FAQ - Cybersecurity maturity model Certification
CMMC - Frequently Asked Questions
Commonly asked questions about CMMC are important to understanding the foundation for compliance your business needs to continue working with the DoD as cybersecurity standards change. We've listed the basic (and not-so-basic) questions with clear, no-jargon answers to help you align your organization on CMMC 2.0 preparation.
Think of a question we missed? Contact us with it and we'll get you an expert answer ASAP.
CMMC -What is It?
CMMC (Cybersecurity Maturity Model Certification) is no longer optional for businesses aspiring to work with the DoD. Developed by the Department of Defense, CMMC acts as a standardized cybersecurity assessment, evaluating an organization's ability to safeguard Controlled Unclassified Information (CUI).
Think of CMMC as a passport to secure, productive DoD contracts while demonstrating your overall commitment to robust cybersecurity. Achieving CMMC certification grants you a competitive edge and establishes your organization as a trusted partner in the critical mission of national defense.
And achieving CMMC can be easy with proper CMMC preparation to get ready.
Commonnly Asked CMMC Questions:
To see answers to commonly asked CMMC questions, click on the questions below.
- CMMC - What is it?
- Do I need to be worried about CMMC?
- What Level of CMMC should I be focused on?
- What is the timeline for CMMC? (current timing)
- When did CMMC start and how has it evolved? (CMMC history)
- Why is CMMC important in 2024 and 2025?
- When do I need to be ready for CMMC? (as a DOD vendor)
- What is involved with CMMC Readiness?
- What dos a CMMC Audit entail?
- Who needs to be prepared for CMMC?
- Does my company handle CUI?
- What industries does CMMC impact the first/most?
- How will CMMC impact SaaS companies?
- Who at a company should be worried about CMMC?
- What do I need to know? CMMC for CISSP / CTO / CFO / COO
CMMC (Cybersecurity Maturity Model Certification) is no longer optional for businesses aspiring to work with the DoD. Developed by the Department of Defense, CMMC acts as a standardized cybersecurity assessment, evaluating an organization's ability to safeguard Controlled Unclassified Information (CUI).
Think of CMMC as a passport to secure, productive DoD contracts while demonstrating your overall commitment to robust cybersecurity. Achieving CMMC certification grants you a competitive edge and establishes your organization as a trusted partner in the critical mission of national defense.
And achieving CMMC can be easy with proper CMMC preparation to get ready.
Understanding how CMMC is applied is crucial for securing contracts, maintaining compliance, and protecting sensitive information. CMMC applies to your business if:
- Your company directly contracts with the DoD on acquisitions involving Controlled Unclassified Information (CUI).
- You are a subcontractor to a prime DoD contractor and handle CUI in the fulfillment of the contract.
Which version of CMMC standards apply to you will vary based on the type of data you’re handling.
- The DoD requires different CMMC levels depending on the sensitivity and classification of the CUI your company handles and the contractual requirements specified by the DoD.
- CMMC consists of five progressive levels (Level 1-5), with higher levels demanding more rigorous cybersecurity practices. You can learn more about CMMC Level 1 and CMMC Level 2 details here.
Remember: CMMC implementation requires planning, assessment, and potentially remediation efforts. Seeking professional guidance from CMMC-accredited consultants can be highly beneficial.
The exact date when CMMC will impact your business will vary based on the specific type and volume of DOD data you interact with in order to conduct business. In 2024, the Cybersecurity Maturity Model Certification (CMMC) has become a critical topic for defense contractors and DoD vendors and will remain a cornerstone of business operations for years to come. Understanding the history of CMMC and key dates on the current timeline is crucial for navigating the evolving cybersecurity requirements. As infosec experts with extensive experience with the DoD audits and CMMC standards, Essendis can shed light on what is essential and when and how to prioritize your tech stack to be ready starting with a current state CMMC assessment for your business.
The story of CMMC began in2010, when the Department of Defense (DoD) recognized the growing threat of cybersecurity breaches within its supply chain. This led to a series of government initiated memorandums and pilot programs aimed at strengthening security practices across the defense technology landscape.
A pivotal moment occurred in 2017 when DFARS 7012 was introduced. This regulation mandated that all relevant DoD contractors and suppliers comply with NIST SP 800-171, a set of cybersecurity controls for Controlled Unclassified Information (CUI). However, relying on vendors to administer their own compliance proved challenging, leading the DoD to develop CMMC in 2019.
CMMC 1.0, introduced in 2020, aimed to address concerns with self-attesting by introducing third-party assessments to verify infosecurity compliance. As an initial shift in responsibility, the standard of CMMC worked. However, changes in the security landscape and industry concerns prompted the DoD to initiate a review in 2021, resulting in upgraded requirements and the current CMMC 2.0 iteration.
Ask Our Experts to review your CMMC readiness
Contact a vCISOIn December 2023, the DoD submitted the CMMC 2.0 rule for review, paving the way for its official implementation in contracts – as early as May 2024. This makes CMMC crucial for defense contractors in 2024 and 2025 for several reasons:
- Compliance becomes mandatory: CMMC 2.0 introduces phased-in mandatory assessments based on contract value and CUI access level. Failing to comply could result in exclusion from DoD contracts.
- Enhanced security posture: CMMC strengthens the overall cyber resilience of the defense industrial base, safeguarding sensitive information and critical infrastructure. This is good for the country and vendors who remain part of the defense network by keeping pace with requirement evolutions.
- Level playing field: CMMC ensures a standardized approach to cybersecurity, creating a fair and competitive environment for all contractors.The DoD has plans to publish their standard so every vendor knows what is expected.
