Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense developed the Cybersecurity Maturity Model Certification (CMMC) program in 2020. A year later, they rolled out CMMC 2.0 with the intention of enhancing the protection of sensitive information, especially Controlled Unclassified Information (CUI), within the Defense Industrial Base (DIB).

Is your organization CMMC-compliant? Do you understand the requirements you must meet to receive the CMMC certification?

We manage all areas of CMMC certification as your outsourced cybersecurity department so you don’t have to.

What’s Included in our CMMC Security Program

Our CMMC Security Program includes everything you need to meet all levels of CMMC criteria items, but also NIST-800-171 controls. This includes the following:

What’s Our Track Record

How Much Does Our CMMC Security Program Cost

Explained below are some of the most critical aspects of the CMMC and CMMC requirements that every organization that deals with CUI should be aware of.

CMMC 1.0 vs. 2.0

How do the CMMC 1.0 and 2.0 differ? Some of the key differences between the two versions of the certification are explained below:

CMMC Certification Levels

The CMMC 1.0 model had five certification levels. However, the CMMC 2.0 model has just three. They are as follows:

Level 1 (Foundational)

This level is necessary for DoD contractors and subcontractors that handle CUI and FCI (Federal Contact Information).

Level 3 (Expert)

This level requires the implementation of advanced practices, including system hardening and data recovery. It is designed to protect CUI's confidentiality, integrity, and availability from advanced persistent threats.

CMMC 2.0 Level 2 (Advanced)

This level requires organizations to implement more advanced cybersecurity practices, including access control, media protection, and incident response. It aligns with the National Institute of Standards & Technology SP 800-171 (NIST 800-171) and requires triennial third-party assessments by a CMMC Third-Party Assessor Organization (C3PAO).

Domain Structure

The number of security domains included in the CMMC 2.0 model is much higher than the CMMC 1.0 model.

These additional domains are more closely related to day-to-day operations. They include various topics, including the following:

Anomaly Detection

Supply Chain Risk Management

Incident Response

System Security Planning

These new domains provide a more holistic view of contractors’ operations and offer more assurance of their asset security.

Third-Party Assessors

The CMMC 2.0 model requires the use of C3PAO for both Level 2 and Level 3. C3PAOs are responsible for assessing and certifying companies in the DIB supply chain and ensuring they have met the standard CMMC cybersecurity requirements. They also conduct evaluations and issue certificates of adherence.

CMMC Domains

In addition to the three levels of CMMC 2.0, 17 Core Security Domains represent the specific security practices to which organizations must conform when working with CUI.

The 17 domains are listed below:

Access Control (AC)

Restrict access to CUI

Audit and Accountability (AA)

Keep track of and report who accesses CUI

Configuration Management (CM)

Maintain the integrity of information systems

Incident Response (IR)

Detect and respond promptly to security incidents

Media Protection (MP)

Safeguard CUI that is stored on removable media

Physical Protection (PE)

Ensure proper physical security of equipment and facilities

Risk Management (RM)

Identify and address all vulnerabilities to mitigate risk

Situational Awareness (SA)

Recognize and ensure understanding of changes and anomalies

System and Information Integrity (SI)

System and Information Integrity (SI): Protect information and information systems from threats

Asset Management (AM)

Understand your CUI

Awareness and Training (AT)

Develop and reinforce proper CUI-handling protocols

Identification and Authentication (IA)

Ensure only authorized personnel can access CUI

Maintenance (MA)

Ensure information systems run optimally

Personnel Security (PS)

Vet and protect the employees who handle CUI

Recovery (RE):

Respond to and rebound from security events

Security Assessment (CA)

Evaluate security requirements and make a plan to meet the requirements

System and Communication Protection (SC)

Implement controls to identify and repel potential threats

To Whom Does the CMMC Apply?

Any individual in the Department of Defense supply chain. The list of those who must comply with the CMMC 2.0 guidelines includes contractors who exclusively engage with the Department of Defense, as well as any and all subcontractors.

The following are some examples of individuals that must be compliant:

Department of Defense prime contractors

Department of Defense subcontractors

Suppliers at all tiers in the Defense Industrial Base (DIB)

Department of Defense small businesses suppliers

Commercial suppliers that process, handle, or store CUI

Foreign suppliers

Team members of Department of Defense contractors that handle CUI (e.g., IT-managed service providers)

The specific level of CMMC compliance contractors and subcontractors must meet is based on the type of CUI and FCI that they handle and exchange.

Advantages of Becoming CMMC 2.0 Compliant Now

Organizations have until October 2025 to become compliant with the newest version of the CMMC. That might seem like a long way away, but time moves more quickly than most of us think. The sooner you get started, the better off you and your team will be.

