While CMMC is still evolving, you will want to ensure your business is up to date on what a CMMC certification is and how its updates affect you.

The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.

What is CMMC? Cybersecurity Maturity Model Certification is a standard that requires Department of Defense contractors to meet certain levels of cybersecurity in order to protect the department’s sensitive data.

CMMC & CMMC 2.0: Cybersecurity Maturity Model Certification

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for safeguarding Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). It is a framework used to assess an organization’s cybersecurity practices and allows the Department of Defense (DoD) to certify that these practices meet the requirements set forth in NIST SP 800-171. The certification is required for all organizations working with the DoD, as CMMC is designed to protect CUI from cyber threats and to ensure that contractors follow the same cybersecurity policies and procedures.

What Is the CMMC Framework?

The Cybersecurity Maturity Model Certification (CMMC) is a streamlined and centralized cybersecurity framework created by the U.S. Department of Defense to support contractors in defense supply chain compliance and security efforts.

Understanding the CMMC framework is crucial for defense contractors as it outlines the necessary cybersecurity standards and practices required to protect sensitive data and ensure compliance. CMMC is designed to enhance the defense sector’s security posture by mandating a tiered cybersecurity framework. This framework is essential for contractors working with the DoD and associated agencies, as it specifies the levels of cybersecurity hygiene and processes that must be implemented based on the sensitivity of the data handled.

Unlike previous regulations that allowed contractors to self-certify their cybersecurity measures, the CMMC framework introduces a tiered system of compliance, ranging from basic cyber hygiene requirements to advanced security protocols, ensuring that all defense contractors meet a baseline of cybersecurity standards to protect both unclassified and controlled unclassified information critical to national security.

Introduced in 2019, the CMMC framework was established to enhance the cybersecurity posture of defense contractors, ensuring they have the required levels of security to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Differing from the previous self-certification process under NIST 800-171 guidelines, the CMMC framework mandates a third-party assessment to validate compliance, answering the vital question of “what is CMMC” by setting a structured benchmark for cybersecurity readiness and resilience within the defense industrial base.

What is CMMC? – Key Takeaways

  1. Understand CMMC: CMMC is a DoD-mandated standard for defense contractors to safeguard Controlled Unclassified Information (CUI) against cyber threats.
  2. Migration to CMMC 2.0: CMMC 2.0 is a streamlined framework featuring more rigorous controls and procedures.
  3. CMMC Scope and Levels: The CMMC framework covers FCI and CUI. CMMC 2.0 comprises three maturity levels, each with specific, increasingly rigorous requirements.
  4. Certified Third-Party Assessors: C3PAOs are crucial for evaluating an organization’s cybersecurity practices objectively and ensuring compliance with CMMC.
  5. Preparing for CMMC Certification: Utilize the CMMC-AB marketplace to identify reputable RPOs and C3PAOs for audits.

The CMMC framework marks a pivotal shift in how defense contractors ensure cybersecurity compliance. Previously reliant on self-attestations, the CMMC framework introduces a structured model that necessitates third-party audits to verify compliance with cybersecurity standards. This framework is encapsulated in the interim rule Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041, integrating CMMC requirements into all defense procurement processes. This transformation underlines the Department of Defense’s commitment to fortifying cybersecurity measures across its supply chain, highlighting the criticality of understanding what CMMC is and its implications for defense contractors.

In November 2021, the DoD unveiled the CMMC 2.0 framework, marking a significant evolution in the cybersecurity standards for defense contractors. We’ll explore in greater detail below the enhancements introduced with the CMMC 2.0 framework.

What is the Scope of the CMMC Framework?

The scope of the CMMC framework covers the security of all Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) stored or handled within a covered contractor’s environment, and it applies to all activities conducted by the organization. The processes and procedures address the security of every part of the contractor’s organization that processes, stores, or transmits FCI and CUI, including its networks, systems, personnel, and other assets.

CMMI vs. CMMC: Which One Do Defense Contractors Need?

The Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI helps organizations to improve process performance and integrate organizational processes. It is used across a variety of industries, including aerospace, defense, software engineering, finance, government, and healthcare. CMMI is a framework that defines process improvement stages and assesses the maturity of organizations in six key areas of process implementation: performance, project management, services, support, process integration, and organizational process focus.

The Cybersecurity Maturity Model Certification (CMMC), as we’ve discussed, is a certification created by the U.S. Department of Defense (DoD) to better protect unclassified data that is either processed on or stored on DoD contractor and subcontractor networks. CMMC certification is required for DoD contracts, and it is intended to provide an additional layer of security for sensitive data and information systems. CMMC is designed to address the need for additional security controls for DoD contractors and suppliers handling Controlled Unclassified Information (CUI).

The main difference between CMMI and CMMC is the purpose of each certification. CMMI is a process improvement approach used to improve organizational processes and performance, while CMMC is a security certification intended to protect unclassified data stored on DoD contractor and subcontractor networks.

Defense contractors should adhere to both CMMI and CMMC in order to increase the security of their systems and ensure they are compliant with all relevant DoD regulations. CMMI will help contractors better manage and improve their processes, while CMMC will protect their networks and unclassified data. Additionally, CMMC also provides a basis for determining whether a defense contractor is meeting their contractual obligations. By adhering to both CMMI and CMMC, defense contractors can protect their networks, data, and systems and protect their reputation.