Remember: CMMC implementation requires planning, assessment, and potentially remediation efforts. Seeking professional guidance from CMMC-accredited consultants can be highly beneficial.
According to the DoD, the new CMMC 2.0 standards rulemaking process wll last between 9- and 24-months from when the DOD announced their plan in July 2023. This means vendors can expect CMMC inforcemet to start as early as May 2024 with a roll out that could extend into Q2 or Q3 of 2025. Most experts agree that CMMC readiness work should begin for vendors in 2024 since the DoD published rules in December of 2023 and has been clear that the new requirements will be the standard.
For DOD vendors trying to anticipate specific rules and timing, the exact timeline for individual contractors depends on several factors, including:
- Contract value: Higher-value contracts will require assessments earlier.
- CUI access level: Accessing higher levels of CUI necessitates earlier compliance.
- DoD guidance updates: The DoD may adjust the rollout based on ongoing developments.
Essendis highly recommends defense contractors proactively assess their CMMC readiness by:
- Familiarizing themselves with CMMC 2.0 requirements.
- Conducting a self-assessment to identify gaps in their cybersecurity practices.
- Developing a plan to address identified deficiencies.
- Seeking guidance from CMMC-accredited professionals for assistance and resources.
By understanding the CMMC history, timeline, and importance, defense contractors can stay ahead of the curve and ensure their continued success in the evolving DoD landscape. Essendis can help you determine how prepared you are for CMMC.
A CMMC Audit conducted on behalf of the DoD will examine your entire business operations an IT infrastructure to ensure that protection of Controlled Unclassified Information (CUI) is assured when they do business with you, While the methods and depth of the audit process will vary based on the size and nature of your relationship with the DoD, every aspect of your cybersecurity practices is likely to be reviewed in detail by certified experts.
You can learn more about the specific practices to be examined on our CMMC Level 1 and CMMC Level 2 pages.
Any vendor, contractor or sub-contractor of the DoD will need to be prepared for a CMMC audit once CMMC 2.0 regulations are fully rolled out. Even if your business doesn't directly support the DOD with a contract, if one of your customers works on government contracts, there is a possibility your business operations presents potential exposure to Controlled Unclassified Information (CUI), which would qualify you for an audit. As a subcontractor of the Department of Defense, you will want to understand if you handle CUI as part of your work.
The two main groupds of businesses that shouldbeprepared for CMMC 2.0 and a government cybersecutrity audit are:
- Companies that directly contract with the DoD for business dealings including Controlled Unclassified Information (CUI).
- Vendors and subcontractors of companies that directly support Department of Defense work (a "DoD Prime") and whose business operations involve CUI in order to complete the work in their contract.
Get started with our cmmc compliance team
Contact a vCISOIf you’re unsure whether or not you handle data that qualifies as CUI, it’s easy to find out:
- Look for contractual language mentioning CUI or DFARS clauses like DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) in your DoD contracts.
- Consult with your legal or contracting department for a definitive answer on CUI involvement and consider a CMMC readiness consultation to learn more.
CMMC 2.0 will impact a broader set of industries and companies than previous DoD cybersecurity models. And while standards will eventually encompass the entire DoD supply chain, the initial focus will be on industries most critical to national security, including:
- Defense contractors (Prime and sub-conractors)
- Aerospace anddefense manufacturers
- Information technology (IT) service providers
- Engineering eservice firms
- Supply chain management (technology and service)
Remember that the key determining factor for CMMC audits is if you handle CUI and the type and timing of a CMMC audit will be driven by factors related to your contract and workings with the DoD.
CMMC 2.0 primarily targets Defense Industrial Base (DIB) companies directly involved in government contracts. However, if your SaaS solution stores or processes Controlled Unclassified Information (CUI) for DoD contractors, CMMC compliance might become a requirement to retain their business.
If you operate or advis a SaaS company, consider the following impact:
- Increased Scrutiny: DoD contractors will likely seek out SaaS providers with demonstrably strong cybersecurity practices aligned with CMMC requirements.
- Compliance Demands: To retain DoD clients, you may need to undergo assessments to verify your CMMC level, potentially incurring additional costs.
- Competitive Advantage: Demonstrating CMMC compliance can be a powerful differentiator, attracting new DoD contractor clients seeking secure solutions.
While CMMC tasks are often delegated to information technology and cybersecurity teams, the responsibility for understanding and ensuring compliance is shared across:
- Individuals directly involved in:
- Security and compliance
- Contract acquisition and management
- Data management and protection
- Supply chain management - Senior leadership responsible for risk management and strategic decision-making.
If you're the one responsible for cybersecurity at your company and facing a potential CMMC 2.0 audit, you should consult with a Certified Information Systems Security Professional (CISSP) to ensure you have the right CMMC experience. A CISSP-level of expertise will help ensure the proper DoD-specific expertise is utilized properly for you to achieve CMMC readiness.
If you're a CTO, CFO or COO, consider the following steps as a strategic roadmap to ensure your organization is CMMC-ready:
- Get Executive Buy-In: Secure leadership commitment to prioritize CMMC compliance and allocate necessary resources and align sub-contractors.
- Involve your CFO: Factor CMMC compliance costs into financial planning. Early investment can save money in the long run.
- Complete an IT Assessment: Conduct a thorough IT infrastructure and security practices assessment to identify gaps.
- Retain CISSP Expertise: Leverage the knowledge of CISSP (Certified Information Systems Security Professional) certified personnel to develop a robust compliance strategy.
- Find and Leverage CMMC Resources: Utilize firms specializing in CMMC 2.0 and other CMMC-AB (CMMC Accreditation Body) approved resources in order to support training to guide your team.
Ask Essendis for HeLp planning your Next CMMC Move
Contact a vCISO.svg)
