What Is CMMC?

On February 2, 2018 the National Institute of Standards and Technology (NIST) issued the first version of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. This standard, which is based on NIST SP 800-37 (the Risk Management Framework), essentially states that companies must take the same care in safeguarding Government data on contractor networks as the Government does on its own networks.

On November 18, 2013, the DoD published DFARS 252.204-7012, “Safeguarding of Unclassified Controlled Technical Information.” The clause requires NIST 800-171 compliance in addition to several other items (e.g. reporting of information system breaches). This DFARS clause allows companies to self-certify their compliance.

As of 2020, enhanced security standards for defense contractors, including many in the aerospace and defense industry, take effect. The DoD’s Cybersecurity Maturity Model Certification (CMMC) will subject contractors to a certification process designed to bolster security and enhance visibility into the supply chain. A company’s cyber behavior — controls and practices — will receive a Level (1-5) rating, which will determine eligibility to bid on certain contracts. The CMMC replaces the existing self-certification model under DFARS 252.204-7012; the CMMC model uses varying levels of NIST 800-171 compliance.

How Does Certification Work?

Contractors will become CMMC-certified by passing a third-party audit verifying their compliance with one of five levels. The five levels are shown in the figure to the right.

CMMC mandates contractors comply with expanded controls and requirements, including asset management, cybersecurity governance, recovery, and situational awareness.

To be certified at a particular CMMC level, practices and processes must be met within that level and below. For example, to meet compliance for level 3, a contractor must also comply with the controls and practices in levels 1 and 2.

Contracts will require varying levels of CMMC certification. Projects with greater vulnerabilities or sensitivities will require more stringent security standards (i.e., a higher-level certification). Vendors’ eligibility to compete for contracts will be determined by the CMMC level achieved, on a contract-by-contract basis.

The DoD’s latest update has yet to identify consequences for CMMC non-compliance. But the immediate and most concerning impact will be the defense contractor’s inability to bid on future contracts and the resulting potential loss of revenue.

Are All DoD Contractors Affected by CMMC?

Every company within the DoD supply chain — not just the defense industrial base — will be required to get certified to contract with the DoD. That could affect as many as 300,000 contractors, large and small, prime contractors and subcontractors alike.

Paragone expects that companies will have much work to do to bring their cybersecurity controls up to the new standard.

Only 1% of Defense Industrial Base companies have implemented all 110 NIST 800-171 controls, according to the DoD’s Katie Arrington. More than one-fourth of defense professionals surveyed by the National Defense Industrial Association (NDIA) work for organizations that have been subjected to cyber attacks. Companies in the sector do not have great confidence that they could recover from such attacks within 24 hours. Only about 30 percent of defense organizations have a full understanding of the costs required to recover from a cyber attack, and nearly half of prime contractors are unable to confirm the system security plans of their subcontractors.

Small companies pose the biggest cyber risks, said Assistant Defense Secretary for Acquisition Kevin Fahey to reporters at the Pentagon. “The problem is that our adversaries don’t try to come in through the big companies, they come in through the fifth, sixth tier,” he said. “Most of our problems, that’s where they’re coming in.”

DoD officials expect to begin adding certification standards to requests for information (RFIs) by June 2020. Beginning in fall 2020, some DoD requests for proposal (RFPs) will explicitly state which CMMC level is required for a particular contract and provide a “go / no-go” decision for an organization’s eligibility to win a contract. Existing contracts will be up for renewal depending on which CMMC level is required by the contracting authority.

What Should I Do Now?

A current state assessment should look at 1) a review of what level of CMMC compliance is required for your organization, 2) a review of your authorization boundary description documentation, 3) a review of your System Security Plan, 4) a POA&M review, and 5) a customized plan and roadmap to get your company started on CMMC in time to continue to receive awards and hold DoD contracts.

Paragone’s current state assessment is accurate and complete and is the foundation for full compliance. Understand your technology and applications that process, create, or store CUI. Companies may have already invested in NIST 800-171 controls, and there could be ways to efficiently convert these to CMMC compliance.

Review your controls documentation and processes for safeguarding CUI. Identify and address previously undiscovered control gaps, based on new evidence discovered during the assessment per CMMC requirements.

Control gaps can range from lacking the right skill sets to overlooking a policy or procedure, or failing to have a sophisticated identity and access management solution. Organizations aspiring to achieve CMMC certification levels 4 and 5 would have more advanced gaps.

Many organizations also face challenges implementing several controls from certification levels 1 through 3, such as:

  • Multi-factor authentication implementation
  • Clearly defined network architecture and data flow diagrams, fundamental to scoping and documentation of the environment
  • Audit logs at both the application and system level that are monitored and fire alerts
  • A Configuration Management Database (CMDB) that includes all physical and logical assets with proper data classification

Develop a plan to address deficient controls and reach the target CMMC level. Remediation can take anywhere from a few weeks, for addressing some smaller gaps, to a few years for larger technology implementation efforts. Available budget also plays a big factor in remediation timelines.

Achieving certification at Level 1 or Level 2 may take a few months, while reaching higher levels may take a year or longer, given the increase in requirements. The level of effort will vary, depending on the client, contract, environment, and the nature of the gaps. It also hinges on which CMMC levels organizations are moving to and from.

Having a gap does not necessarily mean you are not at the required level of compliance. If you have a remediation plan in place, and the contracting officer’s representative at the prime contractor above you in the supply chain and/or the contracting officer’s representative at the DoD is comfortable with the plan, you can still get certified.

CMMC compliance and cybersecurity in general are not just the domain of the IT department. A properly designed cybersecurity program has executive sponsorship and is understood and implemented by all employees and suppliers.

In order for an organization’s security plan to meet CMMC and NIST 800-171 requirements, 1) it must be documented, 2) it must be understood by all, and 3) evidence of compliance must be collected. Because attackers can move laterally across functions, departments, and systems, compliance will require stakeholders across the organization.

Any continuous monitoring plan requires regular status updates and checkpoints with remediation owners to track status and identify risks before they impact the organization’s overall CMMC compliance.