Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) Compliance Requirements

Verify that all cybersecurity controls and processes properly protect Controlled Unclassified Information (CUI)

CMMC Certification Services Help Organizations Align With the Department of Defense (DoD) Cybersecurity Mandates

Cybersecurity Maturity Model Certification (CMMC) compliance is required for defense contractors and subcontractors that handle Controlled Unclassified Information (CUI). While all contractors and subcontractors must perform an annual self-assessment, those handling information considered critical to national security must be assessed by a C3PAO (CMMC Third Party Assessment Organization) or another accredited CMMC certification body.

CMMC certification services start with a gap analysis, which assesses an organization's current CMMC processes and practices and compares them against those needed to meet CMMC compliance requirements. A third-party assessment enables a smoother transition to the new contract eligibility requirements, and contractors typically achieve compliance more efficiently.

By March 2025, it is estimated that the CMMC 2.0 rule will take effect for all new contracts. On average, it takes 12-18 months for an organization to implement the requirements needed to handle information critical to national security.

Overview of the CMMC

Cybersecurity mandates have made their way through the defense industry, becoming more important as government-led efforts increase to protect the U.S. defense supply chain from outside cyber threats and lower risk levels throughout the larger defense sector. 

The Cybersecurity Maturity Model Certification (CMMC) is the latest verification mechanism designed by the Department of Defense (DoD) and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to make sure that all cybersecurity controls and processes properly protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) networks. CUI refers to any government-created or government-owned information that requires safeguarding or dissemination controls under applicable laws, regulations, and government-wide policies.

CMMC 2.0 Announced by the Department of Defense

On November 4, 2021, the U.S. Department of Defense (DoD) released updates to the Cybersecurity Maturity Model Certification (“CMMC”) program, called “CMMC 2.0.” The DoD intends to engage in additional rulemaking to refine and finalize CMMC 2.0. Although the overall goal of the program remains focused on safeguarding sensitive unclassified information, CMMC 2.0 includes several important differences from the original program.

CMMC 1.0 vs CMMC 2.0

The DoD’s announcement indicates that it plans to update the CMMC program to streamline the model, reduce assessment costs, and provide for more flexible implementation. Below are some key differences between CMMC 1.0 and the proposed CMMC 2.0:

  • The total number of assessment levels has been reduced from 5 to 3
  • A self-assessment is allowed at Level 1 and at Level 2 (if the contractor is not handling “critical national security information”)
  • CMMC 2.0 aligns with the required practices of the cybersecurity standards issued by the National Institute of Standards and Technology (NIST)
  • The total number of required security practices is reduced
  • Oversight of third-party assessors is increased
  • CMMC 2.0 allows Plans of Action & Milestones (POA&Ms) and waivers to CMMC requirements under certain, limited circumstances
  • By September 2025, it is estimated that third-party certification assessment requirements will be introduced at Level 2

CMMC 2.0 Implementation Timeline

The proposed changes still need to go through the rulemaking process, which DoD anticipates could take 9-24 months; contractors will not be required to comply with CMMC 2.0 until the forthcoming rules go into effect.

This differs significantly from the prior timeline for CMMC 1.0, which included pilot programs and gradual implementation, culminating with the mandate for widespread inclusion of the CMMC requirements in all DoD solicitations by October 1, 2026. 

For CMMC 2.0, there currently is no mention of pilot programs, and DoD is suspending the current CMMC pilot program while the rulemaking process is ongoing. 

It appears the timeline for implementation has been accelerated, as DoD stated CMMC 2.0 will become a contract requirement once the rulemaking is complete.

The Importance of CMMC 

The CMMC process verifies that all contractors under consideration have adequate cybersecurity controls and policies in place to meet the DoD's strict defense requirements and security standards. CMMC enables organizations to:

  • Add value and cost-effectiveness to their integrated QMS approach
  • Optimize their Enterprise Risk Management
  • Establish a benchmark against which they can evaluate the current capability of their processes, practices, and methods, and set goals and priorities for improvement

Your Trusted Partner

TÜV SÜD’s experienced Information Security Management System (ISMS) teams possess the accreditation and expertise to advise on CMMC. Through our worldwide network of IT governance professionals, we can provide information on CMMC. Furthermore, TÜV SÜD’s experts actively participate in international standard committees, and we have a complete understanding of the latest Personally Identifiable Information (PII) regulatory developments around the world.
