CMMC Assessment
Let’s jump in and learn:
What Is a CMMC Assessment?
CMMC has three compliance levels that align with an organization’s risk profile, which are associated with the type of data they use, store, and transmit.
CMMC is a mandatory requirement for all companies working with the U.S. Department of Defense (DoD), with Level 1 being the least stringent requirement and Level 3 being the most stringent. A formalized assessment confirms compliance with CMMC Level 2 and Level 3 requirements. Based on the less sensitive data that they manage, Level 1 organizations are only subject to CMMC self-assessments.
A CMMC assessment is focused on an organization’s risk prevention and cybersecurity systems and practices. Whether completed by a third-party or performed as a self-assessment, CMMC assessments are compulsory for organizations that do business with the DoD.
When initially introduced in November 2021, CMMC 2.0 contained stringent security specifications that required third-party assessments at CMMC Levels 2 and 3. Those requirements were ultimately included in the CMMC Final Rule, which was adopted in October 2024.
Here are the specific CMMC requirements at each level:
CMMC Level 1:
Level 1 applies to DoD contractors and subcontractors who manage Federal Contract Information (FCI) only. When CMMC goes into full effect in the March 2025 timeframe, Level 1 organizations will be required to perform annual self-assessments and have their results submitted into the Supplier Performance Risk System (SPRS).
CMMC Level 2:
Level 2 applies to DoD contractors and subcontractors who manage Controlled Unclassified Information (CUI). A small proportion of Level 2 organizations (approximately 5%) will be required to perform annual self-assessments and submit their results into SPRS, as outlined in the Level 1 description above.
The remaining 95% will be subject to formal triennial assessments by a Certified Third-Party Assessor Organization (C3PAO). Their results will be submitted into the Enterprise Mission Assurance Support Service (eMASS).
CMMC Level 3:
Level 3 mainly applies to the largest DoD contractors, who manage the DoD’s most sensitive contracts. In addition to being subject to CMMC Level 2 final assessments, Level 3 organizations are subject to 24 NIST Special Publication (SP) 800-172 requirements that are assessed by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Similar to Level 2, Level 3 companies’ results need to be submitted into eMASS.
In all cases, CMMC certification will ultimately be required as a condition of DoD’s awarded contracts.
Another important consideration for a CMMC assessment is the availability of assessment organizations. As of November 2024, there’s an imbalance between the number of assessment organizations and the number of companies who require assessments. Therefore, DoD contractors should be extremely proactive in booking a CMMC assessment, to ensure they have their assessments performed in a timely manner.
Three Levels for CMMC Compliance
A CMMC assessment will be based on an organization’s level. A summary of the three CMMC compliance levels is as follows.
Level 1
Level 1 applies to organizations that access, use, or store only federal contract information (FCI), which is information that requires protection, but is not considered sensitive or critical to national security. At Level 1, a CMMC assessment can be performed through a self-assessment of how the organization addresses the 15 Level 1 security requirements.
Level 2
This is the minimum level for any organization that handles controlled unclassified information, or CUI. At Level 2, the vast majority of organizations will require third-party CMMC assessments. There are 110 security requirements in Level 2, aligned with NIST SP 800-171 Rev. 2, which are evaluated in the Level 2 CMMC assessment.
Level 3
Most organizations fall under Level 1 or Level 2. However, organizations that handle high-value assets and high-priority programs are required to implement and maintain 134 security practices and controls, from NIST Special Publication (SP) 800-171 Rev. 2 and NIST SP 800-172, to protect CUI from advanced persistent threats or APTs. At Level 3, organizations must have a CMMC assessment by DCMA DIBCAC every three years.
CMMC Assessment and Compliance Acronyms
Key Acronyms to understand when considering CMMC compliance and CMMC assessments are:
- C3PAO – Certified Third-Party Assessment Organization
- The Cyber AB – CMMC Accreditation Body
- CUI – Controlled Unclassified Information
- DFARS – Defense Federal Acquisition Regulation Supplement
- DIB – Defense Industrial Base
- FCI – Federal Contract Information
- NIST SP 800-171 Rev. 2 – Standard cybersecurity requirements for protecting CUI, which have been incorporated into CMMC
- NIST SP 800-172 – Enhanced security requirements for protecting CUI, which have been incorporated into CMMC
- OSC – Organization Seeking Certification
- POA&M – Plan of Actions and Milestones
- RPO – Registered Provider Organization
Who Needs CMMC Certification?
CMMC assessments are required for any organization in the defense industrial base, or DIB, which includes thousands of organizations that perform work for the U.S. DoD. This covers all DoD contractors and subcontractors. The participants involved in a CMMC assessment depend on the type and nature of the information that flows down from the prime contractor.
If an organization does not possess, store, or transmit CUI, but does possess FCI, it is required to meet FAR clause 52.204-21. This means that the organization needs to be certified at a minimum of CMMC Level 1.
