CMMC Roadmap: Your Ultimate Guide for CMMC 2.0 Compliance

CMMC 2.0 provides the U.S. Department of Defense (DoD) with the means to protect private data from malicious attacks on its supply chain. It maps NIST 800-171 requirements to each of its Level 2 practices and will employ NIST 800-172 for its Level 3 practices—once they are released.

DoD contractors must demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 through self-assessments as well as utilization of CMMC Third Party Assessor Organizations (C3PAOs). A phased implementation of CMMC 2.0 is expected to begin in Q1 2025 with CMMC in all DoD contractor and subcontractor contracts by 2028. In preparation for the final CMMC rule being published and going into effect Q1 2025, some DoD contractors are beginning to require their subcontractors to demonstrate compliance now.

About CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a regulation put in place to enhance the cybersecurity procedures and standards within the Defense Industrial Base (DIB). It was created in response to growing concerns over the security of controlled unclassified information (CUI) within the supply chain.

CMMC impacts all organizations that contract with the Department of Defense (DoD), including small businesses, commercial item contractors, and foreign suppliers. According to the regulation, these organizations must be certified across five different maturity levels, each having specific cybersecurity practices and processes.

The regulation is crucial in providing a unified standard for implementing cybersecurity across the DIB that deals with sensitive information. It is designed to ensure complete protection of critical proprietary, strategic, and operational data from breaches and cyberattacks.

The benefits of demonstrating CMMC compliance include improved national security by ensuring data protection, increasing company credibility and marketability due to enhanced cybersecurity practices, and allowing continued eligibility for DoD contracts. It also helps organizations identify their cybersecurity strengths and weaknesses, resulting in more efficient and effective operations.

Assessing the Threat to the DoD Supply Chain

While CUI is not classified, the government believes CUI must be protected, as its breach could pose a threat to national security. In particular, DoD computer systems contain huge amounts of sensitive data, which includes CUI, that is sent, shared, received, and stored internally as well as with hundreds of thousands of contractors and subcontractors.

This data, both in transit and in motion, can be vulnerable to cyberattacks. A DoD contractor’s well-implemented cybersecurity posture, astute procurement due diligence, and contracting provisions may not necessarily eliminate all vulnerabilities associated with the sending, sharing, receiving, and storing of CUI and potential impact on the DoD and its contractors and subcontractors.

CMMC 2.0 simplifies what was originally released in CMMC 1.0, going from five levels to three and mapping each of the areas in Level 2 to NIST 800-171.

CMMC 2.0: Who’s Impacted

All civilian organizations that do business with the government must comply with CMMC 2.0. The list of entities includes:

• DoD prime contractors
• DoD subcontractors
• Suppliers at all tiers in the Defense Industrial Base (DIB)
• DoD small businesses suppliers
• Commercial suppliers that process, handle, or store CUI
• Foreign suppliers
• Team members of DoD contractors that handle CUI such as IT managed service providers

CMMC level compliance is assigned to contractors and subcontractors based on the type of CUI and FCI that they handle and exchange.

CMMC 2.0 Jurisdiction: How Far Down the DoD Supply Chain Does CMMC Extend?

The CMMC standard applies to all entities within the DoD supply chain, including organizations that handle federal contract information (FCI), controlled unclassified information (CUI), and other sensitive information regardless of the specific organization with which the contract is placed. This includes both prime contractors and their subcontractors at any tier, including suppliers, vendors, and consultants.

CMMC 2.0 Levels: What’s Changed

Once again, CMMC 2.0 simplifies what was originally released in CMMC 1.0 and reduces the maturity level from five levels to three. The decision to reduce the five maturity levels to three was taken after rigorous evaluation and feedback from the industry. This was done for a multitude of reasons, the primary one being the aim to simplify the implementation process for defense contractors, particularly small to medium-sized businesses. The previous model with five levels was found to be overly complex and burdensome for some companies, often leading to confusion and hindering efficient compliance.

