The Cybersecurity Maturity Model Certification (CMMC) is a new government-led cybersecurity program designed to strengthen the security of the Department of Defense (DoD) and the Defense Industrial Base (DIB).

‍

The CMMC program encompasses a wide range of technical, operational, and governance-related cybersecurity practices, including data protection protocols, access control measures, and ongoing personnel training. Meeting these practices is mandatory for organizations working with the DoD—or planning to—that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 

‍

To make the entire process easier, we'll cover the key CMMC compliance requirements for each certification level. We’ll also provide you with tips for preparation to ensure you're on track for certification. 

‍

CMMC compliance requirements: A detailed breakdown

‍

The CMMC compliance practices your organization needs to meet depend on which certification level it wants to achieve. This level is determined by the type of data your organization handles and its role in the DoD supply chain.

‍

With these criteria in mind, the CMMC program is split into three levels:

‍

1. Foundational (Level 1): Focuses on basic cybersecurity hygiene and protection of FCI
2. Advanced (Level 2): Requires stronger security practices to ensure the overall protection of CUI
3. Expert (Level 3): Involves granular and high-level security practices for advanced protection of CUI

‍

‍

Each level has specific requirements, with the complexity increasing as you move up the scale. In the following sections, we’ll look into the detailed requirements for every level.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

CMMC Level 1: Foundational

The CMMC Level 1 is the entry-level certification designed for organizations handling FCI. The main focus of Level 1 certification is basic cybersecurity hygiene.

Achieving Level 1 certification requires your organization to do a self-assessment, using the 15 practices outlined in FAR clause 52.204-21 as the measurement criteria. Some of the key ones your organization will have to implement to pass the assessment include:

‍

• Limiting system access to authorized users, processes, and devices
• Verifying and controlling connections to external information systems
• Identifying and authenticating the identities of users, processes, and devices 

‍

Your company must comply with all practices to get Level 1 certification. Once you complete the assessment, you need to log the results into the Supplier Performance Risk System (SPRS) and submit the initial affirmation. 

‍

Keep in mind that achieving CMMC certification is not a one-and-done deal. To remain compliant, you'll need to repeat the assessment and affirmation process annually.

CMMC Level 2: Advanced

CMMC Level 2 certification is required for organizations that handle CUI. Due to the increased sensitivity of this information, organizations seeking Level 2 certification will have to implement more stringent security measures than those required for Level 1.

‍

Depending on the sensitivity of the data your organization handles, there are two ways you can conduct the Level 2 assessment:

‍

1. Self-assessment: Typically required for organizations handling less sensitive CUI
2. C3PAO (certified third-party assessor) assessment: Generally required for organizations handling more sensitive CUI

‍

Independent of the assessment method, the measurement criteria for achieving Level 2 certification are the 110 NIST SP 800-171 R2 requirements.

‍

Achieving Level 2 certification requires implementing a broad set of security practices across multiple areas, which can be time-consuming. However, you don’t have to meet all of the criteria immediately. 

‍

If your organization doesn’t meet 100 percent of the required practices for Level 2 certification, you can still receive a Conditional CMMC certificate. To be eligible, your organization needs to fulfill at least 80 percent (88/110) of the criteria and submit a Plan of Action & Milestones (POA&M), which details how you’ll remediate the remaining gaps within 180 days.

‍

Depending on the assessment method, you’ll need to submit the results to one of two platforms:

‍

• Self-assessment results should be submitted to the SPRS
• C3PAO assessment results should be submitted to the CMMC Enterprise Mission Assurance Support Service platform (eMASS) by the C3PAO—organizations cannot enter results themselves

‍

The Level 2 certificate is valid for three years. To maintain certification, your organization must complete an annual affirmation to verify continued compliance.

‍

CMMC Level 3: Expert

Level 3 is the highest level of CMMC compliance, designed for organizations that handle highly sensitive CUI. It requires compliance with the 110 NIST SP 800-171 R2 requirements that Level 2 organizations must follow and an additional 24 advanced requirements from NIST SP 800-172 (outlined in 32 CFR 170.14).

‍

Some of the additional practices include:

‍

• Creating cybersecurity operations centers (CSOCs) and incident response teams (IRTs)
• Automating the detection of unauthorized components
• Providing regular awareness training for all company members
• Conducting cyber-threat hunting activities 
• Performing penetration testing annually or after each update

‍

The assessment process for Level 3 certification is also more rigorous than for Level 2. Organizations pursuing Level 3 CMMC certification must undergo a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

‍

The additional practices for Level 3 build on those from Level 2, but they are more advanced. For Level 3, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) should submit your assessment results to the CMMC eMASS platform, and the certificate is valid for three years, with annual affirmations.

‍

As with Level 2, you can still get a Level 3 conditional certificate as long as at least 80 percent of your practices meet the criteria. In this case, you’ll have to submit a POA&M and address all remaining gaps within the next 180 days. After the remediation period, your organization will undergo a POA&M closeout assessment to verify full compliance.

‍

{{cta_withimage22="/cta-blocks"}}  | The audit ready checklist

‍

Meeting CMMC certification requirements: Potential challenges

The DoD requires all contractors and subcontractors, regardless of size, to meet the CMMC practices to continue working with them or enter a new contract. Still, these robust practices can present significant challenges for small and medium-sized enterprises, including:

‍

• Resource and budget limitations: Preparing for CMMC can be resource-intensive if your company doesn’t meet all the hardware and software criteria. Smaller teams may also face difficulty, as some practices—like IR.L3-3.6.1e—require a dedicated security operations center running 24/7.
• Interpreting complex practices: Some practices might include particularly complex procedures and implementation workflows. These can prove challenging for your teams without proper guidance and in-house expertise.
• Limited visibility into third-party cybersecurity practices: CMMC emphasizes the importance of security across all parts of the supply chain. Smaller organizations might lack the resources to track their partners' cybersecurity practices, which can leave them vulnerable to gaps in security.
• Transitioning to newer CMMC versions: When an update to the CMMC comes out, organizations need to invest resources into understanding the changes and ensuring their current practices align with new criteria. This added workload can overwhelm small compliance teams.

‍

While these challenges can be significant, your organization can better prepare for CMMC certification by taking a structured, organization-wide approach to security.

‍

“

Organizations seeking CMMC compliance need to foster a culture of security for their organizations. This includes setting the tone at the top with leadership buy-in and governance, alignment of the specific requirements with existing policy and operations, and providing ongoing security training across all personnel.”

‍

Faisal Khan

GRC Solutions Expert, Vanta

|

LinkedIn

‍

5 actionable tips for meeting the CMMC requirements

Here are five practical steps to help you get your organization CMMC-ready:

‍

1. Understand the certification level you need: Begin by evaluating the type of information your organization handles (FCI or CUI). Then, conduct an internal audit to determine which systems, people, and locations are in scope for CMMC audits. This will help you focus resources more efficiently and ensure you don’t overlook critical areas.
2. Familiarize yourself with the applicable practices: Regardless of whether you operate as a contractor or subcontractor, if your organization handles CUI and/or FCI for the DoD, you must comply with CMMC. Reviewing relevant documentation and familiarizing yourself with the specific practices required for your certification level will help you achieve compliance efficiently.
3. Streamline assessment workflows: To streamline your CMMC assessment process, integrate key security measures like multi-factor authentication, role-based access control, and least privileged access into your team’s workflows. Establishing structured steps for the process, along with defining roles and responsibilities, will help keep your team aligned during assessments.
4. Document all security documentation for audit readiness: Leverage thorough monitoring and logging to keep comprehensive documentation of implemented CMMC practices. This will allow you to quickly provide auditors with the evidence they need and make the entire process smoother.
5. Leverage a dedicated compliance solution: An automated compliance solution can help reduce the pressure on your team and streamline CMMC certification preparation by centralizing compliance processes like evidence collection.

‍

Vanta: Your CMMC compliance partner

Vanta is a robust trust management platform that streamlines CMMC compliance. With its dedicated CMMC compliance solution, Vanta helps minimize confusion and manual work by automating up to 50% of workflows.

‍

Vanta's dedicated CMMC product includes various resources and features that help optimize the compliance process, including:

‍

• Out-of-the-box support for all certification levels
• Automated evidence collection supported by 375+ integrations
• Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172
• Centralized gap assessments and continuous tracking of CMMC practices
• Prescriptive guidance across controls, policies, and documents

‍

By leveraging these, you can significantly reduce your team's manual workload, allowing them to focus on other priorities. Vanta also provides expert support to guide you through every step of the certification process, ensuring you're always on track.

‍

Vanta is partnered with various Cyber AB-accredited C3PAOs that can guide you through the assessment process for Level 2 and 3 certification. Check Vanta’s partner network to find the C3PAO that your company can work with to streamline the certification process.

‍

Schedule a custom demo to see how Vanta streamlines CMMC compliance.

‍

{{cta_simple33="/cta-blocks"}} | CMMC product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 

‍