The Cybersecurity Maturity Model Certification (CMMC) is a mandatory security framework created by the U.S. Department of Defense (DoD) to reduce vulnerabilities within their supply chain. You can expect CMMC compliance to be a key prerequisite for organizations pursuing or actively participating in DoD contracts.
The program has a clearly defined scope and establishes three levels of cybersecurity maturity, depending on the type of information an organization processes, stores, and transmits. Understanding this scope and how the requirements apply to your organization is an important first step in your CMMC compliance journey. In this article, we’ll:
- Help you determine whether CMMC applies to you
- Discuss potential consequences of non-compliance
- Outline the steps to achieve certification
Who should comply with CMMC?
CMMC applies to all contractors and subcontractors in the DoD supply chain, including those working directly with the DoD, such as research labs and repair services, as well as those that support DoD operations indirectly, like cloud service providers and construction companies.
An organization’s location and industry do not affect its compliance requirements. If your organization handles DoD data or operates as a subcontractor, you must comply with CMMC to safeguard sensitive government data and maintain eligibility for future contracts.
Organizations that work with the DoD and need to comply with CMMC typically handle two types of highly sensitive information:
- Federal Contract Information (FCI): Non-public information provided by or generated for the government under contract that is not intended for public release. This includes documents such as organizational charts, contract performance reports, and proposal responses.
- Controlled Unclassified Information (CUI): Sensitive information that isn’t classified by the DoD but is protected through law or regulation. Examples include personally identifiable information (PII), architectural design diagrams, engineering data, and other information relevant to national security or critical operations (see other examples in the DoD CUI registry)
CMMC was specifically designed to strengthen the security ecosystem and ensure the safety of this information, making compliance crucial. Even if your organization does not handle FCI or CUI directly, you may still need to comply with CMMC if you have access to systems that store or process this information. That’s why subcontractors working under prime contractors with CMMC requirements should verify their obligations early through contract review and discussion with their primes.
According to FAR 2.101, the only exceptions to CMMC certification are providers of commercial off-the-shelf (COTS) items. An item must meet these criteria to be considered COTS—it’s:
- Used by the general public
- Sold in large quantities on the commercial market
- Offered to the government without any significant modifications in form or function from the commercially available version
{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist
How the CMMC impacts your organization
CMMC has a tiered structure, and depending on the tier, organizations must meet different compliance requirements to get certified. The requirements vary based on the type of data an organization handles and are divided into three levels:
- Foundational (Level 1): Focuses on basic cyber hygiene and applies to organizations that handle FCI.
- Advanced (Level 2): Introduces more stringent requirements and applies to organizations that handle CUI.
- Expert (Level 3): The most comprehensive level that applies to organizations that handle highly sensitive CUI. Requires meeting all the criteria for Level 2, plus additional requirements.
Determining the required level of certification for your organization is crucial for saving time and resources. You’ll need this information in two main scenarios:
- You’re pursuing a new government contract: The DoD intends to specify the required CMMC level in contracts and solicitations, allowing you to review the requirements before bidding.
- You're currently working with the DoD: You should get notified of the required CMMC level. In case you don’t, contact your contracting officer or reach out to your prime contractor for clarification if you're a subcontractor.
In addition, if you’re a prime contractor, you need to ensure that your subcontractors comply with CMMC. Collaborating with non-compliant contractors can impact your ability to meet contract requirements and maintain eligibility for future DoD contracts.
{{cta_withimage22="/cta-blocks"}} | The audit ready checklist
What happens if you don’t comply with the CMMC?
The primary consequence of not complying with CMMC is the risk of losing DoD contracts and revenue. Without CMMC certification, your organization won’t be able to renew existing DoD contracts or bid on new ones.
As of this writing, CMMC doesn’t impose any financial penalties for non-compliance, but an organization can still face legal action (including financial penalty) under the False Claims Act (FCA).
On October 6, 2021, the Department of Justice (DoJ) introduced the Civil Cyber-Fraud Initiative (CCFI), which ensures that all contractors and subcontractors comply with necessary cybersecurity regulations, utilizing the FCA as its primary enforcement tool.
When bidding on a DoD contract, an organization must officially affirm its compliance with the required CMMC level. A false affirmation by a non-compliant organization can serve as grounds for an FCA case.
While the link between CMMC and the FCA remains unspecified today, the CCFI has signaled an intent to leverage the FCA to enforce cybersecurity compliance. However, the exact details are still being ironed out.