By condensing the framework to three distinct levels: Foundational, Advanced, and Expert, CMMC 2.0 aims to provide a more streamlined, manageable, and cost-effective solution for organizations. This ranged model allows for a more gradual progression in the implementation of security measures, making it easier for businesses to understand and fulfill their compliance requirements.

Another significant advantage is that the new three-tier structure correlates more appropriately to the diverse range of threats different organizations might face. It offers a more tailored approach to cybersecurity, aligning the level of security controls to the level of sensitivity and criticality of the information that a company handles.

Lastly, the reduction to three levels in CMMC 2.0 could lead to improved standardization across the defense industry. A simpler framework is more likely to be adopted consistently, thereby enhancing the overall cyber hygiene and resilience of companies within the supply chain.

In essence, the transition toward fewer maturity levels in CMMC 2.0 is an effort to balance the necessity of robust cyber defenses with the practical realities of business operations in the defense supply chain. The goal is to achieve a model that encourages compliance, reduces complexity, and accommodates the needs of a diverse set of organizations.

We’ll explore each level in much further depth below.

CMMC 2.0 Levels Explained

CMMC 1.0 had five maturity levels, but CMMC 2.0 reduced them to three tiers. CMMC 2.0 eliminates all maturity processes and unique CMMC 1.0 security practices and aligns closely to NIST 800 standards.

Table 1. CMMC 2.0 reduced the number of tiers from five to three and mapped Level 2 to NIST SP 800-171.

CMMC 2.0 contains three tiers of assessments based on the level of information access (see Table 1). They include:

CMMC 2.0 Level 1: Foundational

The Foundational level requires annual self-assessment that has attestation from a corporate executive. This level encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.

CMMC 2.0 Level 2: Advanced

The Advanced level is aligned with NIST SP 800-171. It requires triennial third-party assessments for contractors that send, share, receive, and store critical national security information. These third-party assessments are conducted by C3PAOs. Select contractors that fall into Level 2 only require annual self-assessments with corporate attestation.

This level encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].

CMMC 2.0 Level 3: Expert

The Expert level is aligned with NIST SP 800-172 and will require triennial government-led assessments. Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172 [6].

17 Core Security Domains of CMMC 2.0 Level 2

The 17 Core Security Domains of CMMC 2.0 represent the security practices and processes that organizations must conform to when handling CUI. The 17 domains are considered essential to protecting CUI and are the foundation on which the various levels of CMMC certification are built.

The 17 domains are:

1. Access Control (AC) – Restict Access to CUI

A security practice that restricts access to CUI based on the need-to-know principle. Access Control also helps to ensure that only authenticated and authorized individuals, processes, and other entities have access to CUI by using different methods such as identification, authentication, authorization, and non-repudiation. Access Control also monitors and logs all access to CUI.

2. Asset Management (AM) – Know Your CUI

The practice of documenting, tracking, and monitoring the life cycle of all information system assets. This is done in order to prevent unauthorized access to CUI, detect CUI-related attacks, and help with incident response planning. It also involves protecting information system assets from unauthorized disclosure, modification, destruction, or theft by implementing proper physical and logical security controls.

3. Audit and Accountability (AA) – Track and Report Who Accesses CUI

The process of verifying and tracking activities of users, processes, and other entities that access CUI. It involves logging access to CUI, tracking changes to CUI, and conducting periodic reviews of CUI to ensure integrity. The objective of Audit and Accountability is to ensure that the security of CUI is maintained, and to detect, investigate, and prevent unauthorized access and use of CUI.

4. Awareness and Training (AT) – Develop and Reinforce Proper CUI Handling

The practice of providing employees and contractors with security awareness training and other security-related education and training. This training should cover at least the basics of the organization’s security program, such as identifying security threats, handling and protecting CUI, proper data disposal, and responding to security incidents.

