CMMC Consulting for DIB Companies

FirstCall Consulting a Global Leader in Cybersecurity and Compliance
Get a Free Consultation Now

“Cybersecurity is foundational. It can not be traded off for cost, schedule or performance”

Katie Arrington the “Mother of CMMC”

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the new standard for awarding Department of Defense (DoD) contracts. This new standard was put in place after a 2017 audit revealed that barely 60% of Department of Defense (DoD) contractors were compliant with DFARS clause 252.204-7012. In fact, the title of the audit report was, “Alarming Industry Trends Reported in DFARS Cybersecurity Compliance.”

As a stopgap measure, the DoD published an interim rule in September 2020 that required Defense Industrial Base (DIB) contractors to become CMMC compliant. This rule outlined the basic features of the framework, and became effective on November 30th, 2020 establishing a five-year phase-in period for all DoD contractors, with every contract requiring some level of CMMC by 2025. These requirements became known as “CMMC 1.0.”

CMMC 1.0 required all companies to undergo an external audit by a CMMC Third-Party Assessor Organization (C3PAO). This version had a 5-layer model with a differing number of controls at each level. Similar to version 2.0, the levels were dependent upon what kind of Controlled Unclassified Information (CUI) they came in contact with.

Here is a quick breakdown of the 5 levels from CMMC 1.0:


Level 1

17 Practices/ Controls (All from NIST 800-171)


Level 2

72 Practices/ Controls (65 controls from NIST 800-171)


Level 3

130 Practices/ Controls (110 from NIST 800-171)


Level 4

156 Practices/ Controls (110 from NIST 800-171)


Level 5

171 Practices/ Controls (110 from NIST 800-171)

CMMC 2.0

On November 4th, 2021, the DoD released CMMC v2.0 because of an internal review of CMMC 1.0’s implementation that exposed some shortcomings. The review was informed by more than 850 public comments in response to version 1.0. There is a lot of controversy among stakeholders regarding these changes, as some believe these revisions remove the teeth of the regulations and relax requirements too much, while others applaud the DoD for helping small businesses with the cost of compliance.

Here is a breakdown of the new levels: 

Organizations seeking Level 1 compliance must perform 17 “Basic Cyber Hygiene” practices, which are the same controls as version 1.0. The types of companies that will need Level 1 certification are small companies who do not come in contact with Controlled Unclassified Information (CUI), but do have to safeguard Federal Contract Information (FCI).

In fact, the practices in Level 1 are focused on safeguarding FCI, and are things that organizations should be doing anyway, like having complex passwords or locking your doors when you leave the room, to name a few examples.

Following the changes in CMMC v2.0, organizations at this level will no longer be required to pass a third-party audit. Instead, organizations will be allowed to submit an annual self assessment that must be signed off by a high level executive to attest their organization is compliant.

CMMC Level 2, Advanced, replaces the 130 controls found in CMMC v1.0 level 3, with the 110 controls found in NIST 800-171. A majority of companies at this level will most likely be required to pass an external audit. However, a subset of companies will be allowed to perform self-assessments and have a Plan of Action & Milestones (POA&M) in place to address any gaps. They can also apply for a waiver if necessary, and more information will become available as they continue the rulemaking process.

This level is still in development, but it is most closely related to Level 5 in version 1.0. This level will encompass all 110 controls seen in NIST 800-171, as well as additional controls from 800-53 that will be announced at a later date. No companies at this level will be allowed to self-assess, instead they will be required to have an external audit conducted every 3 years by the DoD, not a C3PAO.


Unlike version 1.0, the DoD is allowing all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments. 

Although there will undoubtedly be more changes as the DoD further refines CMMC, one thing is certain to remain constant, NIST 800-171 compliance. The majority of companies are going to fall into Level 2 or 3 of v2.0 and therefore will be required to be validated by external audit by a C3PAO or the DoD. Not to mention that NIST 800-171 compliance is already currently mandated in all DoD contracts by DFARS 7012.

The CMMC is in essence an extension of DFARS 7012, that adds an external audit requirement for most companies, and additional controls for certain companies that handle critical CUI.

What is DFARS?

DFARS were created in December of 2015 by the DoD to require all contractors to maintain the cybersecurity standards of NIST SP 800-171. These standards were made in order to protect CUI, and gave all contractors until December 31st, 2017 to meet the requirements. There are four main DFARS clauses, DFARS 252.204-7012, 7019, 7020, and 7021.

Both DFARS and CMMC require companies to be NIST 800-171 compliant, but CMMC adds some additional controls to a small percentage of companies handling critical CUI. While DFARS allows all companies to self-attest their compliance, CMMC will require a majority of companies to be audited by a third party, either a C3PAO or the DoD itself.

Both current versions of the standards allow companies to have a POA&M in place to address any gaps in their compliance, which is a reversal from v1.0 which required certification at the time of contract award. With the new standards, companies will have approximately 180 days to shore up their security.

The Clock is Ticking

Our CMMC consulting services and managed services are the best way to ensure you and your entire supply chain’s cyber security is prepared for CMMC assessments. Contact us today to ensure CMMC compliance.

Nov 07 2022

Cybersecurity Awareness is Just the Beginning

Readers are likely aware of some of the headline-grabbing cyber attacks in recent years–WannaCry, SolarWinds and Colonial Pipeline, just to name a few. But what about...
Sep 19 2022

Clean Data: Key to the Future of Cloud ERP

As we move further into the 21st century, more and more businesses are making the switch to cloud-based ERP systems. This is in part due to the many advantages that...
May 17 2022

Why agility is important for your people, processes, and technology

Companies need stability to achieve consistent profits. Markets are not always stable, but it’s easy for businesses when there isn’t much uncertainty about...
May 17 2022

5 Things to Avoid While Practicing Organizational Agility

Small to medium-sized businesses (SMBs) have always had to work harder than their larger counterparts to survive. This is especially true during times of crisis, such...
May 17 2022

 Making the Case for Agility: Why SMBs Need to Be More Agile

The last few years have been a perfect example of why agility is so important for SMBs. The global landscape has changed drastically, and businesses that were not able...
May 17 2022

What Organizational Agility Means for the Modern Workplace?

In the business world, things are always changing. Customers' needs and wants to evolve, technology advances, and competitors enter or leave the market. To stay ahead,...
Apr 19 2022

Sustainable Scaling: Achieving Balance in Business

The world is changing at a record pace and the landscape of business has been irrevocably altered as well by shifting customer preferences, new technologies and...
Apr 18 2022

Embracing the Future with Sustainable Thinking

Sustainable thinking is about more than just recycling and using renewable energy. It means laying the groundwork for future employee and customer growth. An...
ECC to Business Suite to S4 Hana to Hana Cloud
Jan 18 2022

The Real story of ECC to Business Suite to S4 Hana to Hana Cloud

Oh my, the sky is falling and SAP says ECC support is due to expire in 2025(See the note: 1648480). While no one, including the big wigs in Waldorf, can say with...
Jan 18 2022

6 Things to consider before an ERP upgrade

As the saying goes “the only constant thing in life is change”. We change our shoes, our jobs, even our relationships. In business knowing when is the right time for...
Share This