How to achieve CMMC compliance
The steps you must take for your organization to achieve CMMC compliance largely depend on the required certification level. The required controls and assessments for each level are as follows:
- Level 1: This level requires an annual self-assessment based on the 15 controls outlined by FAR clause 52.204-21.
- Level 2: Depending on the data you handle, you must either complete a self-assessment or undergo a third-party assessment by a Certified Third-party Assessment Organization (C3PAO) against the 110 controls from NIST SP 800-171 R2. The assessment is conducted every three years, with annual affirmations required.
- Level 3: Required completion of Level 2 certification and an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) against the 24 controls selected from NIST SP 800-172, as outlined in 32 CFR 170.14. As with Level 2, the assessment is conducted every three years and requires annual affirmations.
This is only a brief overview, and the complete compliance process is more extensive due to the number of required controls and practices you must implement.
Because of its complexity, preparing for CMMC compliance can be particularly challenging for small and medium-sized businesses (SMBs) and other resource-constrained organizations, which may lack the internal expertise and bandwidth to manage workflows effectively.
A more efficient solution is to leverage a dedicated compliance solution that minimizes guesswork for evolving regulatory requirements, streamlines the certification process and timeline, as well as makes documentation collection and reporting more efficient.
Streamline CMMC compliance with Vanta
Vanta is a trust management platform that streamlines CMMC requirements by automating up to 50% of the process.
The platform offers a dedicated CMMC product with a range of features, including:
- Out-of-the-box support for all certification levels
- Automated evidence collection supported by 375+ integrations
- Real-time dashboard with automated gap assessments
- Centralized tracking and continuous monitoring of CMMC requirements
- Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172
If you’re preparing for Level 2 or 3 CMMC certification, you can tap Vanta’s extensive partner network to find a reputable C3PAO for your assessment. You can also leverage Vanta’s partnership with Managed Service Providers (MSPs) to further systemize the compliance process.
See how Vanta can streamline and accelerate your CMMC certification by scheduling a custom demo today.
{{cta_simple33="/cta-blocks"}} | CMMC product page
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
Who needs CMMC certification?
Looking to streamline the work for CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a mandatory security framework created by the U.S. Department of Defense (DoD) to reduce vulnerabilities within their supply chain. You can expect CMMC compliance to be a key prerequisite for organizations pursuing or actively participating in DoD contracts.
The program has a clearly defined scope and establishes three levels of cybersecurity maturity, depending on the type of information an organization processes, stores, and transmits. Understanding this scope and how the requirements apply to your organization is an important first step in your CMMC compliance journey. In this article, we’ll:
- Help you determine whether CMMC applies to you
- Discuss potential consequences of non-compliance
- Outline the steps to achieve certification
Who should comply with CMMC?
CMMC applies to all contractors and subcontractors in the DoD supply chain, including those working directly with the DoD, such as research labs and repair services, as well as those that support DoD operations indirectly, like cloud service providers and construction companies.
An organization’s location and industry do not affect its compliance requirements. If your organization handles DoD data or operates as a subcontractor, you must comply with CMMC to safeguard sensitive government data and maintain eligibility for future contracts.
Organizations that work with the DoD and need to comply with CMMC typically handle two types of highly sensitive information:
- Federal Contract Information (FCI): Non-public information provided by or generated for the government under contract that is not intended for public release. This includes documents such as organizational charts, contract performance reports, and proposal responses.
- Controlled Unclassified Information (CUI): Sensitive information that isn’t classified by the DoD but is protected through law or regulation. Examples include personally identifiable information (PII), architectural design diagrams, engineering data, and other information relevant to national security or critical operations (see other examples in the DoD CUI registry)
CMMC was specifically designed to strengthen the security ecosystem and ensure the safety of this information, making compliance crucial. Even if your organization does not handle FCI or CUI directly, you may still need to comply with CMMC if you have access to systems that store or process this information. That’s why subcontractors working under prime contractors with CMMC requirements should verify their obligations early through contract review and discussion with their primes.
According to FAR 2.101, the only exceptions to CMMC certification are providers of commercial off-the-shelf (COTS) items. An item must meet these criteria to be considered COTS—it’s:
- Used by the general public
- Sold in large quantities on the commercial market
- Offered to the government without any significant modifications in form or function from the commercially available version
{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist
How the CMMC impacts your organization
CMMC has a tiered structure, and depending on the tier, organizations must meet different compliance requirements to get certified. The requirements vary based on the type of data an organization handles and are divided into three levels:
- Foundational (Level 1): Focuses on basic cyber hygiene and applies to organizations that handle FCI.
- Advanced (Level 2): Introduces more stringent requirements and applies to organizations that handle CUI.
