CMMC Compliance Checklist For 2024

In today’s increasingly interconnected era, global threats and adversaries continue to assault the Department of Defense (DoD) and Defense Industrial Base (DIB) ecosystem. To meet these increasingly frequent and complex cyber attacks, the Department of Defense (DoD) is enhancing the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB through the deployment of the Cybersecurity Maturity Model Certification (CMMC).

In this blog, we’ll explore CMMC’s significance, the certification process for businesses, and more, including:

• Understanding CMMC compliance
• The evolution of CMMC
• Who needs to comply with CMMC
• The importance of CMMC compliance
• The CMMC compliance levels
• Key elements of CMMC compliance
• Preparing for a CMMC assessment
• The role of the Registered Practitioner Organization (RPO) and CMMC Third Party Assessment Organization (C3PAO) in CMMC compliance
• Certification and maintenance of CMMC compliance

Understanding CMMC Compliance

CMMC, is a certification and compliance framework established by the Department of Defense (DoD). It was first announced on September 4th, 2019, and is aimed at ensuring that contractors have the appropriate security controls in place to safeguard federal contract information and controlled unclassified information.

CMMC provides clarity regarding the required security levels for different contractor-government engagements. Compliance levels vary based on the sensitivity of the information and associated risks, with certifications ranging from basic to advanced maturity levels.

CMMC compliance is achieved when a contractor implements all security measures prescribed by the CMMC based on their level of information access.

The Evolution Of CMMC

With the need for increased cybersecurity, the DoD decided to move from a “self-proclamation” security model to something more advanced. However, DoD recognized that the government could not realistically perform assessments on the 220,000+ DIB companies that handle Controlled Unclassified Information (CUI).

To address this challenge, CMMC was announced in 2019 to provide the DoD with a verification mechanism to ensure contractors have implemented security requirements prior to being awarded a contract and to ensure continued compliance during performance.

Developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the program aimed to safeguard the Defense Industrial Base (DIB) sector from evolving cybersecurity threats.

In September 2020, the DoD introduced an interim rule, DFARS Case 2019–D041, as an implementation of the DoD’s initial vision for the CMMC Program (“CMMC 1.0”).

After receiving feedback in the form of public comments, in March 2021, the DoD initiated an internal review of  CMMC 1.0 and in November 2021 it announced CMMC 2.0, the updated program designed to achieve the primary goals of the internal review:

• Safeguard sensitive information to enable and protect the warfighter
• Enforce DIB cybersecurity standards to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Perpetuate a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards

CMMC 1.0 Vs CMMC 2.0

The restructured CMMC program (CMMC 2.0) is a substantial improvement over CMMC 1.0, primarily in the way it responds to public concerns. It maintains the original goal of safeguarding sensitive info but does so in a manner that reduces costs for small businesses and aligns with the existing cybersecurity requirements.

Key aspects of the updated model include:

• Reduces complexity through the elimination of two transitional levels, streamlining the model from five to three tiers.
• Eliminates CMMC unique security requirements and process maturity elements; The resurrected model now directly aligns with existing Federal Acquisition Regulation (FAR) 52.204-21, NIST SP 800-171 Rev 2, and NIST SP 800-172 requirements.
• Adds flexibility through the introduction of industry Plan of Action & Milestones (POA&Ms) and DoD requirement waivers.
• Reduces costs by allowing annual self-assessments with an annual affirmation by company leadership.
• Reduces costs for Level 2 by allowing a subset of companies to demonstrate compliance through self-assessment rather than C3PAO assessment.
• Applying Level 3 to a small subset of DoD programs that require protection against the most capable adversaries.
• Eliminates duplication through explicit acceptance of their standards.

The current CMMC model incorporates contractor self-assessment in certain scenarios, the use of Plans of Action and Milestones (POA&M), and flexibility for government program offices to pursue waivers for CMMC compliance requirements.

In addition, CMMC adds a requirement for senior official affirmations at each level. The senior official who is responsible for ensuring the DIB company’s compliance with CMMC must submit an annual affirmation to the Supplier Performance Risk System (SPRS). These affirmations convey that the organization seeking assessment (OSA) has implemented and will maintain all applicable CMMC security requirements for the information systems within the relevant assessment scope at the applicable CMMC level.

