Cybersecurity Maturity Model Certification (CMMC) Compliance

The Cybersecurity Maturity Model (CMMC) certification was designed by the U.S. Department of Defense to help strengthen the cybersecurity posture of the Defense Industrial Base. Previously, defense contractors were required to certify themselves as compliant with NIST SP 800-171 – a major contributor to the CMMC. After the CMMC goes fully into effect, any organization that wants to work on defense contracts will be required to maintain some level of CMMC compliance.

Download the eBook Schedule a Demo

Cybersecurity Maturity Model Certification Compliance

Why does Cybersecurity Maturity Model Certification (CMMC) Compliance matter?

The Cybersecurity Maturity Model Certification was designed to protect the controlled and otherwise sensitive data that is given to an organization as part of a defense contract. This includes both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Who needs this certification?

Any organization that plans to work as a prime contractor or subcontractor on a defense contract will need to achieve Cybersecurity Maturity Model Certification compliance once the regulation goes into full effect. The level of CMMC compliance required will depend on the contract itself, the organization’s role within the contract, and the company’s access to FCI and CUI as part of the contract.

The details of CMMC 2.0 are still in the works, and the standard is not expected to roll out until May 2023. At that point, defense contracts will begin a 5-year phase-in period until all new contracts will require CMMC compliance.

Levels of CMMC

Originally, the Cybersecurity Maturity Model Certification included five levels of compliance broken into practices and processes. However, a revision of the standard to CMMC 2.0 eliminated the processes and reduced the levels to the following three:

  • Foundational (Level 1)
  • Advanced (Level 2)
  • Expert (Level 3)

These modifications eliminated the “transitional” phases 2 and 4, retaining three progressive levels. These modifications were intended to decrease the complexity and cost associated with compliance for small and medium-sized businesses (SMBs).

As a result of the modifications, the CMMC closely mirrors compliance with NIST standards. Level 2 compliance is equivalent to full compliance with NIST SP 800-171, while Level 3 draws from NIST SP 800-172 as well.

CMMC Compliance Requirements

The required level of CMMC compliance that an organization will have to achieve depends on the details of the contract in question. However, every defense contractor will be accepted to achieve at least Cybersecurity Maturity Model Certification Level 1 compliance, which deals with the protection of FCI. Higher levels of compliance will be needed for organizations with access to CUI.

The requirements for compliance depend on the required level and include:

  • Level 1: Level 1 compliance will require an annual self-assessment against 17 security controls. These controls are outlined in FAR 52.204-21 Basic Safeguarding of Covered Contractor Information.
  • Level 2: Level 2 compliance is required for organizations with access to CUI and is equivalent to full compliance with NIST SP 800-171. Level 2 compliance requires assessments once every three years by a third-party auditor for some programs and annual self-assessments for others, depending on the sensitivity of the information involved.
  • Level 3: Level 3 compliance requires full NIST SP 800-171 compliance and compliance with some of the controls of NIST SP 800-172. Compliance audits for CMMC Level 3 will be led by government auditors.

Since CMMC 2.0 is still in development, the exact requirements for compliance with each level are still in flux. However, the collection of security controls and processes required for Level 1 and 2 compliance has already been defined, enabling organizations to get a head start on achieving compliance before it is required to participate in defense contracts.

How to Get a CMMC Certification

The process for earning a CMMC certification depends on the level of the compliance required. For those levels only requiring self-assessment, an Assessment Guide has been published by the CMMC. After completing the self-assessment, a senior company official will be required to annually affirm the company’s compliance.

For CMMC compliance requiring third-party audits, an organization will need to schedule these audits with an accredited Third Party Assessment Organization (C3PAO) and potentially a government assessor. The list of accredited C3PAOs is available on the CMMC Marketplace, and processes for engaging in and completing audits will be available closer to the effective date of CMMC 2.0.

Reach CMMC Compliance with Check Point

Achieving and maintaining Cybersecurity Maturity Model Certification compliance requires compliance with NIST SP 800-171 and potentially NIST SP 800-172 on any systems with access to FCI and CUI. Accomplishing this requires implementing required security controls and demonstrating ongoing compliance.

Check Point CloudGuard can help organizations to achieve and maintain CMMC compliance by performing ongoing monitoring of corporate systems for compliance with the regulation. To learn more about how Check Point can help your organization to implement the required security controls and monitor and maintain them in the long term, sign up for a free demo of CloudGuard.


This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.