An Introduction to the CMMC Certification

The Defense Industrial Base (DIB) sector provides products and services that are essential to the military operations of the United States Department of Defense (DoD). The sector keeps intellectual property and sensitive information — officially categorized as federal contract information (FCI) and controlled unclassified information (CUI) — that are highly sought after by cybercriminals. If DIB companies fall victim to a cyberattack, this increases the risk to national security. 

To enhance the cybersecurity posture of the DIB sector, the Office of the Under Secretary of Defense for Acquisition and Sustainment developed the Cybersecurity Maturity Model Certification (CMMC) framework. 

What Is CMMC?

The CMMC model measures the cybersecurity maturity of an organization by assigning it a maturity level ranging from 1 to 5, with 5 being the highest. 

By classifying its vendors into different levels, the DoD ensures that contracts are awarded to vendors that have the appropriate levels of cybersecurity practices and processes in place. For example, only vendors that achieve at least CMMC Certification Level 3 can handle projects that deal with CUI.

Who Needs to Obtain CMMC Certification?

The DoD has required all of its vendors to pass the CMMC since September 2020. 

FAQ: Does my company still need to be CMMC-compliant if it does not handle CUI?

If you don’t possess CUI but handle FCI, then you must at least achieve CMMC Certification Level 1. But companies that solely produce commercial off-the-shelf (COTS) products do not have to get CMMC certification.

FAQ: Do DoD subcontractors also have to meet CMMC compliance? 

Yes, except if your company solely produces COTS products. Otherwise, the CMMC certification level that you need to achieve depends on the type and nature of information that flows from your prime contractor.

How Can You Achieve CMMC Compliance?

Unlike DFARS’s self-certification, only accredited CMMC third-party assessment organizations (C3PAOs) and individual assessors who undergo CMMC certification training can perform CMMC assessments. But beware of fake CMMC auditors! Only the CMMC Accreditation Body (CMMC AB) is authorized to provide CMMC certification training and accreditation.

What Can I Do Now to Prepare for CMMC?

A great starting point is to undergo a gap assessment. This step will help you determine the existing weaknesses and potential danger spots in your company’s cybersecurity posture.

When devising a plan to remediate these security vulnerabilities, make sure that you meet at least the minimum security requirements of your targeted CMMC certification level. The DoD has already released the technical frameworks that each level adopts, which are based on existing ones such as the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 and NIST 800-171.

Implementing the cybersecurity best practices and processes stipulated in these existing frameworks will put you on the right track to achieving your CMMC certification. While this sounds easy, complying with these security standards can become a grueling task, especially for small- and medium-sized businesses (SMBs) that have limited budgets and/or no internal staff with technical expertise. 

Fortunately, SMB owners like you can turn to Charles IT. We offer cost-effective compliance and security assessment services that will ensure that your company is compliant with all necessary industry regulations and standards. Get started with a gap assessment!

NOTE: In 2024, everyone will be required to move from CMMC to CMMC 2.0. Ensure you are prepared with our CMMC 2.0 Guide and let us know if we can help talk you through anything!

Editor's Note: This blog was originally published on August 3rd, 2020. It was edited on June 30th, 2023 for accuracy. 