As of November 2023, the regulatory review process of the CMMC rule was complete, clearing the way for its publication.

DoD published CMMC 2.0 as a proposed rule on December 26, 2023, with a standard 60-day public comment period that ended on February 26, 2024.

The CMMC program is anticipated to become effective and begin the implementation phase as early as Q1 2025. The DoD plans a phased roll-out with the expectation that all relevant contracts will include CMMC requirements by 2028. This phased approach gives contractors time to comply.

Who Needs to Comply with CMMC?

The CMMC rule applies to all entities within the Defense Industrial Base (DIB) Sector that are already contracted by the Department of Defense (DoD) or intend to compete for contracts. This includes a wide range of companies, from prime contractors to subcontractors and suppliers.

It is paramount that the DoD ensures their industrial parents are compliant with CMMC in order to protect sensitive information and the overall security of the defense supply chain.

The Importance Of CMMC Compliance

CMMC will be required for the DIB sector to compete and win contracts. While simply competing and sustaining contracts is essential for many businesses, the DoD is focused on the protection of the DIB, its systems and data, and most crucially, the warfighters. Data breaches, cyberattacks, and disruption to the DIB ultimately impacts the safety and effectiveness of our warfighters and remains the paramount consideration for CMMC.

The CMMC Compliance Levels

CMMC 2.0 is a more streamlined version composed of three levels of security controls. Requirements for the three levels of CMMC compliance certification include:

Level 1: Foundational

The CMMC Level 1 applies to companies that handle federal contract info (FCI) only. This is data that is not critical to national security and no outside assessment is required.

CMMC Level 1 Self-Assessment

CMMC Level 1 Self-Assessment requires compliance with basic safeguarding requirements to protect  FCI are set forth in FAR clause 52.204–21. CMMC Level 1 does not add any additional security requirements to those identified in FAR 52.204–21.

Organizations Seeking Assessment (OSAs) will submit the following information in SPRS prior to award of any prime contract or subcontract and annually thereafter:

• The results of a self-assessment of the OSA’s implementation of the basic safeguarding requirements set forth in 32 CFR 170.15 associated with the contractor information system(s) used in the performance of the contract.
• An initial affirmation of compliance, and then annually thereafter, an affirmation of continued compliance as set forth in 32 CFR 170.22.
• The Level 1 Self-Assessment cost burden will be addressed as part of the 48 CFR acquisition rule.

Level 2: Advanced

CMMC Level 2 is for organizations working with Controlled Unclassified Information (CUI).

CMMC Level 2 Self-Assessment

CMMC Level 2 Self-Assessment requires compliance with the security requirements set forth in NIST SP 800– 171 Rev 2 to protect CUI. CMMC Level 2 does not add any additional security requirements to those identified in NIST SP 800–171 Rev 2.

OSAs will submit the following information in SPRS prior to award of any prime contract or subcontract:

• The results of a self-assessment of the OSA’s implementation of the NIST SP 800–171 Rev 2 requirements set forth in 32 CFR 170.16 associated with the covered contractor information system(s) used in performance of the applicable contract.
• An initial affirmation of compliance, and, if applicable, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance set forth in 32 CFR 170.22.
• The Level 2 Self-Assessment cost burden will be addressed as part of the 48 CFR acquisition rule.

CMMC Level 2 Certification

CMMC Level 2 Certification requires compliance with the security requirements set forth in 32 CFR 170.17 to protect CUI. CMMC Level 2 does not add any additional security requirements to those identified in NIST SP 800–171 Rev 2.

A CMMC Level 2 Certification Assessment of the applicable contractor information system(s) provided by an authorized or accredited C3PAO is required to validate implementation of the NIST SP 800–171 Rev 2 security requirements prior to award of any prime contract or subcontract and exercise of option.

The C3PAO will upload the CMMC Level 2 results in eMASS which will feed the information into SPRS. Organizations Seeking Certification (OSCs) will submit in SPRS an initial affirmation of compliance, and, if necessary, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance as set forth in 32 CFR 170.22.

