By: Dave Bykowski on November 15, 2022

What Is CMMC 2.0 Compliance?

Cybersecurity | Compliance

If your organization relies on business with the Department of Defense (DoD), you may need to ensure that your IT infrastructure can pass a third-party assessment for cybersecurity readiness soon as part of the requirements for CMMC 2.0 compliance.

CMMC (Cybersecurity Maturity Model Certification) compliance will determine your eligibility to compete for government contracts. Version 2.0 is the latest iteration. Wondering what it requires and how you can become compliant? I can help.

I’ve worked in IT for more than 15 years. In my current assignment at Kelser, I focus on cybersecurity. I work with customers to evaluate and mitigate their cybersecurity risk through the implementation of the controls listed in NIST 800-171, which form the basis for CMMC 2.0, as well as internal policies and procedures.

In this article, I will explain what the CMMC 2.0 framework contains, who needs to comply, what compliance entails, and the steps you can take now to position your organization for compliance with the new standard. 

What Is CMMC 2.0?

The DoD first introduced a Cybersecurity Maturity Model Certification framework (known as CMMC) in 2019. 

CMMC 1.0 followed in early 2020, but small and medium-sized businesses quickly objected to the complexity of the framework and assessment process outlined in CMMC 1.0. 

As a result, the CMMC guidelines are being refined, and CMMC 2.0 is the latest iteration of this framework. It is expected to be fully implemented by 2025 (with indications that it may be operational to some degree before then, possibly as early as 2023).

In every form, CMMC is designed to protect information shared within the U.S. Defense Industrial Base (DIB) and the contract information necessary to produce the parts, systems, and components needed for national defense. 

The main goal throughout all of the CMMC iterations is to validate the safeguards and practices that ensure basic cyber hygiene and the protection of federal contract information (FCI) and controlled unclassified information (CUI), within the supplier and partner networks of the DIB.  

What Does CMMC 2.0 Require For Compliance? 

CMMC 2.0 provides a framework for assessing whether government contractors and subcontractors comply with the requirements it outlines, and how prepared and able those organizations are to handle cyber threats. The assessments will also evaluate how well organizations integrate cybersecurity into their culture.

There are three levels of certification identified in CMMC 2.0:  

  • Level 1 - Foundational

This level of certification, which requires an organization to annually self-assess and self-attest, is restricted to partners or suppliers that only work with FCI.

  • Level 2 - Advanced 

This certification, which requires assessment by a certified, third-party assessment organization (or C3PAO) every three years, is for organizations that handle CUI.

  • Level 3 - Expert 

This certification, which also requires a government assessment every three years, is reserved for organizations that work with CUI on the DoD’s highest priority programs.

Each level builds on and includes the requirements of the lower level(s). 

Generally speaking, partners or suppliers that ONLY produce off-the-shelf commercial products will likely not require CMMC certification.

What Are FCI And CUI? 

FCI and CUI are classifications of information. Here's how each is defined: 

  • FCI

Federal Contract Information (FCI) is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

  • CUI

According to the National Archives, CUI or Controlled Unclassified Information is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

An infographic from the National Archives CUI Program Blog helps define FCI, CUI, and public information.

According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, "If a DIB company does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1."  

How Do I Know If I Handle FCI or CUI?

I’ll provide some guidelines below, but the best way to determine if you handle FCI or CUI is to look at your existing contracts and subcontracts. If you aren’t sure, ask your partner!

When Will CMMC 2.0 Compliance Be Required By Contracts?

According to the DoD CMMC FAQ page, “CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.”

The general industry expectation is that CMMC 2.0 will be fully implemented by 2025 (with indications that it may be operational to some degree before then, possibly as early as 2023).

What If We Don’t Comply With CMMC 2.0? 

A failed CMMC assessment could potentially lead to lost contracts, loss of revenue, and even business closure.

Can I Do Anything In The Meantime To Prepare? 

In 2020, the DoD published an interim rule (DFARS Case 2019-D041) specifying that suppliers of high-level defense manufacturers must document assessment action toward compliance with NIST 800-171.

The controls identified in NIST 800-171, related to the protection and distribution of sensitive material, are identical to those required in a CMMC assessment. 

Implementation of the NIST 800-171 controls is necessary for compliance with both current requirements and the practices to be assessed in CMMC.

Since NIST 800-171 compliance can take months to achieve (depending on your current cybersecurity posture), implementing NIST 800-171 now will put your organization in a better position for CMMC 2.0 compliance.

Read this article to learn everything you need to know about the 14 CMMC control families, the 3 certification levels, and what they mean for you.

What Can I Do Today To Prepare For CMMC 2.0? 

After reading this article, you know what CMMC is, the three levels of certification, and the ramifications of noncompliance. You understand FCI and CUI and how to determine if you handle it. You also know when CMMC is expected to be incorporated in contractual requirements and the 14 CMMC control families which mirror those required in NIST 800-171. 

You may be wondering where you go from here. Since NIST 800-171 is already required and is the basis for CMMC 2.0 requirements, align your organization to the NIST framework first. This could take several months to implement and integrate into your company culture. 

The best practice would be to start tackling NIST now. Address gaps. Find the best practices. Remediate as necessary. Test. Reassess. 

Some organizations will have all the resources they need to handle NIST and CMMC compliance. Others may not. If you find that your organization could benefit from help, evaluate several providers so that you are sure to get the one that is the right fit for you.

No matter what IT support you need, it’s always a good idea to compare a few potential support organizations. We take this advice so seriously that we’ve already done some of the legwork for you. Check out this honest, head-to-head comparison of the offerings of Walker and Kelser.

The truth is, IT organizations have different strengths. We know that, and by comparing publicly available information, we save you the time you would have spent scrolling through both websites to do it yourself.

Rather than hype our managed IT support services, we prefer to spend our energy publishing honest, informative articles about IT issues that business leaders like you need to know about, whether we work together or not. 

If, after reading these articles, you find yourself wondering about managed IT support, read this article to find out what managed IT support is, what’s included, and how much it costs. For more unbiased articles on a variety of relevant IT topics, visit our learning center.

About Dave Bykowski

Dave Bykowski is Kelser's manager of information security and compliance. Dave's multiple certifications and nearly two decades of industry experience help him guide businesses in their journey towards cybersecurity and compliance.