5. Configuration Management (CM) – Maintain Information System Integrity

A practice that establishes and maintains the integrity of an information system’s hardware, software, and documentation over its life cycle. It includes establishing and maintaining a baseline configuration, maintaining an inventory of components, monitoring changes to the baseline, and ensuring configuration accuracy. Configuration Management also includes securing and protecting system components and ensuring they are available when needed.

6. Identification and Authentication (IA) – Verify Only Authorized Personnel Can Access CUI

A security practice that involves verifying the identity of an individual, process, or other entity and ensuring that it is authorized to access CUI. It typically includes the use of passwords, biometrics, or tokens to authenticate and identify users, processes, or devices. It is important to ensure that only authorized individuals and processes gain access to CUI.

7. Incident Response (IR) – Detect and Respond to Security Incidents

The practice of identifying, responding to, and mitigating security incidents. Incident response involves detecting and responding to security breaches and other malicious activities, analyzing the impact of the incident, establishing a containment plan, and developing and implementing a plan for recovery. Incident Response also includes restoring systems to normal operation, investigating the source of the incident, and implementing measures to prevent similar incidents from happening in the future.

8. Maintenance (MA) – Keep Information Systems Running Optimally

The practice of maintaining the operational state of an information system, including its components and environment, to ensure that the system remains secure and operational. This includes preventive maintenance, corrective maintenance, and administrative maintenance. Preventive maintenance involves ensuring that system components and software are up to date and that security policies, procedures, and safeguards are properly implemented. Corrective maintenance involves identifying, responding to, and mitigating security incidents and other malicious activities. Administrative maintenance involves ensuring that system access rights are up to date and that security controls are being implemented properly.

9. Media Protection (MP) – Safeguard CUI Stored on Removable Media

The practice of protecting CUI stored on removable media, such as USB flash drives, CD-ROMs, and other types of external storage media. It includes protecting media from unauthorized access and modification, ensuring that media is not exposed to potential threats, and ensuring that media is disposed of properly. Media Protection also involves encrypting CUI stored on media and enforcing access control policies for media.

10. Personnel Security (PS) – Vet and Protect Employees Who Handle CUI

The protection of the security posture of personnel, both inside and outside the organization, who are associated with the handling or processing of CUI. It includes protecting personnel from potential threats, such as unauthorized access, modification, destruction, or theft of CUI. It also involves the implementation of policies and procedures that ensure personnel have the knowledge, skills, and abilities to protect CUI, and have the necessary background checks and other security-related qualifications.

11. Physical Protection (PE) – Maintain Proper Physical Security of Equipment and Facilities

A security practice that involves the protection of physical resources and assets, such as computers, networks, and other hardware and equipment, against unauthorized access, modification, destruction, or theft. It includes the implementation of various physical and logical security controls such as locks, guards, cameras, barriers, authentication devices, and firewalls. Physical Protection also involves enforcing access control policies and monitoring physical access to CUI.

12. Recovery (RE) – Respond and Rebound From a Security Event

The practices needed to restore an information system, its components, and its environment to a secure and operational state following a security incident or malicious activity. It involves restoring systems to normal operation, investigating the source of the incident, mitigating the impact of the incident, and developing and implementing measures to prevent similar incidents from happening in the future.

13. Risk Management (RM) – Identify and Address All Vulnerabilities to Mitigate Risk

The process of identifying, assessing, and mitigating risk in order to reduce an organization’s vulnerability and eliminate potential security threats. It involves recognizing, analyzing, and determining the risk to an organization’s assets, systems, and CUI, and evaluating and implementing appropriate measures to protect them. Risk Management also includes implementing effective security policies, procedures, and controls, conducting periodic risk assessments, and monitoring systems and networks for potential threats.

