5 Things You Need to Know About CMMC and How it Builds on DFARS

5 Things You Need to Know About CMMC and How it Builds on DFARS

Cybercriminals have targeted and continue to target the Defense Industrial Base (DIB) sector, as well as the Department of Defense's (DoD) supply chain in the hopes of stealing vital intellectual property and sensitive information. The DIB sector is made up of more than 300,000 organizations that research, engineer, develop, acquire, produce, deliver, sustain, and operate military services, capabilities, installations, and networks. A cyberattack against the DoD supply chain can significantly undercut the United States' technical innovations and advantages, and compromise its national security.

This led the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to create the Cybersecurity Maturity Model Certification (CMMC) framework. This framework is a certification procedure designed to assure the DoD that DIB contractors are capable of protecting sensitive information such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

5 Things to Know About CMMC 2.0

1. ALL DoD contractors are required to be CMMC 2.0 compliant.

CMMC regulations state that all DoD contractors need to get a certification prior to bidding for a government project. The DoD decides the certification level of contractors based on the type of CUI they manage. The DoD also has minimum certification requirements in requests for information (RFI) that went into effect in 2020, along with selected requests for proposals (RFPs).

2. Self-certification is only an option for level 1 CMMC 2.0 certification.

Contractors are required to coordinate with an independent and accredited third-party certification organization when requesting and scheduling a CMMC 2.0 level two or three assessment. Self-assessment is only allowed for CMMC 2.0 level one certification, which limits contractors to only deal with Federal Contract Information (FCI). Contractors will need to specify the level of certification they need based on their business requirements. Those who show the appropriate organizational maturity and maturity in capabilities will receive their certification at the appropriate CMMC 2.0 level.

3. You need CMMC 2.0 level 2 certification to handle CUI

There are three CMMC 2.0 certification levels in the CMMC model used to measure cybersecurity maturity. They are:

  • Level 1 - Foundational
  • Level 2 - Advanced
  • Level 3 - Expert

In order for contractors to handle or generate CUI, they must have at least a level two certification. This means that contractors who acquire level two certification under the CMMC 2.0 framework are known to implement all of the NIST SP 800-171 security requirements, have good cyber hygiene to meet most cyber threats, and are able to keep CUI secure.

4. CMMC 2.0 does not end DFARS

When the DoD released the Defense Federal Acquisition Regulation Supplement (DFARS) for contractors, there was some confusion which led to its slow adoption. This led the DoD to create the CMMC 1.0 model to help contractors build strong and efficient cybersecurity standards.

However, the release of CMMC 1.0 did not end DFARS. In fact, every DoD contractor that stores, processes, and transmits CUI runs the risk of losing their contracts if they fail to comply with the minimum security requirements of DFARS. To be considered DFARS-compliant, a contractor needs to fulfill the requirements of NIST SP 800-171, which involves 110 controls. The CMMC 2.0 level two certification essentially mirrors all DFARS requirements. And thus, DFARS-compliant contractors are already prepared to become CMMC 2.0 level two compliant. 

5. Preparation for a CMMC 2.0 audit can take as long as 6 months

The CMMC accreditation board is responsible for training CMMC auditors, referred to as certified third-party assessment organizations (C3PAO), to perform the audits and ensure contractors meet all the required cybersecurity controls needed for a specific level. It's their recommendation to start preparing early; 6 months early, in fact. 

Whether you have an in-house IT and cybersecurity team or you're looking to outsource to a CMMC 2.0 consultant, we recommend following these five steps:

  1. Use existing guidelines to review your current cybersecurity maturity.
  2. Identify the gaps in your security protocol and determine what needs to be strengthened or improved. 
  3. Assess your business's ability to fill in the gaps.
  4. Create a plan that will be sustainable in the long term. 

Learn more about CMMC

Compliance with NIST SP 800-171 can be a grueling task for small businesses. CMMC is a cost-effective solution to achieve the minimum Level 1 requirement. Find out more by click the button below.

Show Me How


Charles IT's gap assessment will identify gaps in a contractor's cybersecurity policies and create a strategy to remediate them so that they'll have no problems obtaining a CMMC 2.0 certification. Start your gap assessment now!

Editor's Note: This blog was originally published on January 9th, 2023. It was edited on June 29th, 2023 for accuracy.

Download Our CMMC Compliance Checklist: This checklist will help you determine the right CMMC controls, policies, and procedures to adopt for your organization to achieve CMMC 2.0 Certification.

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”