What Is CMMC 2.0?

In November 2021, the DoD revised requirements based on feedback from partner organizations and firms undergoing the C3PAO certification process. Their goal with this revision was to streamline the framework to make it less costly and time-consuming for all stakeholders without sacrificing effectiveness.

The proposed changes under version 2.0 include the following:

  • Reducing Maturity Levels From Five to Three: Under 2.0, the new model will only include three maturity levels. Level 1 will still be the minimum to handle FCI and require 17 practices from NIST 800-171. Level 2 will be the minimum level for managing CUI and represents a merger of the original second and third levels with a required 110 total practices. Finally, Level 3 will include 110+ required practices (determined by the needs of the client agency).
  • Only Limited Requirements for C3PAOs: Rather than require a C3PAO for all contractors, version 2.0 only requires a triennial third-party audit for certification at Levels 2 and 3. Contractors seeking Level 1 certification (and a limited number of those seeking specific Level 2 certifications) can opt for annual self-attestation.
  • Plan of Action and Milestones: Some other frameworks included the option for audited contractors to submit a POA&M at the end of their audits. Suppose their auditor determined that the contractor was not fully compliant but could become compliant in a reasonable time frame with relatively simple changes. In that case, the auditor could authorize the contractor with a completed and binding POA&M. CMMC 1.0 did not allow this approach—the contractor had to be fully compliant to receive certification. Under version 2.0, the DoD will allow POA&Ms under certain conditions.

The CMMC 2.0 model is currently a published model still undergoing the review and rulemaking process, which is expected to finish in 9–24 months. In the meantime, the CMMC-AB still honors and operates under version 1.0 audits and certifications.

What Is a Certified Third Party Assessor Organization?

The other major update from CMMC 1.0 is the requirement of a third-party assessment through a Certified Third Party Assessor Organization (C3PAO).

C3PAOs are critical security firms in defense cybersecurity that have received accreditation from the CMMC Accreditation Body (CMMC-AB) to audit defense contractors. Any organization familiar with other security frameworks like FedRAMP will immediately recognize this process. CMMC borrows some of its auditing process from the same documents, namely NIST 800-53 and FIPS 140-2.

One of the drawbacks to working with a C3PAO is that they cannot also serve as a consultant with your organization. That’s why there is a secondary designation under regulations—the Registered Provider Organization. An RPO can provide consulting, recommendations, and advice to clients who are preparing for their compliance journey. The same security firm can never serve as both an RPO and a C3PAO for a single organization.

Best Practices for CMMC Certification

The following are just a few best practices to help defense contractors pursue the CMMC certification process:

  • Use the Marketplace: The Cyber AB website includes a marketplace for both RPOs and C3PAOs (even those currently undergoing their own certification). Always select potential partners from this site, since it is the authenticated, legitimate listing of reputable security firms in this market.
  • Work With Compliant Technology: More likely than not, businesses work with some cloud provider, managed service provider, or file management vendor as part of their operations. Maintaining compliance requires that companies vet their vendors and only work with those who have or can support certified technology.
  • Work With an RPO: Don’t make things harder than they need to be. While a C3PAO can help with your audit, an RPO can help prepare for that audit in ways a C3PAO can’t. Look into RPO and CMMC advisory services as you start with compliance efforts.
  • Get Ready for Version 2.0: If you are already working through CMMC now, you will receive certification under the current regulations and be grandfathered into CMMC 2.0. The DoD is already preparing for that transition, but in the meantime it is best to know now what your obligations will be under the new framework.

The CMMC Framework: Critical Compliance for National Defense

The CMMC framework, or Cybersecurity Maturity Model Certification, is an essential component for any contractor within the defense industrial base supply chain, ensuring that their technology, processes, personnel, and overall operations adhere to stringent cybersecurity standards. CMMC should be viewed as much more than a regulatory hurdle; it embodies a comprehensive security protocol that enhances a business’s cybersecurity defenses, resources, and maturity. Achieving compliance with the CMMC framework not only fulfills a critical requirement but also significantly bolsters a business’s cybersecurity posture, securing its position within the defense sector’s supply chain.

The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP, managed file transfer, and a next-generation digital rights management solution so organizations can control, protect, and track every file as it enters and exits the organization.

Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box. As a result, DoD contractors and subcontractors can accelerate their CMMC 2.0 Level 2 accreditation process by ensuring they have the right sensitive content communications platform in place.

With Kiteworks, DoD contractors and subcontractors unify their sensitive content communications into a dedicated Private Content Network, leveraging automated policy controls and tracking and cybersecurity protocols that align with CMMC 2.0 practices.

Kiteworks enables rapid CMMC 2.0 compliance with core capabilities and features including:

  • Certification with key U.S. government compliance standards and requirements, including SSAE-16/SOC 2, NIST SP 800-171, and NIST SP 800-172
  • FIPS 140-2 Level 1 validation
  • FedRAMP Authorized for Moderate Impact Level CUI
  • AES 256-bit encryption for data at rest, TLS 1.2 for data in transit, and sole encryption key ownership

Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks, organizations can control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; and see, track, and report all file activity, namely who sends what to whom, when, and how. Finally, they can demonstrate compliance with regulations and standards like GDPR, HIPAA, CMMC, Cyber Essentials Plus, IRAP, and many more.

To learn more about Kiteworks and CMMC certification, schedule a custom demo today.