14. Security Assessment (CA) – Evaluate Security Requirements and Make a Plan to Meet the Requirements

The process of identifying the security requirements and determining that appropriate security controls are in place to meet those requirements. It includes identifying potential threats, conducting vulnerability and risk assessments, implementing appropriate security controls, and monitoring systems and networks for potential threats. Security Assessment also includes developing and implementing security policies, procedures, and guidelines, and monitoring compliance with these policies. Additionally, Security Assessment involves conducting periodic reviews of systems and networks to ensure that security controls are working as expected.

15. Situational Awareness (SA) – Recognize and Understand Changes and Anomalies

The ability to recognize and understand the significance of changes in the environment, sense threats and opportunities, effectively assess the impact of threats and opportunities, and make appropriate decisions for responding. Situational Awareness is a key component of the security posture, as it helps to protect personnel, assets, and information from potential threats, and enables an organization to quickly recognize, respond to, and mitigate cyber threats.

16. System and Communication Protection (SC) – Implement Controls to Identify and Repel Potential Threats

The security practice of protecting systems and communications from unauthorized access, modification, destruction, or theft. It involves the implementation of various physical and logical security controls, such as firewalls, encryption, authentication devices, access control policies, and monitoring systems and networks for potential threats. System and Communication Protection is a key aspect of security, as it helps to ensure that CUI is protected from unauthorized access, modification, destruction, or theft.

17. System and Information Integrity (SI) – Protect Information and Information Systems From Threats

An essential component of the CMMC 2.0 model that involves ensuring the accuracy, completeness, and reliability of information and systems. This includes implementing effective security controls to protect systems from malicious activities, monitoring systems for potential threats, and conducting periodic reviews to ensure information and systems remain secure and unaltered. In addition, System and Information Integrity involves preventing unauthorized access to information and systems, and protecting the confidentiality, integrity, and availability of information.

Which CMMC 2.0 Level Should DoD Contractors Pursue?

There are three levels of CMMC 2.0, ranging from basic cybersecurity hygiene to advanced cybersecurity practices. These levels are designed to be cumulative, meaning that each class builds upon the requirements of the previous story. The higher the group, the more rigorous the cybersecurity requirements.

To bid on DoD contracts requiring cybersecurity compliance, contractors must be certified at the appropriate level. This means that contractors must assess their cybersecurity practices and take steps to ensure that they meet the necessary level of compliance. For DoD contractors, the CMMC 2.0 levels mean that they must meet specific cybersecurity requirements to be eligible to bid on contracts with the DoD.

CMMC 2.0 and Small Business Contractors

Small businesses are a vital part of the Defense Industrial Base (DIB) and play a significant role in the economy. However, the implementation of CMMC 2.0 presents a unique set of challenges and considerations for these contractors. Small businesses face the same requirements as larger contractors, but they may not have the same resources and capabilities to comply with the standards. The CMMC 2.0 framework requires contractors to have adequate cybersecurity measures in place to protect CUI stored in their systems. Small businesses must understand the impact of CMMC 2.0 on their operations and take action to ensure regulatory compliance.

Small businesses face unique challenges and considerations when it comes to complying with the requirements of CMMC 2.0. The small business community needs to understand the impact of CMMC 2.0 on their operations and take proactive steps to meet the requirements. Small businesses must consider the cost of implementing adequate cybersecurity measures and training, the availability of cybersecurity expertise, and the need for regular assessments.

Impact of CMMC 2.0 on Small Businesses

The CMMC 2.0 framework requires contractors to undergo third-party assessments to verify that they have implemented adequate cybersecurity measures in their systems. Small businesses need to understand their level of readiness for these assessments and develop a plan to meet the requirements. Small businesses will need to invest in cybersecurity measures and training to ensure that they are prepared for the assessments. Failure to comply with the requirements of CMMC 2.0 could result in loss of existing contracts, inability to bid on new contracts, or even fines and penalties.

