CMMC Security and Compliance Requirements
CMMC 2.0 (Cybersecurity Maturity Model Certification) requirements are mandated for organizations in the defense industrial base (DIB) to ensure that federal contract information (FCI) and controlled unclassified information (CUI) are protected.
The stated objectives for CMMC (and similar defense-related requirements) include:
- Contributing to a collaborative culture of cybersecurity and cyber resilience.
- Protecting privileged defense-related data across the supply chain.
- Dynamically enhancing DIB cybersecurity to meet evolving cyber-threats.
- Ensuring contractors’ and subcontractors’ accountability, while minimizing barriers to compliance, by specifying the U.S. Department of Defense’s (DoD’s) requirements.
- Maintaining public trust of the DIB through high professional and ethical standards.
- Safeguarding sensitive information, which can have significant value to U.S. adversaries.
Originally launched in 2020, CMMC version 1.0 was updated to CMMC 2.0 in November 2021. CMMC 2.0’s requirements were further clarified by a Final Rule from the DoD in October 2024.
As CMMC has evolved over the years, drivers for improvement have included the following:
- Reducing organizations’ potential costs to meet CMMC requirements.
- Increasing overall trust in the CMMC assessment ecosystem.
- Continuing to align CMMC requirements with commonly accepted cybersecurity standards.
What are CMMC Requirements?
CMMC requirements must be adhered to by DIB contractors and subcontractors in the DoD supply chain. As a result, CMMC directly impacts thousands of organizations that work with the DoD. Assessment requirements by CMMC level can be recapped as follows:
- At CMMC compliance Level 1, self-assessments are deemed an acceptable form of verification that organizations are adhering to the requirements.
- At CMMC Level 2, a Certified Third-Party Assessment Organization (C3PAO) is generally required to conduct an assessment and determine if the organization qualifies for certification.
- At CMMC Level 3, the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performs an assessment of the CMMC Level 3 security requirements, in accordance with NIST SP 800-172, for information systems within the Level 3 CMMC Assessment Scope. During a CMMC Level 3 Certification Assessment, DCMA DIBCAC may also check CMMC Level 2 security requirements in accordance with CMMC Level 3 scoping. If DCMA DIBCAC finds that a Level 2 security requirement is not met, the Level 3 assessment may be placed on hold or terminated.
CMMC Compliance Requirements and Regulations
While CMMC’s requirements are closely aligned with several National Institute of Standards and Technology (NIST) special publications, NIST and CMMC requirements are not identical. Rather, CMMC’s requirements draw on NIST’s standards and on the other frameworks detailed below.
Following is a summary of the cybersecurity frameworks that have influenced CMMC’s requirements:
At a Glance: Cybersecurity Frameworks That Have Influenced CMMC Requirements

| CMMC Level | Influencing frameworks and regulations |
|---|---|
| CMMC Level 1 | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems |
| CMMC Level 2 | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems; NIST SP 800-171 Rev. 2 |
| CMMC Level 3 | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems; NIST SP 800-171 Rev. 2; NIST SP 800-172; NIST SP 800-53; DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting; DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements; DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements; DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements; ISO/IEC 27002: Standard focused on Information Security Controls; CERT Resilience Management Model (CERT RMM v1.2); CIS Critical Security Controls (CIS CSC v7.1) |
Here’s a brief overview of each of the standards, in the order in which they’re presented in the chart above.
- FAR 52.204-21: Specifies 15 security requirements that DIB suppliers and contractors need to implement, in order to safeguard information that’s classified as FCI.
- NIST SP 800-171 Rev. 2: Provides recommended requirements for protecting the confidentiality of CUI.
- NIST SP 800-172: Enhances security requirements for protecting the confidentiality of CUI when: (1) the information is resident in non-federal systems and organizations; (2) the non-federal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and (3) there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category that’s listed in the CUI Registry.
- NIST SP 800-53: Defines the minimum security controls for all federal information systems, except for those related to national security.
- DFARS 252.204-7012: Requires DIB suppliers and contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network.
- DFARS 252.204-7019: Requires DIB suppliers and contractors to correctly report and maintain their self-assessments concerning compliance with the NIST SP 800-171 cybersecurity framework under DFARS 252.204-7012.
- DFARS 252.204-7020: Informs DIB suppliers and contractors that the DoD has the right to access “facilities, systems and personnel” that manage, process, store, or transmit controlled unclassified information in the event the DoD deems it necessary to perform a Medium or High-level Assessment.
- DFARS 252.204-7021: Details the CMMC framework, which measures a contractor’s cybersecurity maturity, including implementation of cybersecurity practices and institutionalization of those processes.
- ISO/IEC 27002: Includes a collection of information security guidelines that are intended to help organizations implement, maintain, and improve information security management.
- CERT RMM v1.2: Provides DIB suppliers and contractors with the CERT Resilience Management Model’s (CERT-RMM) process areas, generic goals/practices, glossary, and relevant acronyms.
- CIS CSC v7.1: Gives DIB suppliers and contractors a prioritized set of best practices to improve their cybersecurity posture.
CMMC Security Requirements
- CMMC Level 1 includes 15 security requirements that are aligned with FAR 52.204-21.
- CMMC Level 2 includes 110 requirements that are aligned with NIST SP 800-171 Rev. 2.
- CMMC Level 3 encompasses the 110 CMMC Level 2 requirements that are referred to above, along with 24 additional requirements from NIST SP 800-172.
CMMC Requirements Embody Security Best Practices
The DoD considers CMMC requirements a critical part of its defense against cyberthreats that continue to grow in volume and sophistication. While organizations must invest significant time, money, and discipline to adhere to CMMC’s requirements, the result is better cyber-protection and improved supply chain security.
If you have questions about CMMC, Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000+ customers with millions of users worldwide.
Last Updated: 19th November, 2024