A guide to CMMC: Who it applies to, how it will impact you, what parts of your org it applies to
Cybersecurity Maturity Model Certification (CMMC) is a major component of the Department of Defense’s (DoD) push towards securing critical information and data. But, complying with the mandate for CMMC can be an intimidating prospect for many organizations.
Complicating matters, the DoD expects that CMMC will be a requirement of all contracts starting as early as 2026. This has many leading organizations wondering about the particulars of implementing CMMC and how it affects their customers and organizations.
Because CMMC is a big lift, undergoing the process has to make sense for your business, but it can also bring your business and your customers big benefits.
What is CMMC?
As the amount of data we store on computers and online grows, so too does the number of opportunities for malicious actors to access it without permission. Each year, the chances of a malicious cyberattack increases by 11%. Cybercrime is an expensive problem, too, costing organizations an average of $13M.
Through CMMC, the DoD aims to arm contractors with the tools to protect themselves from cyberthreats. By extension, the government improves protection of their controlled unclassified information (CUI).
CUI is a category of information that the government needs to keep from unintended release. It refers to important data that, if released, could provide adversaries with critical information about our nation’s warfighting systems. Protecting CUI helps to keep our nation and our warfighters safe.
Most organizations that do business with the DoD access or use CUI at some point in the course of their work.
The goals of CMMC are to:
- Establish a framework of standards and practices mapped to processes that provide increasing levels of cyber protection, from basic cyber hygiene to more advanced protection techniques.
- Provide businesses, especially small businesses, with guidance and direction that’s in line with the level of risk for their data.
- Build upon existing standards and regulations like National Institute of Standards and Technology (NIST) 800.171 and Defense Federal Acquisition Regulations (DFARs) 252.204-7012 while adding a verification process.
CMMC has five levels:
- Level one, Performed: basic cyber hygiene
- Level two, Documented: intermediate cyber hygiene
- Level three, Managed: good cyber hygiene
- Level four, Reviewed: Proactive
- Level five, Optimizing: Advanced, progressive
Which level an organization achieves depends on their businesses’ and contracts’ needs. For the most basic contracts and micro purchases, level one will likely be sufficient. Most contractors are expected to meet level three with Level two intended to be a stepping stone between levels one and three.
Who does CMMC apply to?
Anyone who has access to CUI is responsible for protecting it. That means that CMMC applies to anyone who accesses CUI, including suppliers and subcontractors. The framework is designed to protect the entire defense industrial base (DIB) and supply chain, so it applies to:
- Materials manufacturers,
- Prime contractors,
- Subassembly manufacturers,
- Defense research organizations,
- Construction companies
- Logistic providers
- And all others in the DIB that access or store CUI.
Currently, those who produce exclusively commercial-off-the-shelf (COTS) products only need to achieve level one CMMC.
What if my organization has both DoD and non-DoD customers?
Many organizations who serve the DoD also have commercial customers. In such instances, these organizations can choose to house DoD data separately from non-DoD data.
Only DoD CUI data needs to be protected by CMMC processes.
Will CMMC affect my customers?
For your organization’s customers in the defense supply chain, they may see some changes in your businesses processes. But ultimately, their data and any associated CUI will be better protected. In this way, both your organization and your customers benefit from improved resistance and resilience to cyberattack through CMMC.
This provides for less disruption and more reliability.
How will CMMC affect my organization?
For those without already-established cybersecurity protocols, CMMC will likely add a layer of processes and complexity. As a rigorous standard, CMMC does require a systematic approach to protecting CUI data.
If you’ve been researching CMMC, then you have likely encountered facets of certification like the Federal Risk and Authorization Management Program (FedRAMP) and Government Cloud Computing (GCC) High environments. Navigating into these environments likely means leaving behind your current cloud-computing provider and moving your CUI data to a GCC-High cloud environment, a process that can be tricky to navigate.
Partnering with a Registered Provider Organization (RPO) like can help ease the transition process both for your organization’s system administrators and individual contributors. RPOs are experienced with FedRAMP and GCC high and can advise on which licenses to purchase, help facilitate the transaction, and assist with designing and architecting enclaves.
What parts of my organization will CMMC apply to?
Because CUI data can come in many forms, including blueprints, technical data, contract data, and more, it can be found in many places in your organization. By extension, CMMC is likely to affect many roles within your organization. The most obvious roles CMMC touches are those in your IT department, who may be in charge of administering the systems on which CUI resides.
Perhaps less obviously, your sales and business development team will need to understand CMMC well enough to address customers’ CMMC questions when they come up and how to delineate which contracts require CMMC and which do not.
Other areas of your organization, including contracts, engineering/development, production, and finance, will need to understand the components of CMMC that relate to their tasks and day-to-day performance.
Finally, because achieving CMMC compliance requires wide-reaching support from across an organization, it is very important to have an executive-level stakeholder – a champion for the effort who can help lead it to completion.
Where can I learn more about CMMC?
Click here to read more about Wipfli’s CMMC services.
Or check out these additional resources:
