
CMMC Overview

Changes to CMMC Rules are coming. Are you ready?

CMMC 2.0 Preparedness Guide

Overview

The Cybersecurity Maturity Model Certification (CMMC) is a new program created by the Department of Defense (DoD) that will require a cybersecurity certification before final award of most DoD contracts. CMMC is a data-centric program and will be required of companies that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in connection with a DoD contract. To receive a certification, companies will have to be assessed against a security framework known as NIST SP 800-171; at Level 2 the certification assessment is performed by a “CMMC Third-Party Assessment Organization” (C3PAO), while Level 1 (and some Level 2 contracts) use an annual self-assessment and Level 3 is assessed by the DoD itself. The program is being created and implemented through two separate federal regulations, which have been working through the government rulemaking process for the past several years.

The 32 CFR rule, which creates CMMC as an official program, was published as final rule 32 CFR Part 170 on October 15, 2024 with an effective date of December 16, 2024. This means that on December 16, CMMC will be an official program and companies can begin seeking certification.

The second rule is the 48 CFR rule, which will modify DoD contracting clauses (DFARS) to require companies to hold the certification before a contract can be awarded to them. 48 CFR is currently published as a proposed rule and is under review, with finalization expected in Spring ‘25. Once finalized, there will be a 60-day review period before the effective date. At that point Phase 1 of the DoD’s phased implementation (see diagram below) will begin and CMMC requirements will start appearing in contracts, most likely in Summer ‘25.

CMMC Timeline

This timeline is adapted from the DoD CIO CMMC timeline, as published December 2024.

CMMC Certification Levels

CMMC has multiple levels with different requirements depending on the type of data you receive in your contracts:

  • Level 1: Federal Contract Information
  • Level 2: Controlled Unclassified Information
  • Level 3: Controlled Unclassified Information for specific highly sensitive programs

More information about these certification levels and details about their requirements can be found on the DoD CIO About CMMC page.

Important Considerations

CMMC compliance can be a long and labor-intensive process for organizations, sometimes taking as long as 18 months before an organization is assessment-ready.

Assessment capacity in the CMMC ecosystem may be a bottleneck. Currently there are only about 60 authorized C3PAOs for the several hundred thousand companies that will eventually need a certification. Engaging an authorized C3PAO early may allow you to get ahead of this bottleneck and ensure your readiness is not compromised.

CMMC is not static and requires ongoing compliance. An assessment is a point-in-time look at your information security program, but CMMC requires reassessment every three years and an annual affirmation of continued compliance from a senior official of your organization.

The government is taking cybersecurity compliance more seriously. There have already been several high-profile False Claims Act suits brought by the Department of Justice against contractors for noncompliance with NIST SP 800-171.

CMMC Requirements

The core requirements for CMMC are centered on a security framework written by the National Institute of Standards and Technology (NIST) known as Special Publication 800-171 (NIST SP 800-171). NIST SP 800-171 Revision 2, the version CMMC assesses against, is a set of 110 security requirements tailored to the protection of controlled unclassified information in non-federal systems. These requirements are grouped into 14 families:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • System & Information Integrity

CMMC Level 1 requires companies to meet the 15 basic safeguarding requirements of FAR 52.204-21 (a subset of the 110), Level 2 requires all 110 controls, and Level 3 adds a further set of controls from NIST SP 800-172.

Some security controls are technical in nature:

3.13.6: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
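What "deny all, permit by exception" looks like on a single Linux host, and how an assessor or internal auditor can check for it, is shown in the added example below. It is not code from the original page or from DoD/NIST; the two rulesets are constructed for illustration (a weak "allow all, block by exception" policy beside a hardened default-drop policy) and the function `findings` reports any built-in chain in the filter table whose default policy would accept unmatched traffic. Interface names, subnets and ports in the sample rules are assumptions.

```python
"""Audit an iptables-save style dump for NIST SP 800-171 3.13.6 (deny by default).

Added example. Both rulesets below are constructed for illustration and do not
come from any real host; run `iptables-save` on a system to get real input.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Built-in filter-table chains; their default policy decides what happens to
# traffic that matches no explicit rule.
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]$")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

# Weak (constructed): everything is allowed unless a rule says otherwise.
WEAK_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

# Hardened (constructed): default DROP, with each permitted flow listed explicitly.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""


@dataclass
class ChainReport:
    name: str
    policy: str
    explicit_allows: list[str] = field(default_factory=list)  # the "exceptions"
    compliant: bool = False


def audit_filter_table(dump: str) -> dict[str, ChainReport]:
    """Parse only the *filter table and return, per built-in chain, its default
    policy and the explicit ACCEPT rules attached to it."""
    reports: dict[str, ChainReport] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in BUILTIN_CHAINS:
            reports[m.group(1)] = ChainReport(name=m.group(1), policy=m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) in reports and "-j ACCEPT" in m.group(2):
            reports[m.group(1)].explicit_allows.append(m.group(2))
    for rep in reports.values():
        # Deny-all, permit-by-exception: unmatched traffic must be dropped or
        # rejected. A default of ACCEPT lets through anything not written down.
        rep.compliant = rep.policy in ("DROP", "REJECT")
    return reports


def findings(dump: str) -> list[str]:
    """Return one line per built-in chain that fails 3.13.6 (empty if all pass)."""
    out: list[str] = []
    reports = audit_filter_table(dump)
    for name in BUILTIN_CHAINS:
        rep = reports.get(name)
        if rep is None:
            out.append(f"{name}: no filter-table policy line found")
        elif not rep.compliant:
            out.append(f"{name}: default policy {rep.policy} permits unmatched traffic")
    return out


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, findings(ruleset) or "compliant")
```

The weak ruleset is the inverse of the control: it blocks one service (telnet) and permits everything else, so every new service that appears on the host is exposed by default. The hardened ruleset starts from DROP on all three built-in chains and enumerates the permitted flows (loopback, established connections, SSH from a management subnet, DNS and web egress), which is also the list an assessor will ask you to justify.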

Some security controls are administrative:

3.2.2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities

NIST SP 800-171 is intentionally non-prescriptive so that it can be adopted by any organization regardless of size, budget, or the technology in use. The DoD gives high-level requirements and leaves it to each organization to decide how to implement them in the way that works best for it.

More program information for the CMMC process and model can be found in the following documents supplied by DoD:

Cybersecurity Maturity Model Certification (CMMC) Model Overview [Sept. 2024]

Cybersecurity Maturity Model Certification Overview [Oct. 2024]