- Expert (Level 3): The most comprehensive level that applies to organizations that handle highly sensitive CUI. Requires meeting all the criteria for Level 2, plus additional requirements.
Determining the required level of certification for your organization is crucial for saving time and resources. You’ll need this information in two main scenarios:
- You’re pursuing a new government contract: The DoD intends to specify the required CMMC level in contracts and solicitations, allowing you to review the requirements before bidding.
- You're currently working with the DoD: You should get notified of the required CMMC level. In case you don’t, contact your contracting officer or reach out to your prime contractor for clarification if you're a subcontractor.
In addition, if you’re a prime contractor, you need to ensure that your subcontractors comply with CMMC. Collaborating with non-compliant contractors can impact your ability to meet contract requirements and maintain eligibility for future DoD contracts.
{{cta_withimage22="/cta-blocks"}} | The audit ready checklist
What happens if you don’t comply with the CMMC?
The primary consequence of not complying with CMMC is the risk of losing DoD contracts and revenue. Without CMMC certification, your organization won’t be able to renew existing DoD contracts or bid on new ones.
As of this writing, CMMC doesn’t impose any financial penalties for non-compliance, but an organization can still face legal action (including financial penalty) under the False Claims Act (FCA).
On October 6, 2021, the Department of Justice (DoJ) introduced the Civil Cyber-Fraud Initiative (CCFI), which ensures that all contractors and subcontractors comply with necessary cybersecurity regulations, utilizing the FCA as its primary enforcement tool.
When bidding on a DoD contract, an organization must officially affirm its compliance with the required CMMC level. A false affirmation by a non-compliant organization can serve as grounds for an FCA case.
While the link between CMMC and the FCA remains unspecified today, the CCFI has signaled an intent to leverage the FCA to enforce cybersecurity compliance. However, the exact details are still being ironed out.
How to achieve CMMC compliance
The steps you must take for your organization to achieve CMMC compliance largely depend on the required certification level. The required controls and assessments for each level are as follows:
- Level 1: This level requires an annual self-assessment based on the 15 controls outlined by FAR clause 52.204-21.
- Level 2: Depending on the data you handle, you must either complete a self-assessment or undergo a third-party assessment by a Certified Third-party Assessment Organization (C3PAO) against the 110 controls from NIST SP 800-171 R2. The assessment is conducted every three years, with annual affirmations required.
- Level 3: Required completion of Level 2 certification and an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) against the 24 controls selected from NIST SP 800-172, as outlined in 32 CFR 170.14. As with Level 2, the assessment is conducted every three years and requires annual affirmations.
This is only a brief overview, and the complete compliance process is more extensive due to the number of required controls and practices you must implement.
Because of its complexity, preparing for CMMC compliance can be particularly challenging for small and medium-sized businesses (SMBs) and other resource-constrained organizations, which may lack the internal expertise and bandwidth to manage workflows effectively.
A more efficient solution is to leverage a dedicated compliance solution that minimizes guesswork for evolving regulatory requirements, streamlines the certification process and timeline, as well as makes documentation collection and reporting more efficient.
Streamline CMMC compliance with Vanta
Vanta is a trust management platform that streamlines CMMC requirements by automating up to 50% of the process.
The platform offers a dedicated CMMC product with a range of features, including:
- Out-of-the-box support for all certification levels
- Automated evidence collection supported by 375+ integrations
- Real-time dashboard with automated gap assessments
- Centralized tracking and continuous monitoring of CMMC requirements
- Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172
If you’re preparing for Level 2 or 3 CMMC certification, you can tap Vanta’s extensive partner network to find a reputable C3PAO for your assessment. You can also leverage Vanta’s partnership with Managed Service Providers (MSPs) to further systemize the compliance process.
See how Vanta can streamline and accelerate your CMMC certification by scheduling a custom demo today.
{{cta_simple33="/cta-blocks"}} | CMMC product page
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
Explore more CMMC articles
Introduction to CMMC
CMMC requirements
CMMC certification process
CMMC levels
Get started with CMMC
Start your CMMC journey with these related resources.
What you need to know about CMMC—from our Director of Government Strategy & Affairs Morgan Kaplan
Vanta’s director of US government strategy and affairs shares how current and future contractors for the DoD can get CMMC certified.
CMMC Checklist
This checklist will guide you through the steps to take to get CMMC certified and how to successfully implement and maintain the certification.
The ultimate guide to NIST 800-171
Jumpstart your NIST 800-171 compliance with Vanta's complete guide to this legally required security standard.
.png)
.png)
.png)