The Level 2 Certification Assessment cost burdens are included in this part with the exception of the requirement for the OSC to upload the affirmation in SPRS that is included in the Title 48 acquisition rule and an update to DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Additionally, the information collection reporting requirements for the CMMC instantiation of eMASS are included in a separate ICR for this part and cover only those requirements pertaining to the CMMC process.

Level 3: Expert

This level is focused on reducing the risk from advanced persistent threats. It is not necessarily based on a specific type of information, but rather on how critical the program is. For example, a contractor working on an aircraft carrier program since the program is considered highly critical.

CMMC Level 3 Certification Assessment

CMMC Level 3 Certification Assessment requires a CMMC Level 2 Final Certification Assessment and compliance with the security requirements set forth in 32 CFR 170.18 to protect CUI. CMMC Level 3 adds additional security requirements to those required by existing acquisition regulations as specified in this rule.

A CMMC Level 3 Certification Assessment of the applicable contractor information system(s) provided by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is required to validate implementation of the DoD-defined selected security requirements set forth in NIST SP 800–172. A CMMC Level 2 Final Certification is a prerequisite to schedule a DIBCAC assessment for CMMC Level 3.

DCMA DIBCAC will upload the CMMC Level 3 results into the CMMC instantiation of eMASS, which will feed the information into SPRS. OSCs will submit in SPRS an initial affirmation of compliance, and, if necessary, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance as set forth in 32 CFR 170.22.

The Level 3 Certification Assessment cost burdens are included in this part with the exception of the requirement for the OSC to upload the affirmation in SPRS that is included in the Title 48 acquisition rule and an update to DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Additionally, the information collection reporting requirements for the CMMC instantiation of eMASS are included in a separate ICR for this part and cover only those requirements pertaining to the CMMC process. As described, the CMMC Program couples an affirmation of compliance with certification assessment requirements to verify OSA implementation of cybersecurity requirements, as applicable.

Key Elements of CMMC Compliance

Including the following aspects are integral as organizations progress through CMMC compliance checklists:

Understanding CMMC Domains and Practices

CMMC specifies well-defined data security measures in various domains including access control, risk management, and recovery, among others.

CMMC program requirements will apply to prime contractors and to subcontractors at all tiers of the supply chain that will process or store FCI or CUI.

Phased Implementation: CMMC requirements will be implemented using a phased approach consisting of four phases. One reason for using phased implementation is to ensure adequate availability of authorized or accredited C3PAOs and assessors to meet DoD’s demand.

Assessing the Appropriate CMMC Maturity Level for Your Organization

The CMMC scoring methodology is designed to provide an objective measurement of a contractor’s or subcontractor’s implementation of security requirements.

CMMC Maturity Level Scoring Methodology for Self-Assessments

CMMC Level 1: Score not required; either the requirements are MET or NOT MET.

CMMC Level 2: Security requirements are valued at 1, 3, or 5 points each, with a maximum overall score of 110. The point value of each requirement is reflective of the potential risk to DoD CUI.

Building a Plan of Action and Milestones (POA&M)

A Plan of Action and Milestones (POA&M) is a structured document that outlines specific actions an organization intends to take to address identified security weaknesses or deficiencies within its systems.

CMMC allows much more limited use of POA&Ms. POAMs are only material for a subset of controls and for a much more restricted time period. Our recommendation is to strive for the full 110 score and address any gaps prior to engaging the C3PAO.

• Level 1 does not allow for POA&Ms since all security requirements must be MET.
• Level 2 allows POA&Ms for select requirements.
• Level 3 allows POA&Ms for select requirements.

A POA&M must be closed and verified by a POA&M Closeout Assessment of the pending NOT MET requirements within 180 days of the initial assessment. Otherwise, the conditional certification will expire and normal contractual remedies will apply.

Developing a System Security Plan (SSP)

A System Security Plan (SSP) is a document that outlines the security requirements for an information system and the controls an organization implements to meet those requirements.

