Do you have a question about CMMC compliance? Check out our frequently asked questions below or contact our team of certified professionals for help.

CMMC 2.0 reorganizes the model into three levels, down from the original five. This change aligns the CMMC levels with the underlying NIST controls by adding additional security practice domains. CMMC provides the government with a consistent method to measure Defense Industrial Base (DIB) contractor security control implementation. For contractors at Level 2 or Level 3, a third-party assessment team will validate the implementation of the CMMC practices before a contractor is awarded contracts with CMMC requirements. These assessments will be carried out by C3PAOs and US Government auditing teams, for Levels 2 and 3 respectively.
CMMC 2.0 applies to all third parties within the defense supply chain, including contractors, vendors, and any other contracted third parties that support the Department of Defense (DoD). All civilian organizations that do business with the DoD must comply with CMMC 2.0, based on the type of CUI and FCI that they handle and exchange. The list of entities includes:
  • DoD prime contractors
  • DoD subcontractors
  • Suppliers at all tiers in the DIB
  • DoD small business suppliers
  • Commercial suppliers that process, handle, or store CUI
  • Foreign suppliers
  • Team members of DoD contractors that handle CUI such as IT managed service providers

DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC compliance helps ensure that they secure this information the same way that military departments and government agencies do.

Compliance with NIST standards is levied as a contractual requirement through the inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. CMMC requirements result in a contractor self-assessment, or a third-party assessment by a CMMC Third Party Assessor Organization (C3PAO), to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard, and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.

Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification for certain contracts. In the future, CMMC may apply to all non-DoD government contractors as well.

CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD will require all contractors to be certified to one of the three CMMC levels.

Becoming compliant involves identifying your required compliance level, conducting a gap assessment, and implementing the necessary cybersecurity controls. Organizations must document policies and undergo third-party assessments.

The timeline can vary depending on your organization’s preparedness and the level of compliance required. On average, the entire process can take anywhere from 12-18 months.

CMMC 2.0 certifications must be renewed every three years. Organizations are required to undergo a new assessment to ensure that they continue to meet the standards for their compliance level. Significant changes such as mergers and acquisitions could trigger the need for a new third-party assessment if the assessed system changes. Additionally, organizations will need to complete an annual self-assessment.

CMMC 2.0 focuses on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 is expected to be fully implemented by 2025, with requirements gradually integrated into DoD contracts starting in 2024. Organizations should monitor updates to ensure they meet the compliance deadlines for specific contracts. To learn more, check out our timeline here.
More resources can be found on the official CMMC website managed by the DoD. Additional information can be found in the NIST 800-171 framework and through Certified Third-Party Assessment Organizations (C3PAOs).

Don’t Miss Out On Contracts! Meet CMMC 2.0 Compliance Requirements.

As a Registered Provider Organization (RPO), our team at CTI has CMMC certified professionals to help support all your CMMC needs. We have over 20 years of combined experience supporting DoD programs in information technology, information assurance, and cybersecurity. Contact us today to discuss more about your unique situation and how we can help!

Learn more about CTI’s LevelUp Roadmap & Process here