Expert Guidance for Cyber Resilience & Risk Readiness


The U.S. Department of Defense (DOD) had long required contractors to implement the cybersecurity controls outlined in NIST Special Publication 800-171, but compliance was based on self-attestation, and the implemented controls were inconsistent across the Defense Industrial Base (DIB).

So, the DOD introduced the Cybersecurity Maturity Model Certification (CMMC) as a tiered, third-party certification model to verify that defense contractors are applying proper cybersecurity practices to safeguard sensitive information across the defense supply chain. It ensures accountability by requiring organizations to undergo formal assessments and obtain certification at a maturity level appropriate to the sensitivity of the information they manage, e.g., Federal Contract Information (FCI) at Level 1 and Controlled Unclassified Information (CUI) at Levels 2 and 3.

This pivotal change signifies that cybersecurity isn’t just an IT issue anymore but a core component of contractor eligibility and performance. Contractors that fail to obtain and maintain the required CMMC certification level will be ineligible to receive or renew contracts that involve handling FCI or CUI. This will affect all tiers of the supply chain, including subcontractors.

The implications include:

  • Eligibility restrictions: Bidders without appropriate certification will be disqualified from participating in DOD procurements.
  • Increased due diligence: Prime contractors will need to ensure subcontractor compliance to maintain overall supply chain security.
  • Resource commitments: Contractors will need to invest in policies, tools, staffing and documentation to achieve and sustain compliance.

Build Compliance, Contract Readiness, and Cyber Resilience

The CMMC Final Rule ultimately enhances national security by improving cyber resilience across the DOD supply chain. Contractors who proactively adopt these standards will position themselves as trusted, reliable partners for DOD contracts. In the meantime, here are a few actions to take in preparation for the certification process: 

  • Determine Your Required CMMC Level: Assess the types of information you handle and determine the level of CMMC certification required for your contracts.
  • Budget for Certification Costs: The Final Rule has cost implications, so ensure your budget accommodates CMMC compliance.
  • Start Now: CMMC certification can take months to achieve due to strict cybersecurity requirements and the expected near-term shortage of third-party assessors. 

CMMC Levels Overview

CMMC has three maturity levels of compliance, determined by the type of information your organization handles.

CMMC Maturity Levels, Requirements, and Assessments (chart by Structured)

Level 1
  • Who It Applies To: Organizations handling Federal Contract Information (FCI) only.
  • Requirements: Meet 17 basic cybersecurity practices aligned with FAR 52.204-21.
  • Assessments: Annual self-assessment of compliance and security practices.

Level 2
  • Who It Applies To: Organizations handling Controlled Unclassified Information (CUI).
  • Requirements: Meet the 110 security controls specified in NIST SP 800-171.
  • Assessments: Assessments conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs) every 3 years, OR a self-assessment for select programs every 3 years.

Level 3
  • Who It Applies To: Organizations working with CUI and facing Advanced Persistent Threats (APTs).
  • Requirements: Must comply with both the 110 NIST SP 800-171 security controls and an additional 24 enhanced security controls from NIST SP 800-172.
  • Assessments: Third-party assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Detailed information about CMMC can be found at the DOD website.

Structured’s Roadmap To CMMC Compliance

CMMC certification is not a one-time milestone; it is an ongoing pledge to safeguard the future of national defense. Before pursuing a formal CMMC certification audit, prime contractors and subcontractors in the DIB should spend time developing a compliance strategy and engaging with a Registered Practitioner Organization (RPO) authorized by The Cyber AB, such as Structured. Our pre-assessment services reduce the risk of audit failure, build confidence across stakeholders, and provide a clear roadmap to final certification. Structured makes compliance achievable for DOD contractors with RPO services that include:

CMMC Readiness Assessment

We evaluate your readiness for CMMC certification and identify specific areas for improvement so that you can achieve certification and protect your contracts.

  • Certification audit pre-assessments
  • Gap analysis
  • CUI and FCI discovery and flow identification

Remediation Planning

We assist in developing and implementing a remediation plan, addressing each gap in your cybersecurity program.

  • Configuration weakness identification
  • Documentation: System Security Plan and Policies
  • Architecture design and equipment recommendations

Ongoing Compliance Support

We offer continuous support to help your organization maintain compliance between certifications, ensuring readiness for future assessments.

  • Documentation review
  • Risk and vulnerability management
  • Control validation

Risk Assessment and Testing

We rigorously test the external infrastructure, internal network environment, applications, and end users for susceptibility to exploitation.

  • Risk assessments
  • Vulnerability scans
  • Penetration testing

CMMC Confidence Starts Here

The path to CMMC certification can be complex and time-consuming, but you don’t have to navigate it alone. As a Registered Practitioner Organization (RPO) listed on The Cyber AB CMMC Marketplace, Structured can help you simplify and streamline the path to compliance. Our team is here to provide expert guidance, proven methodologies, and tailored support to help you confidently prepare for CMMC certification.

Start your CMMC compliance journey today. Contact Structured for trusted CMMC compliance services.

Answers to Your Frequently Asked Questions

Who needs to be CMMC certified?

All companies within the Department of Defense (DoD) supply chain that handle government information must obtain the appropriate CMMC certification level.

What are the different CMMC levels?

The DOD introduced CMMC as a tiered, third-party certification model to verify that defense contractors are applying proper cybersecurity practices. It ensures accountability by requiring organizations to undergo formal assessments and obtain certification at a maturity level appropriate to the sensitivity of the information they manage, e.g., FCI at Level 1 and CUI at Levels 2 and 3.

How do I know what CMMC level my business needs?

The level of CMMC certification your business needs depends on the type of information it handles and the requirements of your DoD contracts. Companies that work with Federal Contract Information (FCI) generally need Level 1 certification, which focuses on basic safeguarding practices. Those that handle Controlled Unclassified Information (CUI) require Level 2 certification, which aligns with NIST SP 800-171 standards for more advanced security. In rare cases, contractors involved in critical national security programs may need Level 3 certification, which adds enhanced cybersecurity controls. The specific level required will typically be outlined in your contract under the relevant DFARS clauses.

Can we still bid on DoD contracts without certification?

Yes, businesses can still bid on DoD contracts without CMMC certification during the early phases of the program rollout. However, to be awarded a contract that includes CMMC requirements, the business has to meet the specified certification level before contract performance begins.

