What is CMMC? What Defense Contractors Must Know.

HomeBlogBlogWhat is CMMC? What Defense Con...

In an effort to protect national security, the federal government moved to bring military contractors and businesses in the supply chain under a single cybersecurity standard. Known as the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) merged the best protocols to further this goal.


The DoD had repeatedly attempted to minimize the risks posed by nation states and advanced persistent threats. In 2016, the DoD put forward the Defense Federal Acquisition Regulation Supplement. This litany of cybersecurity measures was designed to prompt direct military contractors and small businesses to adopt defensive postures and protect Controlled Unclassified Information, also known as CUI. The mandate involved compliance with the National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171. However, too many organizations failed to comply and hackers routinely pilfered off valuable CUI.


As threat actors continued to penetrate networks within the military-industrial base, it was apparent that self-assessments failed and a single standard was critical. In 2019, CMMC 1.0 was launched during the Trump Administration which called for third-party CMMC assessments within a five-tier system. The rollout stalled as the Biden Administration sought changes. Now, CMMC 2.0 is coming into view and small and mid-sized businesses that generate profits from DoD contracts or the military supply chain are tasked with preparing.

What Does CMMC 2.0 Involve?

The newly-minted CMMC 2.0 reduces the number of cyber hygiene tiers from five to three. Each level calls for businesses to demonstrate compliance based on the level of CUI they store or transmit that matches the appropriate CMMC 2.0 tier. These include the following.

• Level 1 (Foundational): Companies that manage Federal Contract Information must bring their cybersecurity defenses in line with 17 basic protocols outlined in NIST 800-171. This information is not necessarily considered sensitive to national security. Under CMMC 2.0, small and mid-sized businesses will be allowed to conduct an in-house assessment and submit the findings to the Supplier Performance Risk System (SPRS) for review on an annual basis. Failure to submit the data or meet Level 1 CMMC compliance could sideline an organization.

• Level 2 (Advanced): Operations that manage CUI must bring their cyber hygiene into compliance with the first 17 NIST practices as well as 93 others. Although complicated and quite rigorous, the DoD plans to allow some businesses to conduct in-house assessments and submit their findings to the SPRS annually. Other companies that house or transmit more sensitive CUI will be required to undergo a CMMC assessment conducted by a Third Party Assessment Organization (C3PAO) every three years.

• Level 3 (Expert): Military contractors and organizations tasked with protecting highly sensitive CUI must meet the rigorous standards of Level 3. This entails complying with 110 NIST 800-171 controls. Additional measures are expected to be issued by the DoD and independent assessment will be mandated.

Small and mid-sized businesses are the most likely to experience challenges navigating the CMMC 2.0 expectations. Understanding the difference between CMMC Level 2 and 3 can prove complicated. Even if business professionals recognize they require Level 2 cyber hygiene, resolving the question of in-house or a Third Party Assessment Organization (3PAOs) assessment has significant ramifications.

Does Your Business Need To Comply with CMMC 2.0?

It’s essential businesses that derive benefits from the military supply chain take appropriate measures as soon as possible to harden their network defenses. Although the final CMMC 2.0 guidelines are still in the works, an expectation exists that contractors meet NIST 800-171 standards and conduct assessments. That means working with an experienced cybersecurity firm to ensure your operation does not suffer a breach by a foreign threat actor.

Depending on the type of CUI your operation stores and transmits, a NIST 800-171 Basic Assessment and score reporting may currently be necessary. The penalty for failing to meet these national security mandates typically includes high fines and suspension from bidding or working on military contracts. So, the short answer is: Yes. Your business needs to remain in compliance with DoD standards while the final CMMC 2.0 regulations are being completed.

How To Prepare for CMMC 2.0

A timeline published by the DoD indicates its rulemaking could conclude as soon as August 22 or at least by November 2023. When the CMMC 2.0 mandate drops, businesses should anticipate companies rushing to enlist the help of cybersecurity experts and Third Party Assessment Organizations. Getting caught in a bottleneck could impede our ability to bid on lucrative DoD contracts or participate as a subcontractor.

The critical point is that waiting could cost your business time and money. But by enlisting the help of a cybersecurity firm now, the following proactive measures can be taken to ensure you meet the CMMC 2.0 requirements.

  • Assess Information Security: Have a third-party conduct a thorough review of your cybersecurity practices. Identifying security weaknesses now allows you time to close them and meet the standards.
  • Identify Your CMMC Level: Understanding the sometimes subtle differences between CUI and sensitive CUI requires in-depth knowledge. Consider having a detailed analysis conducted that identifies precisely the CUI you store or transmit and the requirements under CMMC 2.0.
  • Implement Pen Testing: Penetration testing involves an outside entity probing your network for vulnerabilities. The process mirror that of a sophisticated hacker or advanced persistent threat working for a rival nation. Once an ethical hacker has completed the process, business leaders receive a detailed report. This serves as a roadmap to close cybersecurity gaps and harden your defenses.

It’s important to work with a reputable Third Party Assessment Organization that also communicates effectively. The CMMC 2.0 regulations can be highly technical and complicated. Business leaders outside the managed IT and cybersecurity sector needs a liaison who takes that burden off their shoulders. For additional information on how to prepare for CMMC 2.0 – read this previous article.

Contact Sedulous Consulting Services For CMMC 2.0 Planning

Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with businesses of all sizes to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous.