×

Diving into CMMC Requirements: Essential Steps for Compliance Readiness

01-Apr 2025 Raj Raghavan

The Cybersecurity Maturity Model Certification (CMMC) Program is designed to ensure that defense contractors and subcontractors meet stringent information protection requirements to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) against threats.

Achieving CMMC compliance is a prerequisite for securing contracts (excluding Commercial-Off-The-Shelf procurements) that support the Department of Defense (DoD). To win or maintain a contract with the DoD, you must meet the specific CMMC level that applies to the type of work you will be providing and the data involved. For existing DoD partners, CMMC compliance is required to renew contracts and remain competitive in the marketplace.

So—how can you prepare your company for a CMMC assessment?

Understanding the Different Levels of CMMC Compliance

The CMMC framework consists of three tiers, each with increasing requirements to protect FCI and CUI data.

The CMMC 2.0 model outlines three maturity levels (ML) of cyber hygiene:

  • Level 1: Ensures basic cybersecurity practices are in place for DoD contractors managing FCI.
  • Level 2: Introduces additional security measures to protect against more sophisticated threats.
    • If your organization handles CUI, Level 2 includes data protection practices that secures CUI and protects against threats.
  • Level 3: Implements the highest level of cybersecurity standards for the most sensitive government information.
    • Level 3 is reserved for highly sensitive contracts concerning national security, intelligence, or critical defense.

As a DoD contractor or subcontractor, achieving the specified CMMC level is mandatory for contract awards. Prime contractors must ensure that all subcontractors in their supply chain meet or exceed the required CMMC certification level. The contract flow-down requirement ensures that every tier maintains robust cybersecurity safeguards.

It’s also worth noting that under the revised CMMC rule, the DoD contract solicitation will specify the minimum CMMC level and assessment type required. In short: You won’t have the option to choose your level. The solicitation will dictate the cybersecurity maturity level you must achieve and whether it requires a self-assessment or an assessment from a CMMC Third-Party Assessor Organization (C3PAO). While you can aim for a higher level if it aligns with your strategic goals, you must at least meet the specified level to be eligible for the contract award.

Let’s delve deeper into each of the CMMC levels.

CMMC Level 1

At Level 1, your focus is on the basic protection of FCI. This level is intended for companies that handle FCI but not CUI. To achieve Level 1 compliance, you must adhere to 17 basic cyber hygiene practices and meet the 15 security requirements outlined in FAR clause 52.204-21.

You are required to perform an annual self-assessment and submit it to the DoD’s Supplier Performance Risk System (SPRS) before you can be awarded any CMMC Level 1 contracts or subcontracts. A company officer must also sign an annual affirmation of compliance, verifying that the self-assessment is accurate and complete. Bear in mind that all security requirements at this level must be fully met, and that you cannot submit a Plan of Action and Milestones (POA&M) with the Level 1 self-assessment.

CMMC Level 2

Level 2 hinges on the protection of CUI. Depending on the type of information processed, transmitted, or stored, you will need to undergo either a self-assessment or a C3PAO assessment every 3 years, as specified in the solicitation. You must also provide an annual affirmation attesting to your compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Additionally, Level 2 requires the submission of your SPRS score on an annual basis, similar to Level 1. Depending on certain objectives, contractors and subcontractors may have an open POA&M item.

Currently, there are over 80,000 contractors classified under Level 2.

CMMC Level 3

Level 3 is designed for the highest level of protection against advanced persistent threats. Companies at this level require a government-led certification by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). While DIBCAC assessments are not always required immediately at contract award, contractors may receive conditional certification if certain controls are incomplete but have an approved POA&M.

This level applies to the most sensitive and high-risk DoD projects and includes an additional 24 requirements from NIST SP 800-172. Only about 1% of the Defense Industrial Base (DIB) is affected by Level 3 requirements. To maintain Level 3 status, you must achieve final Level 2 certification, undergo a DIBCAC assessment every 3 years, and provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

CMMC Readiness Best Practices

  • Develop a solid system security plan (SSP): Your SSP can make a strong first impression by demonstrating your understanding of the material, considering all requirements, and articulating how you satisfy them in your SSP.
  • Document policies and procedures—and execute them: Ensure your organization has policies and procedures for each control family. Review them regularly and document all third-party service providers used to process, store, or disseminate CUI. Don’t wait until your official assessment to compile the correct documentation.
  • Carry out an internal review or a third-party readiness assessment: You can utilize the DoD’s CMMC Assessment Guide to help conduct the internal review. However, often times organizations may think they fully understand the requirements but end up misinterpreting things, so having a trusted third-party do the audit helps avoid mistakes.
  • Engage a C3PAO: If your CMMC level involves third-party certification, building a relationship with a C3PAO is nonnegotiable. With 80,000 contractors and less than 60 C3PAOs, you may want to get your assessments scheduled sooner rather than later.

Conclusion

CMMC compliance is a prerequisite for winning and maintaining contracts with the DoD. Whether you are an existing DoD partner or new to DoD contracting, conducting a thorough self-assessment of your information systems is the best way to prepare. Review security requirements and implement relevant cybersecurity measures, as well as take corrective actions to meet any outstanding requirements.

Need help navigating CMMC compliance? Securitybricks is one of a select few firms holding both FedRAMP 3PAO and CMMC C3PAO accreditations. We offer a phased approach tailored to your security and compliance needs, ensuring you have the right information and tools for long-term success. Securitybricks is part of Aprio, a premier business advisory and CPA firm.

We help you navigate the complexities of CMMC compliance with confidence. Get in touch today.