The following are some specific advantages that come with beginning your compliance journey now:

Competitive Advantage

Soon, the DoD will require contractors and subcontractors to be CMMC-certified for new contracts. If you’ve already taken steps to become CMMC-certified, you’ll stand out from your competitors and be more likely to be selected.

Improved Reputation

Achieving compliance now proves you take CMMC seriously and are unlikely to cause any compliance problems for your affiliates.

Improved Cybersecurity and Fewer Risks:

CMMC offers a detailed outline for how you can secure information systems and data. Implementing these controls allows you to strengthen your cybersecurity strategy and reduce the risks your organization faces.

Reduced Liability:

CMMC can reduce your organization’s liability in the event of a data breach or any other cybersecurity incident. If you’re compliant, you can prove that you did everything correctly and are not to blame.

CMMC Certification Requirements: How to Achieve CMMC Compliance

You understand the benefits of being CMMC-compliant, but do you know how to get your organization certified? Here are the essential steps to start taking today: 

Step 1. Determine Your Required CMMC Level

The first step is determining your CMMC level (1, 2, or 3). Here’s a quick breakdown of who falls under which category:

Level 1

Department of Defense contractors and subcontractors that handle FCI, or “Information not intended for public release [that] is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”

Level 2

Department of Defense contractors and subcontractors that handle the same type of CUI must meet level 2 compliance. If only select information flows down to the subcontractor, a lower CMMC level may apply.

Level 3

Level 3 applies to Department of Defense contractors and subcontractors that handle CUI for DoD programs with the highest priority.

Step 2. Perform a Self-Assessment

The next step is to conduct a self-assessment to get a better idea of how your organization is doing and where you need to improve when it comes to cybersecurity. Your assessment should include a thorough review of your cybersecurity maturity, including policies and procedures, access control, network security, and incident response strategies and capabilities.

Step 3. Utilize Additional Cybersecurity Frameworks

The CMMC was developed from existing frameworks, and because of this, there is significant overlap. Some frameworks and certifications that can help you achieve CMMC certification include the following:

  • National Institute of Standards and Technology Cybersecurity Framework
  • Federal Risk and Authorization Management Program
  • International Organization for Standardization 27000 standards
  • NIST Special Publication 800-171

By ensuring compliance with these frameworks and certifications, you can improve your overall cybersecurity strategy and ensure compliance with CMMC requirements.

Step 4. Create a Plan of Action and Establish Milestones

If your self-assessment revealed weaknesses in specific areas, create a plan of action to focus on those and ensure they’re up to par. Establish distinct milestones so you can measure progress and ensure you haven’t missed any critical steps.

Step 5. Develop a System Security Plan

CMMC-compliant organizations must create a system security plan (SSP).

This plan should include details about each system in the IT environment that stores or transmits controlled unclassified information (CUI). For example, it should outline the flow of information between systems, along with company regulations, network diagrams, administrative duties, and staff security requirements.

Remember that the SSP is a living document. You should update it whenever you make significant changes to your security profile/procedures.

Step 6. Select a Third-Party Assessor Organization

A CMMC Third Party Assessor Organization (C3PAO) has been authorized to conduct CMMC assessments. They will assess your organization’s compliance with the CMMC guidelines.

When looking for an authorized C3PAO, make sure they have experience in your industry and are appropriately accredited through the Cyber AB (the official CMMC accreditation body). You should also ask for references and seek feedback from previous clients. 

Once you’ve chosen a C3PAO, you will work closely with them. They will provide guidance and help you understand the essential steps you must take to achieve and maintain compliance.

Ensure CMMC Compliance with BlueSteel

CMMC compliance can give your organization a competitive advantage, enhance your cybersecurity strategy, and reduce your liability.

If you haven’t updated your cybersecurity protocols to be compliant with CMMC 2.0, now is the perfect time to get started. Follow the steps outlined above, and if you need more guidance or support, our team at Bluesteel Cybersecurity is ready to assist.

Contact us today for more information on CMMC certification training and compliance.

Cybersecurity healthcare facilities

Ensure HIPAA and HITECH Compliance with Bluesteel

For any organization that deals with electronic protected health information, compliance with HIPAA and the HITECH Act is critical. Making sure you are compliant, especially with the latest updates, can be tricky, though.
Follow the guidelines shared here to begin ensuring compliance. If you need more assistance, though, reach out to our team at Bluesteel Cybersecurity.
We offer compliance preparation services to help you feel confident that you’ve checked every box and done everything you can to protect your business and your customers/clients.

Contact information

Questions About CMMC Level 1? Send Them Here:

Recent posts