CMMC Compliance Resources for Small Businesses

The DoD recognizes the importance of small businesses in the DIB and has developed resources and assistance programs to help them comply with the requirements of CMMC 2.0. The Small Business Administration (SBA) offers several programs, including the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs, which provide funding for small businesses to develop new technologies and capabilities that can be used to meet the requirements of CMMC 2.0.

The CMMC Certification Journey: What to Expect

Accreditation for CMMC 2.0 Level 2 requires preparation and time to complete, both the self-assessment as well as the assessment completed by a C3PAO.

Accreditation requires establishment of periodic assessment of security controls to determine if they are effective in their application, documentation and updates to the system security plan (SSP), and documentation of a remediation plan (POA&M) to address practice control areas that failed the initial audit and timelines and resource requirements needed to rectify identified issues.

Due to these requirements, CMMC 2.0 experts recommend that organizations initiate an audit at least six months in advance. With phased implementation starting in May 2023, the time for DoD contractors and subcontractors to start is now.

The current DoD methodology for NIST SP 800-171—to which CMMC 2.0 Level 2 is mapped—self-assessment provides three scores for each of the 110 Level 2 practices with a weight of 1, 3, or 5.

Though final details on CMMC 2.0 scoring have not been released yet, indications are that the scoring and weighting methodology for NIST SP 800-171 will likely be reflected in those guidelines. Most importantly, of the 110 security controls in CMMC 2.0 (and NIST SP 800-171), 50 have a weight of 1, whereas the other 60 are worth 3 or 5 points.

Based on information released by a CMMC director at a cybersecurity event in April 2022, only practice controls with 1 point will be permitted a POA&M. Thus, for practice controls with weights of 3 or 5, no POA&M will be required; the deficiency must be remediated before business with the DoD can be conducted.

In addition to the above, the DoD plans to establish a minimum Supplier Performance Risk Score (SPRS) that must be achieved when POA&Ms are used to attain accreditation. At the same time, organizations will have a specified timeframe to address deficiencies, as POA&Ms will be time-bound with strictly enforced limits (likely 180 days).

The Benefits of CMMC 2.0

While few of us may be looking forward to another long journey when it comes to information security, the move from CMMC 1.0 to 2.0 is a critical and necessary one. The new requirements reflect an increased focus on protecting FCI and CUI.

This heightened level of protection is essential in today’s business environment, where data breaches are becoming more common and cyberattacks are growing in sophistication—elements that can pose a serious risk to the DoD supply chain.

The good news is that there are significant benefits to implementing CMMC 2.0. A few include:

1. Reducing cyber risk across the DoD supply chain by establishing supply chain risk management standards to which all contractors and subcontractors must adhere.
2. Building upon existing regulations (e.g., DFARS 252.204-7012, NIST SP 800) used to build trust by adding a verification standard for cybersecurity.
3. A cost-effective means for small businesses—of which most DoD contractors and subcontractors are—to implement cybersecurity controls that reduce risk for themselves as well as the DoD and other public and private sector entities with whom they conduct business. Accreditation can afford a competitive advantage to a small business by helping them stand out from competitors that lack CMMC 2.0 certification.

Preparing for CMMC 2.0: Recipe for Success

As we continue our journey to CMMC 2.0, it is important to remember that protecting FCI and CUI is paramount. The transition to CMMC 2.0 requires organizations to implement new controls and processes to safeguard this information.

While this may seem daunting, many resources are available to help you prepare for the transition. Taking the time to familiarize yourself with the new requirements will pay off in the long run and help ensure a smooth transition for your organization. 

Build a CMMC 2.0 Compliance Strategy

Building a CMMC 2.0 compliance strategy requires careful planning and execution. Contractors must establish a compliance plan, define roles and responsibilities, and identify necessary resources and tools.

