FCI) and requires implementation of 15 security requirements from FAR clause 52.204-21. Level 2 addresses Controlled Unclassified Information (CUI) and requires 110 security requirements from NIST SP 800-171 Rev 2. Level 3 provides higher-level protection against advanced persistent threats and adds 24 requirements from NIST SP 800-172. Organizations must also determine their assessment scope, which defines the boundaries of systems and networks that process, store, or transmit DoD information.

Implementation of Security Controls: Systematically implement the required security controls for your target CMMC level, ensuring all technical, operational, and administrative safeguards are properly configured and documented. This includes establishing access controls, implementing encryption, deploying security monitoring systems, and creating incident response procedures. Organizations must also develop comprehensive policies and procedures that align with the specific requirements of their CMMC level. All security controls must be consistently applied across the defined assessment scope and integrated into daily operations.

Assessment and Certification: Choose the appropriate assessment type based on your CMMC level and contract requirements. Level 1 requires annual self-assessments, Level 2 allows either self-assessments or third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs), and Level 3 mandates assessments by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The assessment validates that all required security controls are properly implemented and effective. Organizations may develop Plans of Action and Milestones (POA&Ms) for certain non-critical deficiencies, but these must be resolved within 180 days.

Continuous Compliance and Maintenance: Establish ongoing monitoring and maintenance processes to ensure continuous compliance with CMMC requirements throughout the contract period. This includes conducting annual affirmations in the Supplier Performance Risk System (SPRS), maintaining documentation of security controls, and implementing change management procedures. Organizations must also prepare for periodic reassessments every three years and ensure that any system changes or updates maintain compliance with the established CMMC level requirements.

CMMC compliance checklist

  • Conduct comprehensive gap analysis - Example: A defense contractor reviews their current cybersecurity posture against NIST SP 800-171 requirements and identifies that they lack proper access controls for CUI, missing 15 out of 110 required security controls for Level 2 compliance.
  • Define assessment scope boundaries - Example: A manufacturing company clearly documents that their assessment scope includes the engineering network where they process technical drawings marked as CUI, but excludes their separate administrative network used only for payroll and HR functions.
  • Implement required security controls - Example: An aerospace subcontractor installs multi-factor authentication for all users accessing CUI systems, encrypts all CUI data at rest and in transit, and establishes network segmentation to isolate CUI processing environments from general business systems.
  • Develop comprehensive documentation - Example: A software development firm creates detailed system security plans, incident response procedures, and access control policies that specifically address how they handle DoD contract information, including step-by-step procedures for CUI marking and handling.
  • Complete appropriate assessment type - Example: A small contractor handling only FCI conducts an annual self-assessment using the 15 FAR requirements, while a larger prime contractor processing CUI engages a C3PAO to perform a comprehensive third-party assessment of their 110 NIST SP 800-171 controls.
  • Address deficiencies through POA&Ms - Example: A defense contractor develops a Plan of Action and Milestones to address missing security awareness training within 90 days, but cannot include critical access control deficiencies in their POA&M as these must be resolved before contract award.
  • Submit results to SPRS - Example: After completing their Level 2 self-assessment, a contractor enters their assessment results into the Supplier Performance Risk System, showing a score of 98 out of 110 requirements met, with the remaining 2 requirements addressed in an approved POA&M.
  • Establish continuous monitoring processes - Example: A defense contractor implements automated vulnerability scanning, conducts quarterly security control reviews, and maintains an incident response team that monitors their CUI processing systems 24/7 to ensure ongoing compliance between formal assessments.

Common challenges

Organizations face significant challenges in achieving CMMC compliance due to the complex, tiered structure of the program and its integration with existing cybersecurity frameworks. The program requires different levels of assessment depending on the type of information handled, with Level 1 requiring basic safeguarding of Federal Contract Information (FCI), Level 2 focusing on broad protection of Controlled Unclassified Information (CUI), and Level 3 demanding higher-level protection against advanced persistent threats. This complexity is compounded by the need to align with multiple existing standards, including NIST SP 800-171 for Level 2 (110 requirements) and NIST SP 800-172 for Level 3 (24 additional requirements), while maintaining compliance with FAR clauses and DFARS requirements.

The implementation timeline and assessment requirements create additional organizational burdens, particularly as the program transitions from self-attestation to verified compliance through various assessment mechanisms. Companies must navigate different assessment types, from self-assessments to third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) for Level 2, and government-led assessments by DIBCAC for Level 3. The requirement for continuous compliance monitoring through annual affirmations, coupled with the three-year assessment cycles and the potential for assessment status to lapse upon failure to annually affirm, creates ongoing administrative and operational challenges.

Resource allocation and remediation planning present substantial challenges, particularly given the restrictions on Plans of Action and Milestones (POA&Ms) and the tight timelines for addressing deficiencies. While Level 2 and 3 allow limited use of POA&Ms, Level 1 permits no remediation plans, and even when allowed, POA&Ms must be closed out within 180 days or the conditional CMMC status expires. Organizations must also ensure compliance flows down to subcontractors at all tiers, expanding the scope of oversight and coordination required while maintaining the same stringent timelines and requirements throughout their supply chain.

Reducing audit cost and complexity for CMMC with an Enterprise Browser

For organizations of any size supporting DoD contracts and subcontracts, bid compliance is a must. With the Island Enterprise Browser, businesses can simplify achieving CMMC requirements and ensure bid compliance while maintaining security and productivity, directly through the browser. By creating secure application boundaries and embedding robust controls, Island ensures information stays within NIST SP 800-171 compliant storage and use, reducing audit scope and risk.

Frequently asked questions

Q: What are the three CMMC levels and what information do they protect?

A: CMMC has three maturity levels: Level 1 protects Federal Contract Information (FCI) with 15 basic security requirements from FAR clause 52.204-21; Level 2 protects Controlled Unclassified Information (CUI) with 110 security requirements from NIST SP 800-171 Rev 2; and Level 3 provides advanced protection against persistent threats with an additional 24 requirements from NIST SP 800-172.

Q: How often do organizations need to conduct CMMC assessments?

A: Assessment frequency depends on the CMMC level. Level 1 requires annual self-assessments, Level 2 allows either self-assessments or third-party assessments by C3PAOs, and Level 3 mandates assessments by DIBCAC. All levels require reassessments every three years and annual affirmations in the Supplier Performance Risk System (SPRS).

Q: What are Plans of Action and Milestones (POA&Ms) and when can they be used?

A: POA&Ms are remediation plans for addressing security control deficiencies. Level 1 permits no POA&Ms, while Levels 2 and 3 allow limited use for certain non-critical deficiencies. All POA&Ms must be resolved within 180 days or the conditional CMMC status expires.

Q: Who conducts CMMC assessments for each level?

A: Level 1 uses self-assessments conducted by the organization itself. Level 2 allows either self-assessments or third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs). Level 3 requires government-led assessments conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Q: What happens if an organization fails to maintain CMMC compliance?

A: Organizations that fail to maintain CMMC compliance lose their eligibility for relevant DoD contracts. Assessment status can lapse if organizations fail to complete annual affirmations in SPRS, and any POA&Ms that aren't resolved within 180 days will cause conditional CMMC status to expire.
