CMMC Framework: The New Cybersecurity Compliance for Defense Contractors
An in-depth guide to the Cybersecurity Maturity Model Certification (CMMC) framework, detailing its levels, requirements, and how defense contractors can achieve compliance.
The Defense Industrial Base (DIB) is the vast, complex network of private sector companies, subcontractors, and academic institutions that research, design, develop, and manufacture military systems and components for the Department of Defense (DoD). This supply chain represents a prime target for advanced persistent threats (APTs) and state-sponsored espionage operations. While adversarial nations might struggle to penetrate the heavily fortified networks of the Pentagon directly, they have frequently succeeded in stealing highly sensitive military blueprints, weapons specifications, and strategic data by compromising the comparatively weaker networks of downstream civilian defense contractors.
For years, the DoD relied on the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandated that contractors implement the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. However, this model relied on "self-attestation"—companies essentially checking a box to promise they were compliant. Predictably, this trust-based system failed. Audits routinely revealed that many contractors who claimed compliance were, in reality, operating with severe security vulnerabilities, leaving sensitive national security data dangerously exposed.
To address this systemic supply chain vulnerability, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). CMMC represents a paradigm shift in defense contracting compliance, transitioning the industry from a self-attestation model to a rigorous system of mandatory, third-party cybersecurity assessments. This article will dissect the CMMC framework, exploring its evolution, defining its critical requirements, and providing a strategic roadmap for defense contractors to achieve and maintain this essential certification.
The Evolution of CMMC: From 1.0 to 2.0
The initial rollout of CMMC (Version 1.0) in 2020 sent shockwaves through the DIB. While its intent was sound, the execution was highly complex. CMMC 1.0 consisted of five maturity levels and introduced new, unique cybersecurity practices that were not found in any existing NIST standard. Small and medium-sized businesses (SMBs) across the defense supply chain raised significant concerns about the exorbitant costs, the administrative burden, and the confusing complexity of achieving compliance.
In response to this industry pushback and following an extensive internal review, the DoD announced CMMC 2.0 in late 2021. CMMC 2.0 was designed to simplify the framework, reduce compliance costs for small businesses, and align the requirements strictly with widely accepted federal cybersecurity standards.
The key changes introduced in CMMC 2.0 included:
- Streamlined Levels: The framework was reduced from five levels down to three.
- Alignment with NIST: CMMC 2.0 eliminated all CMMC-unique practices. The requirements are now mapped 100% directly to NIST SP 800-171 and NIST SP 800-172.
- Flexible Assessments: It re-introduced self-assessments for certain lower-risk contracts, reducing the bottleneck and cost of requiring third-party assessors for every single contractor.
- Allowance of POA&Ms: CMMC 2.0 allowed contractors to achieve certification even if they had a few unmet requirements, provided they had a strict Plan of Action and Milestones (POA&M) to remediate them within a specific timeframe (typically 180 days).
The Core Data Types: FCI and CUI
Before diving into the specific levels of CMMC, it is critical to understand the two specific types of unclassified data that the framework is designed to protect. A contractor's required CMMC level is entirely dependent on which type of data they handle.
1. Federal Contract Information (FCI)
Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service to the government. This information is not intended for public release. Examples of FCI include contract performance reports, organizational charts, billing information, and general project communications. Crucially, FCI does not include information provided by the government to the public (like a public job posting) or simple transactional information (like processing a payment). If a contractor only handles FCI and nothing more sensitive, they only need to comply with the baseline requirements of CMMC Level 1.
2. Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is significantly more sensitive than FCI. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. While it is not strictly "Classified" (like Secret or Top Secret data), its unauthorized disclosure could pose a threat to national security or the privacy of individuals. The DIB handles a massive volume of CUI. Examples include:
- Export Controlled Data: Information related to defense articles regulated by the International Traffic in Arms Regulations (ITAR).
- Controlled Technical Information (CTI): Engineering drawings, source code, technical reports, and specifications for military hardware.
- Naval Nuclear Propulsion Information (NNPI).
If a contractor creates, processes, stores, or transmits CUI, they must adhere to the stringent requirements of CMMC Level 2 or, in highly sensitive cases, Level 3.
The Three Levels of CMMC 2.0
CMMC 2.0 operates on a tiered structure. As a contractor handles more sensitive information, the required cybersecurity maturity level—and the associated assessment rigor—increases accordingly.
Level 1: Foundational (Protecting FCI)
Level 1 is the entry point for the CMMC framework and applies to contractors who only handle Federal Contract Information (FCI). The goal of Level 1 is to establish basic cybersecurity hygiene.
- Practices: It requires the implementation of exactly 17 basic cybersecurity practices. These practices are directly derived from the FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Examples include implementing antivirus software, enforcing passwords, updating operating systems, and physically controlling access to facilities.
- Assessment: For Level 1, contractors are permitted to perform an Annual Self-Assessment. A senior company official must formally affirm that the 17 practices are implemented and enter this score into the DoD’s Supplier Performance Risk System (SPRS).
Level 2: Advanced (Protecting CUI)
Level 2 is the core of the CMMC framework and applies to the majority of defense contractors who handle Controlled Unclassified Information (CUI). This level ensures that the organization has robust, proactive cybersecurity defenses capable of resisting more sophisticated attacks.
- Practices: Level 2 requires the implementation of exactly 110 practices. These 110 practices are a one-to-one mirror of the requirements found in NIST SP 800-171 Revision 2. The domains covered include Access Control, Incident Response, Risk Assessment, System and Communications Protection, and Media Protection.