Establish a Compliance Plan and Policies

Developing a compliance plan is the first step toward achieving CMMC 2.0 compliance. It is essential to identify the scope of the compliance program, including the assets and systems that require protection. Additionally, it is essential to identify the level of CMMC maturity required for compliance. The compliance plan should include policies that outline data protection procedures, access controls, and data handling procedures. Policies should be consistent with the required CMMC level and the contractor’s operations. In addition, policies should be reviewed regularly to ensure compliance with the evolving CMMC standards.

Define Roles and Responsibilities

Roles and responsibilities should be defined clearly to ensure compliance with CMMC 2.0 standards. The compliance team should be made up of individuals who are knowledgeable about the CMMC standards and have experience in implementing compliance programs. It is essential to assign roles to individuals who have the authority to enforce compliance policies and procedures. The team should also include individuals from different areas of the organization, including IT, legal, human resources, and finance, to manage compliance issues effectively.

Identify Necessary Resources and Tools

To achieve CMMC 2.0 compliance, contractors need to identify and invest in the necessary resources and tools. For instance, contractors should invest in security tools, such as firewalls, antivirus software, and intrusion detection systems. Further, contractors should consider training employees on security awareness, vulnerability assessments, and incident response. These resources and tools should be aligned with the CMMC level and the contractor’s operations. Contractors should also consider working with third-party vendors to provide expertise and tools to achieve compliance.

Mapping CMMC Requirements

When building a CMMC 2.0 compliance strategy, DoD contractors and subcontractors must also map CMMC requirements, identify gaps, and implement controls. The contractors must adopt a continuous monitoring and improvement approach to maintain compliance with the evolving CMMC standards.

Identify Gaps and Implement Controls

Gaps identified during the mapping process should be addressed by implementing controls that need to be consistent with the required CMMC level and the contractor’s or subcontractor’s operations. Controls should be documented, tested, and monitored to ensure they effectively mitigate risk and meet the CMMC requirements. For instance, contractors may need to implement access controls to restrict access to sensitive data, implement data backup procedures, ensure the use of secure software development practices, and implement incident response procedures.

Commit to Continuous Monitoring and Improvement

Achieving CMMC 2.0 compliance is not a one-time event; it requires continuous monitoring and improvement of policies, procedures, and controls. The contractors should establish a continuous monitoring system to detect and respond to security incidents and identify any gaps that require remediation. Contractors should also conduct periodic assessments to ensure systems and policies are up to date with the evolving CMMC standards. Continuous improvement efforts can help contractors to maintain compliance and avoid costly security incidents.

How to Prepare for CMMC 2.0

A webinar featuring Optiv’s VP (and former FBI CIO) James Turgal and Kiteworks’ CISO and SVP of Operations Frank Balonis examined what DoD contractors and subcontractors need to do to prepare for CMMC 2.0. Following are some of the things they recommend DoD contractors and subcontractors keep in mind when building a roadmap to CMMC 2.0:

1. Unify File and Email Data Communications Onto One Platform

Identification of a technology platform and/or tools for sending, sharing, receiving, and storing FCI and CUI will address many of the Level 2 practice requirements. Having the right sensitive content communications platform in place for email, file sharing, automated file transfer, web forms, and application programming interfaces (APIs) will significantly streamline the accreditation process.

2. Know Your Private Data: FCI, CUI, or Both

Review your contracts and determine what information is classified FCI or CUI, if any. CUI is information relevant to the interests of the U.S. and includes sensitive, unclassified information that requires controls to safeguard or disseminate it. Specific categories of CUI can be found in the DoD CUI Registry.

3. Determine the Appropriate CMMC 2.0 Level

FCI is information provided by or generated under a government contract that has not been or is not intended for public release. Any company with FCI must achieve CMMC 2.0 Foundational Level 1 certification. This includes DoD contractors and subcontractors that do not even handle CUI. For those that handle CUI, CMMC 2.0 Level 2 certification is likely required.

