Trustwave Blog

The CMMC: Answers About What to Expect and What it Means to You

As we kick off the New Year, the Defense Industrial Base (DIB) and its 300,000+ members are legally required to bolster their defenses and align IT security with the Cybersecurity Maturity Model Certification (CMMC) in 2020.

Given the current cyber climate, security leaders must bolster data security defenses and make tactful adjustments to their security strategy. Depending on the sector they operate in, many don’t have a choice but to comply given the regulations in place. That happens to be the case with organizations in the DIB and the thousands of entities that make it up. Once the first draft of the Cybersecurity Maturity Model Certification (CMMC) was issued by the U.S. Department of Defense (DoD), suppliers, contractors, and subcontractors who serve DoD were put on alert: comply or risk current and future business pursuits.

The CMMC framework shows that the fight against data exfiltration by threat actors and nation-states is real, and that the DIB needs to act quickly to comply.

As the looming deadline approaches, we’ve decided to answer ten general (but important) questions you likely have when it comes to the new regulation.

1. What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a government requirement that will categorize multiple levels of cybersecurity to assess the maturity of a company’s implementation of cybersecurity controls, practices, and processes. The CMMC will encompass five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced.”

2. Who needs CMMC?

All contractors or suppliers (prime and sub-contractors) doing business with the DoD will be required to comply with CMMC. Examples include system integrators, equipment manufacturers, service providers, and suppliers, all of which need to achieve a CMMC rating if they wish to continue to do business with DoD. The requirement for CMMC is the DoD’s first step in enhancing the security, visibility, and situational awareness of the DIB and the 300,000 organizations that make up the DoD Supply Chain.

3. Why was CMMC created?

Originally, DoD required compliance with NIST 800-171, which DIB members could self-certify. DoD discovered that actual compliance is lacking; therefore, a third-party assessment is now required to document cybersecurity controls, practices and processes, and determine cybersecurity maturity level. The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases the risk to national economic security and, in turn, national security.

4. Who is creating CMMC?

To secure the DoD Supply Chain, the DoD is creating the CMMC compliance program in collaboration with Johns Hopkins Applied Physics Lab, Carnegie Mellon Software Engineering Institute, and industry. CMMC firmly establishes security as the foundation for acquisition and combines the various cybersecurity standards into a unified standard that will serve as a requirement to do business with the DoD.

5. What is CMMC based upon?

The CMMC intends to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

6. When does CMMC go into effect?

CMMC will go into full effect by fall 2020.

Third-Party Assessment Organizations (3PAOs) will be trained as early as the April/May 2020 timeframe. The CMMC will appear in Requests for Information (RFIs) by June 2020 and Requests for Proposal (RFPs) as early as August/September 2020. That means that all contractors, sub-contractors, and suppliers will need to prove adequate cybersecurity controls, practices and processes via a 3PAO assessment and certification before bidding on new or renewed work by fall 2020.

7. How do I get started with CMMC?

If you are a government contractor, sub-contractor or supplier, it is best to begin with a pre-assessment to review your current security maturity level and identify any gaps in your security posture based on the level that you are trying to achieve.

  • Level 1: 17 practices to achieve “Basic Cyber Hygiene”
  • Level 2: 55 additional practices to achieve “Intermediate Cyber Hygiene”
  • Level 3: 59 additional practices to achieve “Good Cyber Hygiene”
  • Level 4: 26 additional practices to achieve “Proactive”
  • Level 5: 16 additional practices to achieve “Advanced Progressive”

From there, you may need to work with different cybersecurity solution providers to implement controls, practices and processes that meet any of the 17 domains that align with the maturity level your company is seeking.

Once you have what you believe to be complete controls in place, you will meet with a 3PAO for your third-party assessment. The assessment will provide a certification verifying the level of security maturity, which will, in turn, determine the contracts you can bid on, thus protecting your current and future business pursuits with DoD.

8. Where can I get a CMMC assessment or certification?

Assessments and certifications will be provided by a number of C3PAOs.

9. What if you are certified at a level too low?

If you receive an assessment from a 3PAO that is at a level too low for you to renew existing contracts or bid on new contracts, you can work with different cybersecurity solution providers to implement controls, practices, and processes to strengthen your cybersecurity posture and get reassessed.

See which domains Trustwave can help with here.

10. What else do I need to know about CMMC?

CMMC is slated to go into full effect by fall 2020 but will also have ongoing certification requirements. While the regulation is not yet final, we expect to see annual (Level 4 and 5), bi-annual (Level 3) and ongoing (every 3 years for Level 1 and 2) certification requirements for all practice levels.

Additional FAQs can be found on the DoD website.

For more updates and changes tied to the regulation, stay tuned for more insights from Trustwave experts and be sure to read about these five important items you need to prepare for.


Sharon Payne is the director of Partner Channel Development at Trustwave specializing in compliance with the CMMC.