Who Needs CMMC Certification: A Guide For DoD Contractors

Businesses that contract with the US Department of Defense (DoD) handle highly sensitive information whose protection is a matter of national security. If your operation works with the government, you may be wondering: who needs CMMC certification?

In short, any company that contracts with the DoD needs CMMC certification. Read on to learn more about CMMC certification and why it’s important for federal contractors.

What Is CMMC Certification?

CMMC stands for Cybersecurity Maturity Model Certification and consists of rules and regulations for contractors handling sensitive government information. The government adopted CMMC standards for federal contractors in 2019 in response to increased hacking attempts and cyber attacks.

The point of CMMC regulations is to safeguard federal contract information (FCI) and controlled unclassified information (CUI). FCI includes any basic, non-technical information for daily correspondence, such as:

  • Contact information
  • Process documentation
  • Proposals
  • Email communications
  • Performance reports
  • Organizational specifications

CUI, in contrast, includes more sensitive technical information and documentation that the government might provide or your firm might produce. CUI typically includes things like:

  • Technical drawings
  • Blueprints
  • IP
  • Health documentation
  • Software source code
  • Legal materials
  • Personal data

More generally, CMMC is a set of best practices for cybersecurity and defense. The key to CMMC compliance is not just checking off a list of requirements but creating an effective cybersecurity model for FCI and CUI processing and holding.

Who Needs CMMC Certification?

If your business contracts with or is a vendor/supplier of the US DoD, you will require CMMC certification. Most federal contractors possess some level of sensitive information that needs to stay secure. Businesses that protect CUI must show that they properly handle secured documents and information.

CUI is defined broadly, so most contractors work with it. Businesses must identify what types of CUI they work with and which parts of their operation need CMMC certification in order to comply with regulations. Failure to do so could result in loss of contracts and serious legal consequences.

CMMC Compliance Levels

Older CMMC standards included five levels of compliance. The current CMMC 2.0 standards reduce the number of compliance levels to three. Each level pertains to a specific type of sensitive information and has different standards and assessment procedures.

Level 1: foundational cybersecurity

All federal contractors that directly supply or work with the DoD must have Level 1 compliance certification. Level 1 compliance applies to contractors that deal solely with FCI and includes 17 areas of foundational cybersecurity. Level 1 assessments take place in-house once per year.

Level 2: advanced cybersecurity

CMMC Level 2 certification involves compliance procedures for handling CUI. CUI compliance involves 110 security protocols and aligns with all requirements in the National Institute of Standards and Technology (NIST) SP 800-171. Level 2 assessment includes both self and third-party assessments once per three years.

Level 3: expert cybersecurity

Level 3 is the highest compliance level and applies to handling highly sensitive and confidential information. Level 3 compliance involves over 110 distinct protocols and focuses on defending against persistent cybersecurity threats. Level 3 assessment includes a government audit once per three years.

Below is a table summarizing CMMC levels, controls, and assessment procedures.

CMMC 2.0 Compliance Level | # of Controls | Assessment Requirements
Level 1                   | 17            | Annual Self-Assessment
Level 2                   | 110           | Triennial Self and Third-Party Assessment
Level 3                   | Over 110      | Triennial Government-Led Assessment

How Do I Get CMMC Certification?

Most experts recommend spending at least six months planning before producing DoD compliance documentation for contract bids. For Level 1 certification, you must perform a self-assessment and meet the 17 control requirements.

For Level 2 and higher certification, you must schedule a meeting with a third-party agency that holds accreditation from the CMMC Accreditation Body. The CMMC-AB is the only organization that can authorize certified third-party assessment organizations (C3PAO) to provide CMMC certification.

If your chosen C3PAO identifies shortcomings in your cybersecurity structure, you will have 90 days to remedy the problem. All CMMC certifications are public knowledge, but information about issues and modifications is private.

How Much Does CMMC Certification Cost?

CMMC certification costs can vary depending on the type and size of your business. The typical contractor can expect to spend about $3,000 to $5,000 for Level 1 CMMC certification. Generally, the DoD will allow you to write off CMMC certification costs once you win a contract.

CMMC Certification FAQ

Below are some common questions about CMMC certification that you may have.

Does my business need CMMC certification?

You must determine if your business holds CUI to structure the proper cybersecurity measures. All companies that contract with the DoD and handle FCI or CUI must have some level of CMMC certification. If you are unsure if your business handles FCI or CUI, you can check the national CUI Registry.

Do I need CMMC 2.0 or 1.0 certification?

The government introduced CMMC 2.0 standards in November 2021. However, CMMC 2.0 certification will not be required for federal contract bids until the DoD completes the rulemaking process, which can take up to two further years.

What about NIST SP 800-172 requirements?

Level 2 certification for the CMMC 2.0 model is equivalent to requirements in NIST SP 800-172. Level 3 certification includes a subset of NIST SP 800-172 protocols and additional requirements.

What happens if I violate CMMC requirements?

Failure to adhere to CMMC requirements could result in lost contracts, bans from future contracts, and further legal consequences. Avoiding CMMC non-compliance is a matter of cultivating cybersecurity best practices.

Secure Your IT Infrastructure Today!

CMMC compliance is necessary for all DoD contractors. Network Elites offers full-scale cybersecurity risk assessment and vulnerability testing in the greater Dallas area. Our team of experienced IT professionals can help determine who needs CMMC certification in your operation and evaluate your security systems for CMMC assessment.

If you have any questions about CMMC compliance or would like to learn about what SLAs are, contact Network Elites online or call us today at (214) 247-6962 to schedule a consultation!