4. Understand Your SSP and POA&M

RReview your system security plan (SSP) and POA&M documents. You should pose the following, among other, questions. Does your SSP cover the scope of where you have FCI and CUI? What changes have happened to your environment that need to be reviewed? What actions on your POA&M do you still need to complete? Plan out which of these you will do when and where the money will come from. (Important Reminder: POA&Ms will likely be eligible for only Level 2 practice requirements with a weighted score of 1.)

5. Get Your Documentation in Order

Get your integrated risk management documentation in order. Do you have written cybersecurity policies and procedures in place? Are they being followed? When was the last time you reviewed them? If you were to be audited, would your policies and procedures stand up to scrutiny?

6. Test and Validate Your Controls

Test and validate the controls you already indicate that you’ve implemented. Remember that security is a process, not a destination, and you should reassess your controls (preferably at least annually). Review your documented policies and procedures to be sure they are effective, efficient, and being followed.

7. Go Beyond the Basic Cybersecurity Controls

Go beyond basic compliance steps to perform effective cybersecurity for your critical business information. For example, CMMC doesn’t require that you back up your data, but ignoring backups in pursuit of compliance controls won’t provide any comfort if your business is the victim of ransomware. CMMC experts often tout, very accurately, that the required controls are just a minimum standard and aren’t necessarily indicative of providing active security of your company’s data.

CMMC Implementation Timeline

Based on what has been said and published by the CMMC body, the phased implementation for CMMC 2.0 begins soon. DoD contractors and subcontractors must begin today in determining if Level 1, 2, or 3 apply to their organizations. Self-assessments and third-party risk assessments by C3PAOs need to commence shortly, if not already.

CMMC 2.0 Timeline: When Will CMMC Be in Contracts?

The timeline for implementing CMMC 2.0 into DoD contracts is still ongoing and subject to change, but the DoD has provided some guidance on the rollout of CMMC.

Starting in 2021, the DoD began incorporating CMMC requirements into requests for information (RFIs) and requests for proposals (RFPs) for select procurements. In other words, the DoD started including CMMC requirements as part of the evaluation criteria for some contracts.

Over the next several years, the DoD plans to continue incorporating CMMC requirements into more contracts. The specific timeline for the rollout of CMMC requirements will vary based on the type and scope of the contract. The DoD has stated that it will begin to include CMMC requirements in new agreements as soon as Q1 2025.

While full implementation of CMMC 2.0 will not be completed until 2028, this does not mean that DoD contractors and subcontractors can wait another year or two before concerning themselves with the order.

In addition, it is very likely that proposals by contractors and subcontractors will be evaluated based on their level of compliance with CMMC 2.0 Level 2 practices—certainly when the phased implementation begins soon. Indeed, Kiteworks is already finding that some DoD contractors are evaluating proposals from subcontractors based on CMMC 2.0 compliance. (See Table 2 for a quick timeline for CMMC.)

Table 2. Key milestones on the CMMC timeline.

CMMC Certification Process and Timeline

The CMMC certification process is typically arduous for most organizations, requiring time, money, and manpower. The process nevertheless favors organizations that are organized, focused, and nimble. The following list provides an overview of the CMMC certification process:

Prepare for CMMC Certification

Before a company can pursue its CMMC certification, they must understand the fundamentals and the requirements of the CMMC framework. Also, they must assess their current security posture against the requirements of the CMMC standard and identify any gaps.

Assign a Champion for CMMC Certification

Organizations must designate a champion to lead the process of securing CMMC certification. This champion should have the authority and responsibility to manage the entire process and drive it from start to completion.

1. Develop a Plan for CMMC Certification

A thorough plan should be in place that outlines the timeline for achieving certification. This plan should cover all activities, from mapping their system environment to CMMC requirements to training their personnel.

2. Perform Self-assessment for CMMC Certification

Organizations must perform a self-assessment to identify any gaps between the current system environment and the CMMC requirements. This will help guide the development of their security program.

3. Implement Required Controls for CMMC Certification

After performing their self-assessment, the organization must implement any required controls to address the gaps identified. This step may include purchasing additional security hardware or software, as well as establishing appropriate policies and procedures.

