CMMC TL;DR
- Triumvirate Cyber
- May 22, 2024
Updated: Feb 11
This article provides a high-level "too long; didn't read" (TL;DR) summary of the CMMC program as a way to dip your toes in before making the plunge.

What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program will require U.S. Department of Defense (DoD) contractor organizations to achieve certification demonstrating their compliance with baseline cybersecurity controls. Specifically, the CMMC program is concerned with maintaining the confidentiality of controlled unclassified information (“CUI”) to protect sensitive information which could detrimentally impact U.S. national security interests.
In 2010, Executive Order 13556 established a formal definition of CUI and mandated its protection through consistent means across the U.S. federal government. Since 2017, the DoD has required companies to self-attest to their compliance with the requirements of NIST Special Publication ("SP") 800-171 via Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012. However, this method has proved insufficient due to the frequency of data breaches involving CUI for organizations within the defense industrial base ("DIB") that had self-attested to meeting the requirements.
To address this, the DoD proposed CMMC version 1.0 as an interim rule in 2020. After receiving feedback from the DIB, the DoD released a revised version of CMMC (v2.0) in late 2021, which is the current standard. You can find specific information about the program on the DoD Chief Information Officer website.
Rulemaking within the U.S. federal government and the DoD has completed, and the CMMC rule was finalized in December 2024 in 32 CFR 170. It is expected to begin appearing within DoD contracts as DFARS 252.204-7021 in 2025. At that point, DoD contractors will be required to have achieved CMMC compliance and to have successfully undergone an audit by a Certified Third-Party Assessor Organization (C3PAO) before being awarded DoD contracts requiring Level 2 or Level 3 certification.
How Do I Get Certified?
The CMMC program establishes three distinct levels of certification:
Level 1: Any organization with access to federal contract information (“FCI”) will be required to self-attest to their compliance with CMMC Level 1, which includes 15 controls.
Level 2: DoD contractors who store, process, or transmit CUI will be required to undergo validation by a C3PAO every three years to demonstrate compliance with the 110 requirements of NIST SP 800-171 that make up CMMC Level 2.
Level 3: Finally, organizations with access to certain categories of CUI will be required to undergo triennial validation by a C3PAO of their compliance with the 134 requirements of CMMC Level 3, which include the 110 controls from NIST SP 800-171 as well as an additional 24 from NIST Special Publication 800-172.
For a deeper dive on the CMMC program, its context, and requirements, check out CMMC 101: Intro to Compliance or contact us to find out how Triumvirate Cybersecurity can help you prepare for certification!