SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

The Cybersecurity Maturity Model Certification (CMMC) is a new framework that aims to better secure federal contract information (FCI) and controlled unclassified information (CUI) that is stored, processed, or transmitted by defense contractors and the entire defense industrial base (DIB).

American defense data is incredibly valuable, and that includes highly sensitive personnel records and technical data. As such, the DIB continues to be a prime target for exploitation, and because the leak of such could endanger the lives of government personnel and service members—not to mention the risk of billions of financial losses—the Department of Defense (DoD) began laying the groundwork that, when rulemaking is complete, will be CMMC.

As one of the first authorized CMMC third-party assessor organizations (C3PAOs), we’re going to provide a complete introductory overview of this new certification, including more on what it constitutes, who will need CMMC, the requirements, and how to get certified so that when the program truly launches, you’ll be able to proceed more quickly.

What is CMMC?

Initially announced back on January 31, 2020, CMMC is meant to mitigate federal data risk, standardize protection practices, and improve cybersecurity preparedness among those involved with the U.S. government and the country’s defense.

As overseen by the DoD together with CMMC’s governing body Cyber AB, the certification builds upon previously introduced initiatives. As of September 2017, contractors—as per DFARS 252.204-7012—were required to comply with the controls specified in the NIST SP 800-171. DFARS 7019 was implemented, further requiring them to self-assess and enter their scores into SPRS (Supplier Performance Rating System).

(At the same time, DFARS 7020 and 7021 were announced, which will create the CMMC program that is currently anticipated to be enacted in 2024.)

But suspicion grew that these organizations weren’t always attesting correctly or truthfully, and so they set up CMMC, under which DIB contractors will be required to implement certain cybersecurity protection standards and as required, obtain CMMC certification—in some cases, by way of a C3PAO assessment—in order to be eligible for a DoD contract award.

Who Needs CMMC Compliance?

If you’ve noticed the sole focus on the defense industry, that’s not an accident. There are hundreds of thousands of defense contractors that participate in and make up the current DIB, and if you’re currently doing business as part of that base, you’ll soon need to become CMMC certified. That includes:

  • Any organization that is a contractor or subcontractor within the Defense Industrial Base (DIB) and possesses Federal Contract Information (FCI).
  • Organizations that deal with Controlled Unclassified Information (CUI)—especially those considered particularly high-risk.

Moreover, if you’re not yet part of the DIB but have been—or perhaps may in the future—considering expanding your trade to the DoD, you’ll also need to start making arrangements to comply with the stringent requirements.

What are the CMMC Compliance Requirements?

Speaking of requirements, these will vary based on what level of CMMC compliance you’ll be required to achieve, and that is dictated by the type of information you handle. Once you’ve determined whether that data is either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you’ll be able to hone on the level you need.

There are three total levels with increasingly expanded requirements:

Level

Details

Level 1
(Foundational)

  • Focused on the protection of FCI
  • Not expected to require assessment by C3PAOs—instead, you’ll be required to self-assess.

Requirements Include: 17 of the NIST SP 800-171 requirements as specified in FAR Clause 52.204-21 with no other additional practices, which includes your demonstrating of basic cyber hygiene practices that help protect FCI.

Level 2
(Advanced)

  • Focused on the protection of CUI
  • Requires assessment by C3PAO

Requirements Include: The 110 requirements from NIST 800-171, which involve creating an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI.

Level 3
(Expert)

  • Focused on the protection of CUI
  • Requires assessment by C3PAO (against L2 controls)
  • Expected to require assessment by DoD for the L3 delta controls (pulled from NIST 800-172)

Requirements Include: The 110 requirements from NIST 800-171, plus a subset of requirements from NIST SP 800-172, which involves:

  • The implementation of standardized and optimized processes and resources to monitor, scan, and process data forensics.
  • Enhanced practices that detect and respond to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

How Do You Get CMMC Certified?

If you’ve concluded that you need to undergo some level of CMMC, you can expect the process to follow at least these key steps.

1. Determine Scope

You’ll need to create a comprehensive inventory of all assets that store, process, or transmit either FCI or CUI (depending on your assessment level), and that may even include systems or services provided by third parties

2. Create Your System Security Plan SSP and Verify Implementation of Practices

This plan is critical to your assessment, and it should contain:

  • Details on personnel involved with the environment where FCI/CUI is stored,
  • A description of said environment, and
  • Explanations as to how you’ve implemented the practices in NIST SP 800-171—you’ll also need additional proof that they’re in place.

3. Engage a C3PAO

At this point, you should be fairly ready to undergo a CMMC assessment, and you can find an assessor on Cyber AB’s marketplace that lists those C3PAOs that are authorized to perform them.

4. Define Your Internal Assessment Team

Because your assessment will be a collaborative effort with your C3PAO, you’ll also need to identify and assign at least two other roles to go with the subject matter experts (SMEs) that’ll need to be available to discuss your in-scope assets:

  • An assessment official (AO): Leads and manages the engagement (a decision-making authority).
  • A point of contact (PoC): Responsible for daily coordination between your organization and the C3PAO assessors.
5. Plan Your Assessment with Your C3PAO

During this phase, you should disclose details regarding the following with your C3PAO:

  • Any previous self-assessments
  • Your estimated timeframe for beginning the assessment
  • Information system architecture, boundaries, and inventory
  • Where your in-scope assets are physically located
  • Any inheritance or shared responsibility with a managed service provider, cloud service provider, etc.

Meanwhile, your C3PAO will also establish how they’ll collect and review your evidence, which may include documentation, interviews, and planned observations/tests.

6. Conduct the Assessment

At this point, the attestation of your adherence to the required practices will begin, and your C3PAO will determine if you’ve met or not met the CMMC standard.

If you disagree with anything that they decide does not meet the standard, you may have an opportunity to appeal (but this is still in development).

7. Remediate Gaps

For those practices your assessor identifies need improvement before they can sign off, CMMC may allow:

  • Plans of Action and Milestones (POA&M): Must be completed within 180 days of the completion of the assessment.
  • Limited Practice Deficiency Correction Designation: For more minor issues (i.e., insufficient documentation, etc.).

Our whitepaper titled “How to Get CMMC Certified” provides greater detail on each of these steps and will help paint a more thorough picture of the CMMC process.

Moving Forward with CMMC

Though rulemaking is ongoing and the certification has yet to go live, upon its launch, CMMC, and its stringency will make a challenging mountain that DIB contractors will be required to climb. But now that you’ve acquired a thorough overview of the certification program, you can get started on understanding how your organization specifically fits into it.

There are also some other things you can do to prepare for CMMC in the meantime, and there’s a specific opportunity that may suit your organization as an interim step—it’s called the Joint Surveillance Program (JSP), and you can learn more about it in our upcoming articles, including the experience of one contractor who has already gone through it, here:

  • What is Joint Surveillance and How Can Organizations Participate
  • Insight Into the Joint Surveillance Voluntary Assessment (JSVA) Program

Additionally, organizations may choose to have Schellman perform an assessment using the NIST 800-171 standard or a CMMC gap assessment in preparation for CMMC certification. If you’d like to proceed with the JSP, a NIST 800-171 assessment, or a CMMC gap assessment and you’d like to learn more about how Schellman can help, contact us today.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.