10 Questions with a CMMC Registered Practitioner

  • Written by: Trevor Meers
  • December 1, 2021

The Defense Department recently pumped the brakes on the rollout of its much-discussed CMMC cybersecurity standard—and made significant changes that should greatly simplify compliance for private companies. But that raises plenty of questions about exactly where contractors go from here. We talked with Jeff Hudgens, a CMMC Registered Practitioner, for guidelines on what manufacturers, software developers and other contractors need to know about CMMC 2.0.

"You should be constantly honing your cybersecurity policies as a matter of smart risk management. Doing that will help you be ready for CMMC when it comes into play."

Jeff Hudgens, CMMC Registered Practitioner

Answers to CMMC Certification Questions 

Q: Can you give us a 20-second reset of what CMMC is? 

A: In 2019, the DoD began a lengthy process for beefing up security for every company in its supply chain via the Cybersecurity Maturity Model Certification (CMMC) standard. In all, about 300,000 companies face new cybersecurity compliance rules if they want to keep winning contracts from the Pentagon and its prime contractors. But, as you might expect from a massive new government program, confusion and controversy have dogged CMMC’s rollout. 

In the latest move, CMMC 2.0 arrived in November with numerous adjustments handed down by the CMMC Accreditation Body (CMMC-AB). 

Q: Let’s start with timeline. How soon do companies need to comply with CMMC? 

A: No one really knows at this point, but no deadlines are looming. The DoD originally said some level of CMMC requirement would appear in all of its contracts by 2025. But with the release of CMMC 2.0, all of that is up in the air again. The DoD is diving into an open-ended “rulemaking process” and has dropped plans to include CMMC requirements in upcoming contracts. One thing we’re hearing is that the DoD may offer incentives to companies that voluntarily adopt CMMC guidelines, which sounds like an effort to motivate some early adopters. 

Q: What prompted the revisions to CMMC? 

A: The private sector pushed back heavily on the regulatory burden imposed by CMMC’s complexity. The new release makes the whole program simpler and, frankly, leaves a lot of lingering questions about how much will ever be required for DoD contractors. The DoD is making flexible implementation a key factor in the CMMC revisions. 

Q: Have CMMC levels changed under the new plan? 

A: Yes, they’ve been simplified. CMMC 1.0 included five levels that a vendor could be required to meet under any given DoD contract. CMMC 2.0 cuts the original five levels down to just three. This chart from the official federal CMMC site shows how the new levels compare to the old ones: 

[Chart: CMMC 2.0 Levels vs. Original Levels]

Q: Does CMMC 2.0 still require a third-party certification of security practices? 

A: That’s one of the biggest changes in the new release. Under CMMC 1.0, every level required assessment by an approved third party. But CMMC 2.0 dramatically reduces the requirements for third-party assessments. Companies pursuing contracts with a Level 1 requirement can now submit a self-assessment. At Level 2, some contracts will require third-party assessment. These moves are clearly designed to address industry complaints about increasing compliance regulations. At Level 3, the DoD intends for government assessors to review the security standards of contractors handling the most sensitive information.

Q: So the government will mostly take companies at their word regarding their security programs? 

A: You can still plan on some oversight, even when self-assessment is allowed. Companies that knowingly falsify their reporting may, for example, face false claims lawsuits from the Department of Justice. 

Q: Does the new approach allow remediation plans? 

A: Yes. In another concession meant to ease the compliance burden on companies, CMMC 2.0 lets companies achieve certification while still pursuing Plans of Action and Milestones (POA&Ms) to fix any shortcomings. This eliminates the pass/fail nature of CMMC 1.0. In some circumstances, the DoD says it will even let companies apply for CMMC waivers.

Q: How have the actual controls changed? 

A: CMMC 1.0 included a significant number of CMMC-specific requirements. Those are gone in version 2.0. Level 2 now mirrors the widely used NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172. The bottom line is that companies following industry standards should be able to achieve CMMC compliance without adopting other proprietary controls. 

Q: Do I need to do anything right now? 

A: These changes take most of the urgency out of CMMC compliance since we have no idea when it will appear in DoD contracts. But CMMC’s requirements generally follow what the industry considers basic cybersecurity best practices. So you should be constantly honing your cybersecurity policies as a matter of smart risk management. Doing that will help you be ready for CMMC when it comes into play. And if you’re unwilling to take the supply chain security steps required to meet even CMMC Level 1, you’ll probably find that many large, private companies won’t feel safe doing business with you anyway. 

Q: Where can I get help figuring out what’s required for me? 

A: HBS compliance experts can help you understand the compliance requirements for your specific situation. 

You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at aptac-us.org. 

Editor's Note: This post was originally published in February 2021 and has been updated to reflect changes in CMMC.
