What is the CMMC program?

If you’re a small business getting started with defense contracting, you might have heard of the Cybersecurity Maturity Model Certification (CMMC) program. This program establishes and certifies cybersecurity requirements for companies doing business with the Department of Defense. In this article, you’ll learn the basics of the CMMC program, why it’s important, and how it impacts getting government contracts in the future.

CMMC assessments

What is cybersecurity and why is it critical?

In this section, we’ll go over the basics of why having good cybersecurity hygiene is important. Cybersecurity refers to actions and best practices that keep information and systems safe from digital attack. Leaving digital information vulnerable can have far reaching consequences for your business, your customers, and national security. This is because information stored in networks and other digital spaces has value, and is dangerous in the wrong hands. Therefore, it’s crucial to be proactive in protecting it.

In addition, potential losses your business may encounter in a data breach could be:

  • Loss of data
  • Financial consequences
  • Loss of customer trust and business
  • Physical damage
  • Downtime and other scheduling delays

Next, we’ll go over the group affected by these requirements, or the Defense Industrial Base.

What is the Defense Industrial Base (DIB)?

The Department of Defense relies on businesses across industries to develop, manufacture, and transport goods and services so the DoD can perform its tasks. To clarify, the DIB includes businesses large and small that contract with the DoD to provide this support.

Businesses in the DIB have to handle information that needs to be kept secure. Moreover, the level of security has to be balanced according to the risk associated with the data or system without stopping people from getting their jobs done.

What does the CMMC program do?

The DoD created the CMMC program in September 2020 to ensure DIB partners can meet a standard set of cybersecurity requirements. This is to protect information the DoD shares with its business partners.

Requirements set out in the CMMC depend on a tiered model based on how sensitive the information is. Also, it includes assessments and certification to prove a company is meeting the required tier. The first tier is for basic security and the second for advanced. Finally, the third level is for the most sensitive data. Therefore, it will have the strongest, most secure requirements for processing, sending, and storing data.

In addition, the CMMC program covers contractors working with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), not classified information and systems. It also applies to subcontractors, although in some instances a subcontractor may not have to meet the same requirements as the contractor depending on the information they need access to.

CMMC compliance assessments

Now, we’ll go over how the DoD is planning to see if companies are meeting the CMMC requirements. To do this, the company, a third party, or the government conducts assessments depending on the tier. The assessments determine if the company’s digital security practices are meeting the appropriate tier requirements. Companies meeting the first tier requirements must conduct yearly self-assessments.  If a company needs a third party assessment, the company will be responsible for setting it up and getting the required certification every three years.

Third parties running the assessments will need to be accredited and listed on a market by the CMMC Accreditation Body (Cyber AB). The market will help connect CMMC Third-Party Assessor Organizations (C3PAOs) with businesses and make sure that the people checking for CMMC compliance are doing the assessments correctly.

Updates to CMMC

cmmc v2

The DoD is in the process of changing the CMMC 1.0 to 2.0 using information from the public and an internal review to ensure following it isn’t a burden on small businesses.

Some of the changes made include:

·         making assessments more accessible

·         changing from five tiers to three

·        waiving requirements in limited cases

·         aligning with standards set out by the National Institute of Standards and Technology (NIST)

When the updates to the CMMC program are complete, companies contracting with the DoD may need to follow the rules set out by the CMMC 2.0. The required tier will be specified in the solicitation.

CMMC compliance and small businesses

Most contracts with DoD already have some cybersecurity requirements in place specified in FAR Clause 52.204-21 and DFARS Clause 7012.

Contractors with the DoD that meet certain requirements must be CMMC 2.0 compliant in order to be awarded a contract once the program has been fully updated. The DoD has recommended that contractors proactively improve their digital security efforts while the updates are being completed.

In addition, some critical steps to focus on when improving your company’s cybersecurity are:

  • Run security updates when they’re available
  • Set up multi-factor authentication for users
  • Limit access to only the people who need it
  • Educate your workers on cybersecurity best practices


In conclusion, many small businesses don’t have the resources to tackle getting CMMC 2.0 compliant on their own. The process involves a lot of steps including conducting risk assessments and training your workers. Additionally, it can also include running gap assessments and setting up the necessary IT equipment and software. Therefore, businesses with limited IT support will likely have to get outside help to work through the complexities of getting CMMC compliant.

Where can I get help with CMMC compliance?

Priority Defense specializes in helping small to medium-sized businesses with understanding and meeting CMMC requirements, getting licenses and certification, conducting gap assessments, and more. Feel free to reach out to us with your questions about the CMMC program and how it affects your business.

Download our FREE Self-Assessment Workbook

Stay up-to-date!
Get insights and tips from experts