- Assessment: The assessment requirement for Level 2 is bifurcated based on the criticality of the CUI involved in the specific contract:
  - Level 2 with C3PAO Assessment: The vast majority of Level 2 contracts will require a Triennial Third-Party Assessment. The contractor must hire a Certified Third-Party Assessment Organization (C3PAO), an independent auditing firm accredited by the Cyber AB, to conduct a rigorous, on-site audit of their IT systems to verify that all 110 controls are fully implemented and effective.
  - Level 2 with Self-Assessment: For a small subset of contracts involving "non-prioritized" CUI, the DoD may allow an annual self-assessment, similar to Level 1, but assessing all 110 NIST 800-171 controls.
Level 3: Expert (Protecting High-Priority CUI)
Level 3 applies to a very small percentage of DIB companies working on the DoD's most critical, highly sensitive, and cutting-edge programs (e.g., advanced weapons systems development). These contractors are prime targets for APTs and require the highest level of defense.
- Practices: Level 3 requires the 110 practices of Level 2, plus a subset of approximately 24 enhanced security requirements drawn from NIST SP 800-172. These enhanced controls focus heavily on advanced threat hunting, penetration testing, and building systems capable of sustaining operations during a cyber attack.
- Assessment: Because of the extreme sensitivity of these programs, commercial C3PAOs are not permitted to conduct Level 3 assessments. Instead, these Triennial Assessments are conducted directly by government officials from the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The Assessment Process and POA&Ms
A significant improvement in CMMC 2.0 is the formalized acceptance of Plans of Action and Milestones (POA&Ms). In the original version, a contractor had to pass 100% of the controls to get certified. If they missed one control out of 130, they failed.
Under CMMC 2.0, the DoD recognizes that perfect compliance is difficult. If a contractor undergoes a C3PAO assessment for Level 2 and falls short on a few minor requirements, they can still receive a conditional certification.
- The Rules of POA&Ms: Not all controls are eligible for a POA&M. Critical security controls (weighted heavily in the NIST scoring system) must be fully implemented at the time of the assessment. If a critical control is absent, the contractor fails.
- Time Limit: If a POA&M is allowed for a minor deficiency, the contractor typically has a strict 180-day window to remediate the issue and close the POA&M. If they fail to do so, their conditional certification is revoked, and they risk losing the contract.
How Defense Contractors Can Prepare for CMMC
Achieving CMMC certification is not an IT project that can be completed in a few weeks; it is a major organizational transformation that typically requires 12 to 18 months of sustained effort. Contractors must approach preparation systematically.
Step 1: Determine the Required CMMC Level
The first step is determining what type of data the company handles. Review existing DoD contracts. If the contract includes DFARS 252.204-7012, the company handles CUI and must prepare for CMMC Level 2. If it only includes FAR 52.204-21, they handle FCI and need Level 1. When in doubt, consult with the prime contractor or the DoD contracting officer.
Step 2: Define the CUI Enclave and System Boundary
This is perhaps the most critical architectural decision a contractor will make. Applying NIST 800-171 controls to every single computer, server, and employee in a large organization is incredibly expensive and administratively crushing. Instead, contractors should aggressively scope their environment by creating a "CUI Enclave." This involves logically and physically isolating the systems that process, store, or transmit CUI from the rest of the corporate network (e.g., using a separate VLAN, dedicated firewalls, and restricted access controls). By doing this, the rigorous CMMC Level 2 requirements apply only to the enclave, drastically reducing the cost and complexity of the eventual C3PAO assessment.
Step 3: Conduct a Readiness Assessment and Gap Analysis
Once the boundary is defined, the organization must conduct a brutally honest gap analysis against the required standard (either the 17 practices for Level 1 or the 110 practices of NIST 800-171 for Level 2). This should ideally be performed by an external Governance, Risk, and Compliance (GRC) consultant or a Registered Provider Organization (RPO) who understands how C3PAOs interpret the rules. The output of this gap analysis is the master to-do list for the remediation phase.
Step 4: Remediation and Documentation (SSP Construction)
The remediation phase involves purchasing and deploying security tools (e.g., MFA, SIEM, Endpoint Detection and Response), reconfiguring networks, and training employees. Crucially, CMMC is an evidence-based audit. It is not enough to simply have a firewall; the contractor must prove that the firewall is configured correctly and managed according to policy. Therefore, extensive documentation is required. The most important document is the System Security Plan (SSP). The SSP is a comprehensive, living document that describes the IT environment, defines the system boundary, and explicitly details exactly how the organization implements each of the 110 NIST 800-171 controls. A C3PAO will read the SSP before they ever look at a computer screen. If the SSP is incomplete or inaccurate, the assessment will likely fail.
Step 5: Engage a C3PAO for the Formal Assessment
Once the organization believes it is fully compliant (or has a small number of acceptable POA&Ms), they must contract with an authorized C3PAO listed on the Cyber AB marketplace to schedule the formal assessment. The C3PAO will review the SSP, interview system administrators, inspect technical configurations, and observe processes to verify compliance. Upon successful completion, the C3PAO submits the recommendation, and the certification is awarded, clearing the contractor to bid on and execute DoD contracts.
The implementation of the CMMC framework represents a permanent and necessary shift in how the Department of Defense secures its supply chain. For defense contractors, cybersecurity is no longer an optional IT expense or a self-attested checkbox; it is a fundamental business requirement and a critical barrier to entry for the federal marketplace. While the journey to CMMC compliance requires significant investment in time, resources, and cultural change, it ultimately results in a highly resilient organization capable of protecting sensitive national security data from the world's most capable cyber adversaries.
Ready to test your knowledge? Take the CMMC Framework MCQ Quiz on HackCert today!