4. Conduct a CMMC Readiness Assessment

Organizations may need to hire an independent third-party assessor to conduct a readiness assessment to ensure they are prepared for the formal certification process.

5. Obtain CMMC Certification

After the organization has satisfied all of the CMMC requirements, they should complete the certification process and receive their CMMC certification.

6. Maintain CMMC Certification

Organizations must ensure they are continuously and regularly monitoring their systems to ensure they remain compliant with CMMC requirements.

Generally, organizations can expect the process to take approximately 6-9 months, depending on the organization’s resources and the complexity of the system environment. After the initial preparation, the organization should spend 3-4 months mapping their system environment, implementing controls, and conducting a readiness assessment. The certification process should take another 3-4 months, including the assessment, certification, and any necessary remediation. Finally, the organization should plan for ongoing monitoring of their system environment to ensure they remain in compliance.

The costs associated with obtaining CMMC certification vary depending on the size and complexity of the organization. Smaller organizations may be able to keep costs relatively low by relying primarily on internal resources. For larger organizations, costs can range from tens of thousands to several hundred thousand dollars. This includes expenses for hiring a third-party assessor, purchasing new security hardware or software, and providing training for personnel.

Despite the cost, process, and timeline involved in achieving CMMC certification, it is worth the effort, as it can help organizations protect their network and information. CMMC certification also increases an organization’s credibility and trust with their clients, as certified organizations can demonstrate that they are taking information security seriously and are committed to protecting their data. Additionally, obtaining CMMC certification may give an organization a competitive edge in the marketplace, as the certification is becoming increasingly important for organizations seeking to do business with DoD contractors.

Accelerate Your CMMC 2.0 Level 2 Compliance Process With Kiteworks

The CMMC 2.0 framework includes far-reaching practice controls. DoD contractors and subcontractors—certainly those requiring Level 2 accreditation—must seek out CMMC experts that can help aid them on their journey.

Consulting practices like Optiv have the expertise to map Level 2 practice requirements to your existing controls and technology and guide you through the process of remediating POA&Ms and engaging with a C3PAO for assessment and accreditation.

At the same time and as noted above, DoD contractors and subcontractors can accelerate their CMMC 2.0 Level 2 accreditation process by ensuring they have the right sensitive content communications platform in place.

Many organizations admit to using numerous tools when it comes to sending, sharing, receiving, and storing private content like CUI and FCI. For example, Kiteworks found in our Sensitive Content Communications Privacy and Compliance Report that over two-thirds of organizations rely on four or more systems of record. This increases complexity and inefficiencies as well as risk.

Rather than using a disaggregated set of tools for digital exchange of private content like CUI and FCI, growing numbers of organizations—at 3,800 and counting today—use the Kiteworks platform. Because Kiteworks is FedRAMP Authorized, unlike many other solution options in the marketplace, it complies with or partially complies with a higher number of CMMC 2.0 Level 2 practice areas than those competitive options. Rather than demonstrating compliance with around 50% of CMMC practice requirements, DoD contractors and subcontractors using Kiteworks-enabled Private Content Networks benefit from support for nearly 90% of Level 2 requirements out of the box.

DoD contractors and subcontractors looking to surge out of the gate and achieve CMMC 2.0 Level 2 accreditation ahead of their competitors need to take a serious look at Kiteworks. Schedule a custom demo tailored to your needs today.

Additional Resources

• Webinar What Optiv and Kiteworks Recommend for DoD Contractors and Subcontractors for CMMC 2.0
• Guide A Detailed CMMC 2.0 Guide for DoD Contractors and Subcontractors
• Video What Kiteworks CISO Frank Balonis Thinks About CMMC 2.0
• Article What Is Cybersecurity Maturity Model Certification?
• Blog Post What Is CMMC Security Compliance?