Organizations are conceivably allowed to achieve different CMMC levels for parts of their network based on where CUI or FCI are handled and stored. However, industry best practices suggest that CMMC compliance levels be the same across an organization’s network. This allows disparate groups within the ecosystem to communicate and share information more easily.
The CMMC certification process varies depending on the desired level. Generally, an organization can spend 12-18 months preparing for and going through the CMMC assessment process, even when they have the requisite skill-sets in place.
According to the DoD: “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
What Is CMMC Compliance?
CMMC compliance and related CMMC assessment requirements align with the U.S. Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) document. The CMMC is a security framework mandated for all of the thousands of organizations that work with the DoD. CMMC compliance requirements vary according to the three levels of security maturity. Depending on the work they do and the information they manage, organizations fall into three categories with regard to CMMC compliance and their related CMMC assessments.
The need for CMMC was explained by Katie Arrington, Chief Information Security Officer (CISO) for the Assistant Secretary of Defense for Acquisition, in this document: “The U.S. is losing $600 billion a year to our adversaries in exfiltration, data theft and R&D loss. If we were able to institute good cyber hygiene and we were able to reduce, let’s just say email phishing schemes by 10%, think of the amount of money that we could save to truly reinvest back into our partners in the industrial base that we need to stay on the competitive edge. And the only way that we saw fit to do this was to create this CMMC so we can ensure that we are doing everything we can do to buy down the risk of our adversaries stealing our hard work.”
CMMC Compliance Timelines
The DoD initially released CMMC in January 2020. According to the original plan, an organization would have to be prepared for a CMMC assessment by 2025, a date that has actually remained the same since CMMC was proposed.
CMMC formally became a Final Rule in October 2024. You can find additional CMMC compliance deadline details in Egnyte’s companion guide here.
CMMC Assessment Preparation Tips
For DoD contractors who have been working on meeting requirements for a CMMC assessment, there is often confusion about the best way to get started. Whether it is a CMMC assessment by a Certified Third-Party Assessor Organization (C3PAO) or a DIBCAC-led CMMC assessment, the following tips will go a long way to make the preparation process easier.
Establish an understanding of the organization’s current state of security
Pay particular attention to how closely the organization is following all of the NIST SP 800-171 Rev. 2 requirements. For a Level 3 CMMC assessment, also review the applicable NIST SP 800-172 requirements.
Perform a gap analysis based on desired CMMC level
Experienced small businesses that do not work with CUI may need to do very little for their self-managed CMMC assessments. However, larger entities may need to implement a long list of additional security requirements to pass their CMMC assessments. Carefully review the CMMC documentation and maintain a detailed list of control requirements for the desired CMMC level to determine what else is needed to facilitate compliance with those requirements, so that your assessment will be successful.
Establish a security roadmap
Based upon internal security assessments, create a plan for how to implement the detailed requirements to be ready for your CMMC assessment. If a CMMC assessment is already scheduled or planned for, work backward and include extra time for inevitable speed-bumps that could arise. Since there is often a long lead time to get a CMMC assessment scheduled due to a limited number of authorized assessors, create a CMMC roadmap to avoid delays that could impact certification.
Stay connected with the CMMC Accreditation Body (The Cyber AB)
The CMMC Accreditation Body is the official accreditation body of the CMMC ecosystem—from assessors to trainers. It provides information about the CMMC assessment process, as well as access to members of the ecosystem. You can also view the Cyber AB’s Town Hall Meetings here.
Preparation Makes a CMMC Assessment Easier and Improves Overall Security
Although the specific directives set forth in CMMC 2.0 were only finalized in October 2024, they are rooted in proven cybersecurity frameworks. Many of the areas focused on in a CMMC assessment are enhancements to frameworks that are already used by the DoD to manage risk in the DIB supply chain. Amongst the frameworks that serve as the foundation of CMMC and its required assessments are NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
Following a CMMC assessment, organizations receive an evaluation from their relevant assessment organization, focused on how it measures up to all of CMMC’s requirements. This detailed report will cover findings across all of the assessed controls—according to the level at which the organization is being assessed.
The CMMC assessment determines whether an organization has achieved the cybersecurity capabilities required to win and maintain contracts with the DoD. In some cases, the assessment report uncovers deficiencies in control implementations, such as a gap that could result in the loss of CUI. In those cases, the organization will have to remediate the issues to achieve a positive result from its CMMC assessment. The scale of a potential failure can range from an isolated occurrence to systemic issues across the organization that need to be addressed.
For organizations that have done or want to do business with the DoD, passing a CMMC assessment is mandatory, but it has significant benefits. A CMMC assessment is a forcing function for assessing and implementing risk management and security solutions. Successful completion of a CMMC assessment results in the continued ability to do business with the DoD and provides confidence in the organization’s overall risk and security posture.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped 22,000+ customers with millions of users worldwide.
Last Updated: 5th November, 2024