5 Essential Tips to Meet CMMC Requirements


Zac AmosFeatures Editor at ReHack

Friday, January 20, 2023

Cybersecurity outfits already have to obtain a medley of compliances. Still, if you’re a company seeking to work as a government contractor, CMMC is another one to add to the list.

Article 4 Minutes
5 Essential Tips to Meet CMMC Requirements

As assessments begin, it’s critical to know how to meet CMMC requirements to pass on the first try. Meeting these requirements will not only further verify a company’s knowledge, but it will solidify competitive advantage.

What is CMMC compliance and why is it important?

CMMC represents the Cybersecurity Maturity Model Certification. The United States Department of Defense (DoD) requires it to become a Defense Industrial Base (DIB) contractor. CMMC is in its second revision and officially beginning to administer assessments for official compliance.

CMMC aims to test analysts’ capabilities to protect controlled unclassified information (CUI) and federal contact information (FCI). It requires them to intimately understand the regulations for protecting government information based on its designation. Because FCI should never reach the public and CUI needs safeguarding — though it could be distributed — it tests contractors’ abilities in multiple avenues, not just defense.

The original compliance certification for contractors was the Defense Federal Acquisition Regulation Supplement (DFARS), but critiques have caused it to evolve into CMMC for a more comprehensive and inexpensive protocol. It’s also easier to verify how well contractors adhere to it over time with stricter requirements and more frequent evaluations — aspects the DFARS didn’t contain as thoroughly.

Because the DoD is making CMMC a blanket requirement, it means if a company doesn’t have compliance, it won’t be able to bid for government contracts. If it chooses not to become CMMC compliant, it must search for other vectors for stability.

Registering now is critical because there are perks to adopting CMMC early. The final documentation won’t be released until 2023 or 2024, but it doesn’t stop companies from lining up and beginning inspections.

What tips are there for meeting CMMC requirements?

The framework is still under construction, meaning some aspects are still up in the air. However, there is enough information out there to create a strategy now.

1. Know the levels

There were five levels in the first write-up of CMMC compliance, but now there are only three. They are distinct in their purpose and knowing them beforehand will help the process go smoother:

  • Level 1: Primarily contains self-assessment concerning how well contractors commit to cybersecurity education, with confirmation from another internal representative.
  • Level 2: Primarily contains third-party assessment from CMMC Third Party Assessment Organizations.
  • Level 3: Primarily contains government assessments — the specifics are still under evaluation.

Not every DIB outfit will need every level, so familiarize yourself with what effort you’ll have to make for your purposes. Based on your goals, you can determine the gaps in knowledge and strategy your organization has based on the requirements for each level and begin taking action.

2. Get an interim assessment

Interim assessments happen before the official certification assessment process. These began as a response to the cybersecurity crisis — the demand for compliance and protection of government information is high. Therefore, urgency increased.

Receiving an interim assessment could provide incentives which they are still solidifying. Early interim assessment-takers will also be honored three years after the final rule is published, meaning companies could hold onto compliance longer than standard.

3. Familiarize yourself with NIST 800-171

One unintentional incentive is the test may be more straightforward if performed early. Since the compliance requires NIST 800-171 knowledge to pass, CMMC assessment ties to the most recent version of NIST 800-171 — revisions to NIST 800-171 in the future could make the exam more challenging. Following NIST 800-171 is the cornerstone of implementing necessary security controls and passing the audit.

4. Create POAMs and know the deadlines

The official deadline has yet to be determined because the draft still needs completion. However, another deadline to keep an eye out for is remediation. The assessment process permits recovery from mistakes with a Plan of Action and Milestones (POAM).

If you fail, they will guide how to improve and ask organizations to outline how they plan to fix issues. Improvements and reevaluation must happen within 180 days of that decision to progress through the rest of the steps.

5. Keep records of everything

Providing documentation to your assessors will make the process happen more seamlessly. It doesn’t matter what the documentation is — it could be risk assessment strategies, a system security plan or what training employees received to become more qualified. Regardless of whether CMMC requirements explicitly require it doesn’t matter because every bit of information helps inform assessors of your qualifications.

Obtaining CMMC compliance is essential

There appears to be a lot of time to adjust operations to meet requirements and get assessments in before the deadline, but it’s not as much time as it looks. The process is thorough and time-consuming, so the best time to start is now.

When it comes to CMMC compliance, early adopters obtain an industry advantage. If you ensure contractors have up-to-date knowledge in the cybersecurity sector, you will meet CMMC requirements for compliance which is crucial for success.

Zac Amos

Features Editor at ReHack


As the Features Editor at ReHack, Zac Amos writes about cybersecurity and the tech industry.


Join the conversation...