What contractors should start to consider with the DoD’s CMMC compliance standards

Q1 2021 has been a tumultuous period in our era of cyber espionage. The Center For Strategic & International Studies (CSIS), which has been tracking “significant cyber incidents” since 2006, lists 30 major attacks from January to March 2021. Over this same period in 2020, the CSIS noted “just” 21 incidents.


What’s behind this almost 30% increase in the number of cyber attacks? COVID-19 has certainly been one factor, with cyber espionage surrounding vaccine information making headlines across the globe. As vaccine diplomacy takes off, the pace of government-sponsored malfeasance has risen as well.

But while vaccine information is one target of espionage, it represents merely a part of the ever-expanding picture of global cyber defense. At a time when fighter jets are at greater risk of being taken down by a cyber attack than a ballistic missile, governments are investing more than ever in their cyber defense strategy, with new, more rigorous compliance standards emerging across the globe.

The US Department of Defense (DoD) is no exception. Its Cybersecurity Maturity Model Certification (CMMC), first unveiled in November 2020, standardizes cybersecurity best practices for the hundreds of thousands of vendors and contractors working with the DoD.

The good news is that vendors have until 2025 to meet these unified standards. Yet the companies that understand and implement CMMC requirements sooner rather than later, will not just solidify their relationship with the DoD, but they’ll also set themselves up for greater cybersecurity protection throughout our new era of technological defense.

CMMC compliance expectations

The best way to understand the CMMC, at a basic level, is to grapple with what it augments and why. While the CMMC doesn’t completely replace the National Institute of Standards and Technology (NIST) SP 800-171, it does include and build on these standards for a clear purpose.

As noted by one DoD official, “only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the [NIST].” The prohibitive costs and complex requirements of NIST SP 800-171 have left DoD vendors and contractors unable to meet its many demands.

Enter the CMMC. With this new regulation, the DoD establishes five levels of cybersecurity preparedness, ranging from level one (basic cybersecurity preparedness) to level five (advanced/progressive capabilities). The number of controls required rises at each level, with level three corresponding to the 110 controls of NIST SP 800-171.

Achieving compliance at every level

The first step for companies seeking CMMC compliance is to recognize which level they want to achieve, then decide the best steps needed to comply with the corresponding standards. Levels one and two grant contractors access to Federal Contract Information (FCI): information not provided to the public, but necessary for contractors to develop a product or service.

At level one, the cybersecurity practices required to achieve compliance merely need to be “performed” — that is, the cybersecurity standards are in place, even if they aren’t documented, which would move the company to level two. Regardless, companies and the Managed Services Providers (MSPs) to whom they outsource their IT efforts would do well to document everything they can to ensure standards are being met.

Level three’s overlap with the NIST SP 800-171 standards allows companies access to Controlled Unclassified Information (CUI), information that “requires safeguarding or dissemination controls,” but is not classified information. Only a small number of companies will go beyond level three to achieve the advanced standards of level four and level five.

What to look for if partnering with an MSP to achieve compliance

Unlike with the NIST standards, there are no self-certifications for the CMMC. To achieve compliance by the 2025 deadline, companies must meet the standards set by the new assessment guides published by the DoD.

These guides are worth a read, even though a self-assessment is not enough to fall in line with the new standards. The level three guide is 430 pages long — quite a bit of reading material for even technically-minded contractors and business leaders.

Additionally, this document only lists what companies need to accomplish, without information on how to go about achieving and maintaining compliance. This is where MSPs certified by the DoD’s CMMC Accreditation Body can make the difference.

However, to assess if an MSP has the competency to handle your specific CMMC compliance requirements, you should ask for detailed information on the following:

  • Their processes and templates used when undertaking a gap analysis, to identify shortcomings in a company’s IT infrastructure
  • Examples of System Security Plans (SSP) they have built for other clients with similar needs
  • Examples of Plan of Action and Milestones (POA&M) that provide clear, actionable guidance for clients

These plans will be correlated to a given CMMC level, whether a company aims for basic cybersecurity hygiene, optimized security processes, or any level in between.

With the stakes being so high for companies seeking compliance, it’s vital that contractors take the time to vet MSPs and ensure they pick one that has the capabilities to deliver on time and on budget. Any delay in passing the certification audit can undermine their bid for government contracts, affecting the bottom line of companies who count on DoD business for a portion of their revenue.

No doubt, plenty of contractors will be willing and able to identify cybersecurity gaps and independently build their infrastructure in accordance with CMMC guidelines. This hands-on process works best for companies with ample IT resources and a background in cybersecurity compliance. However, for firms without this in house knowledge, a CMMC-accredited MSP can provide clear, actionable planning and resources to not only successfully bid on DoD contracts, but to ensure robust cybersecurity standards for 2025 and beyond.

Don't miss