The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that the Department of Defense (DoD) has instituted for prime and subcontractors wanting to provide products or services to the DoD. Keiter is a Registered Provider Organization (RPO) in the CMMC Marketplace.

Helping your business adopt the CMMC

History
December 2017: DFARS 252.204-7012 became effective, requiring DoD contractors to comply with NIST SP 800-171. Compliance with 800-171 was achieved via contractor self-certification; self-certification was determined to be insufficient.
January 2020: DoD published CMMC version 1.0.
September 2020: DoD published an interim rule that implemented the timeline for rolling out CMMC version 1.0 to DoD contractors. Contractors with Controlled Unclassified Information (CUI) were also required to begin self-reporting compliance with NIST SP 800-171 in the DoD’s Supplier Performance Risk System (SPRS).
November 2021: DoD announced CMMC version 2.0, suspending the rollout of the CMMC requirement until final rules are published. The estimated timeline for final rulemaking is 9 to 24 months.
Key Facts
CMMC 2.0 has three maturity levels (ML-1, ML-2, ML-3). The CMMC maturity level a contractor must comply with will be specified in the DoD solicitation or RFI.
Under CMMC 2.0, the large majority of DoD contractors will be able to continue with self-certification. For these contractors, a senior company official will have to provide an annual affirmation that the company is complying with its maturity level’s CMMC cybersecurity requirements.

The DoD contractors that will have access to information that is deemed to be critical to national security will be required to undergo third-party assessments.
CMMC 2.0 now allows for Plan of Action and Milestones (POAMs) in certain cases.
The DoD is considering providing incentives for contractors who voluntarily obtain a CMMC certification in the interim period.

The DoD is using a phased rollout of the CMMC program through September 30, 2025, at which time all solicitations will require compliance with CMMC. Prior to that time the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of a CMMC requirement in a solicitation.

CMMC Maturity Levels
The CMMC framework has three maturity levels (ML). ML-1 is the least rigorous, ML-3 the most. The maturity level and assessment requirements are based on the sensitivity of the information shared with the contractor. Contractors who only have access to Federal Contract Information (FCI) will be ML-1. Contractors who have access to Controlled Unclassified Information (CUI) will be ML-2 or ML-3. Contracts that have CUI that the DoD deems not to be critical to national security will be ML-2 and might only require the contractor to annually self-certify compliance with CMMC 2.0.
Read more about FCI and CUI here

Maturity Level 1 | Foundational
  • 17 practices
  • Requires the contractor to perform an annual self-assessment
Maturity Level 2 | Advanced
  • 110+ practices aligned with NIST SP 800-171
  • For contracts with critical national security information, requires the contractor to obtain a triennial third-party assessment
  • For contracts with CUI that is not deemed critical to national security, the contractor performs annual self-assessments
Maturity Level 3 | Expert
  • 110+ practices based on NIST SP 800-172
  • Requires the contractor to obtain triennial government-led assessments


DoD contractors need to ensure they are prepared to meet the cybersecurity requirements for their CMMC Maturity Level.

DoD contractors first need to determine the CMMC Maturity Level with which they need to comply. Contractors should review their current contracts and speak with their contracting officers, contracting officer’s technical representative (COTR), or other DoD representative to determine the sensitivity of the information (CUI vs FCI) the government considers the contractor to have.

Once the Maturity Level is determined, contractors should perform an assessment to determine whether there are any CMMC requirements for their specific Maturity Level that they are not meeting. If gaps are identified, the contractor needs to implement corrective actions to resolve them.

Additionally, if not already performed, DoD contractors with CUI need to perform a self-assessment against NIST SP 800-171 and self-report in the DoD Supplier Performance Risk System (SPRS).

Keiter is a Registered Provider Organization (RPO) in the CMMC Marketplace.

Many DoD contractors will need assistance in getting ready for their self- and/or third-party assessments, including identifying controls, identifying gaps, and developing corrective action plans. Keiter’s Risk Advisory Services team has been providing cybersecurity services and consulting on the major IT frameworks such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others for close to 20 years. As a CMMC RPO, our team can help DoD prime and subcontractors with the following:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Assistance with Remediating Gaps Identified during Readiness Assessment
  • Assistance with the NIST SP 800-171 Self-Assessment that is recorded in the Supplier Performance Risk System (SPRS)


Your Opportunity Advisors

Scott McAuliffe

Partner, Risk Advisory Services

Chris Moschella

Risk Advisory Services Senior Manager