The DoD will review the SSP when deciding whether to authorize them to handle FCI and CUI on a non-federal-owned system. This review helps the DoD determine if it’s wise to pursue agreements or contracts with the non-federal organization.

At a minimum, an SSP must include:

• Description of the CMMC Assessment Scope.
• Environment of Operation: Description of the physical setting where the information system operates.
• Security Requirements: List of approved security measures derived from relevant laws, policies, and standards to ensure data confidentiality, integrity, and availability.
• Implementation Approach: Explanation of how these security requirements are applied within the system or environment.
• System Connections: Overview of connections to other systems and networks.
• Frequency Updates: Typically, updates should occur at least once a year.

What is an RPO and Identifying If You Need One

Determining whether your organization needs a Registered Practitioner Organization (RPO) in its journey toward CMMC compliance involves assessing the complexity of your operations and the level of expertise required.

An RPO can play a crucial role in guiding your organization through the intricacies of CMMC requirements, offering tailored strategies and insights to ensure successful implementation. With their specialized knowledge and experience, RPOs can help advise you and help you navigate the CMMC framework, assess your current cybersecurity posture, develop a roadmap for achieving compliance, and help advise your team along the way as you implement the plan. The goal of an RPO should always be to help you prepare your organization to pass the test that will be performed by the assessor, referred to as the C3PAO.

Selecting a CMMC Third Party Assessor Organization (C3PAO)

When selecting a C3PAO, two critical factors come into play: affordability and expertise. This is especially important for small and medium enterprises. While some organizations may be certified to be an RPO and a C3PAO, you will need two different organizations to perform these tasks as it is considered a conflict of interest to have an organization be your RPO advisor and your C3PAO assessor.

Setting a Timeline for CMMC Compliance

The objective timeline for implementing contractor compliance with CMMC requirements has been and remains fiscal year 2025. The anticipated rollout comprises four phases spanning a total of 30 months, aiming for completion by mid-2027.

For many companies in the defense industrial base, the transition to being assessment-ready for CMMC requirements can take 12–18 months. Each organization should set a timeline for their compliance journey, ensuring they are ready by the time their desired CMMC compliance level is fully implemented.

Allocating Resources for CMMC Compliance

The journey to CMMC compliance can be costly in terms of personnel, money, time, and effort. Companies should create well-defined budgets and plans of action to achieve desired levels of security compliance.

Also, keep in mind that CMMC certification needs periodic renewal.

Preparing for a CMMC Assessment

Ensuring alignment with the existing DFARS clauses is a crucial initial step in preparing for CMMC 2.0, even before considering the implications of the final rule-making process.

According to the DoD, the two most important clauses for CMMC implementation are DFARS 252.204-7012 and DFARS 252.204-7021.

To maximize your chances for successful certification, start by familiarizing yourself and complying with these standards in reference to the CMMC checklist of requirements.

The Role of Industry Advisors in CMMC Compliance

Earlier, we discussed how RPOs assist in selecting assessment partners, but their role goes beyond matchmaking.

RPOs can play a pivotal role in shaping your overall security compliance strategy. With their expert staff and deep understanding of regulatory requirements, RPOs can do everything from advising on infrastructure enhancements to conducting negotiations on your behalf.

To start your CMMC journey, consult an industry advisor for a gap assessment and compliance roadmap, among other CMMC compliance services.

Certification and Maintenance of CMMC Compliance

The CMMC program requires contractors to achieve the CMMC Level specified in DoD solicitation by the time of award and maintain their CMMC assessment status throughout the contract performance period.

As discussed above, companies can attain CMMC compliance through self-assessment, C3PAO assessment, or assessment by government agents. Once certified, reassessment is to be done yearly or every three years depending on your CMMC level.

Maintaining your status will entail monitoring, maintaining, and updating various components of your system security plan, such as threat detection and incident response.

Hartman Executive Advisors

In order to remain competitive, DIB companies must take strategic steps towards CMMC compliance. Failure to do so could result in the risk of losing contracts to competitors.

Hartman Executive Advisors is an RPO and an expert on all matters of government contracting, specifically CMMC compliance. Contact us today to find out how we can help your business prepare to achieve CMMC compliance.