Published: February 22, 2023

Who Needs CMMC Certification?

By Annie

Learn which types of companies need CMMC 2.0 certification

The Department of Defense’s (DoD) latest verification approach is the Cybersecurity Maturity Model Certification (CMMC). This is the Department’s earliest attempt to establish detailed cybersecurity requirements for contractors.

The CMMC’s ultimate purpose is to deploy an acceptable degree of cybersecurity across the Defense Industrial Base’s (DIB) supply chain. The DIB supply chain includes over 300,000 businesses, all of which are required by the CMMC to safeguard Controlled Unclassified Information (CUI).

The US Department of Defense (DoD) regards information security as a fundamental requirement for the Defense Industrial Base (DIB) supply chain. CMMC accreditation improves the DIB’s security and resilience. Organizations that meet the stringent CMMC criteria will help to strengthen national security.

This article will teach you about Cybersecurity Maturity Model Certification CMMC 2.0, who needs it, how to determine if your business needs certification, and more.

Who Needs CMMC Certification?

CMMC certification is required for organizations with Department of Defense contracts who handle Controlled Unclassified Information (CUI). This comprises both prime contractors and subcontractors of any size.

This general rule has one exception. Companies that only manufacture Commercial-Off-The-Shelf (COTS) items are exempt from CMMC.

According to Federal Acquisition Regulation (FAR) 2.101,

“Commercially available off-the-shelf (COTS) item — (1) Means any item of supply (including construction material) that is: A commercial item (as defined in paragraph (1) of the definition in this section), sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. Commercially off-the-shelf items do not include bulk cargo, as defined in 46 USC 40102(4), such as agricultural products and petroleum products”.

However, the CMMC framework is based on the type of information your company processes, so there are different requirements (and compliance burdens) for each of its three levels:

Level 1: Foundational

DoD contractors and subcontractors that manage Federal Contract Information (FCI) must be CMMC Level 1 certified to reflect basic cyber hygiene within their organizations. FCI is data that is not intended for public circulation. The designation is usually included in document markings or mentioned in the contract. FCI does not include the accounting and transaction data required for invoicing and collecting payments.

According to the DoD, around 140,000 of the estimated 220,000 businesses in the DIB will fall into this first group and will just require self-assessments.

Level 2: Advanced

The DoD contractor must get at least CMMC Level 2 accreditation if the task entails sharing and processing CUI data. This level requires compliance with all 110 cybersecurity practices from Levels 1 and 2.

CUI is FCI with additional instructions for certain safeguarding or handling constraints. As a result, CUI should be expressly identified and described in the DoD contract.

The DoD anticipates that approximately 80,000 DIB contractors will require a third-party assessment to achieve Level 2 compliance for the CMMC 2.0 program, which is more than double the number of companies previously estimated.

Level 3: Expert

Companies administering CUI for high-priority DoD programs are subject to CMMC 2.0 Level 3 and will require assessment from the government and C3PAOs. It should be noted that the CMMC establishes Level 3 standards, but the evaluation guide has yet to be released.

This level is similar to CMMC 1.0 level 5. While the Department of Defense is still determining the particular security criteria for CMMC 2.0 level 3, it is assumed that these standards will be based on the 110 controls in NIST SP 800-171, as well as a subset of NIST SP 800-172 controls.

Preparing for CMMC Certification

While defense contractors are already obliged to do a NIST 800-171 Basic Assessment, certification is the next step. It takes time and effort to become CMMC certified, but here’s a quick guide to help DoD contractors and subcontractors attain CMMC certification for their businesses.

To take a deeper dive on the CMMC 2.0 certification process, download our free resource here.

Identify your CMMC Maturity Level

The CMMC-level criteria differ depending on the criticality of the data being handled. Therefore, the first step toward CMMC certification is determining the type of information your firm processes and the level of CMMC certification required.

Scope your FCI & CUI

It is unnecessary to certify every aspect of your company, and aligning your entire organization with NIST SP 800-171 may be prohibitively expensive and technically infeasible. In addition, the DoD only considers the components of your organization that influence FCI & CUI to be “in-scope” for formal certification. As a result, it is prudent to monitor the flow of FCI and CUI.

Conduct a self-assessment

Your business can only collect data, establish compliance, and prepare for certification through self-assessments. If you’ve completed a NIST 800-171 Basic Assessment, you’ve already performed a gap analysis. You should keep refining and using this technique to identify gaps and prioritize correction.

One of the requirements planned for CMMC 2.0 is already being executed through other rules. Currently, per DFARS Case 2019-D041, all DoD suppliers must submit their NIST 800-171 assessment scores through the Supplier Performance Risk System (SPRS). 

Create a System Security Plan (SSP)

After you’ve scoped your company, begun aligning with the needed security standards, and begun gathering evidence, you must arrange everything in an SSP. The SSP is a collection of papers that give a picture of your environment and how security policies were applied. It should be a live, breathing document that evolves as your security posture improves.

Get Certified

If you’ve gotten this far, you’ve already done the most challenging work. The last activity is certification. To get CMMC Level 2 certification, you’ll need to cooperate with a CMMC-AB Marketplace Third Party Assessment Organization (C3PAO), or CMMC accreditation body.

To get CMMC Level 3 accreditation, you’ll need to go through a government-led assessment.

Need Help With CMMC 2.0 Certification? TalPoint Can Help!

CMMC compliance may become a competitive advantage in the future. According to Stacy Bostjanick, director of the CMMC policy:

“Some things that we’re looking at are the potential of if a company can show that their networks are secure, then they could garner a higher profit margin. Another area that we’re looking at is increasing the use of evaluation criteria for contracts where it doesn’t have to be a CMMC certification, but we will assess people’s network security as part of a source selection evaluation, so it would still be a factor in garnering award prior to CMMC becoming effective through rule making.”

To take advantage of these benefits, it is essential to ensure a smooth transition to the requirements of CMMC 2.0. Therefore, many companies use outside experts to help them prepare for and complete their CMMC assessment, and TalPoint is here to assist you.

TalPoint has CMMC experts that can support you with every stage of the CMMC preparation process, from planning through execution.

How Can TalPoint Help Me Prepare for CMMC Certification?

Here are examples of CMMC compliance tasks that might be assigned to a TalPoint subject-matter expert.

Conduct a Gap Analysis: A gap analysis is critical for analyzing an existing cybersecurity program and identifying holes that must be corrected for your firm to be audit-ready. An Expert can help your company write a Plan of Action and Milestones (POAM) for your compliance with Level 1 CMMC.

Acquire and implement cybersecurity controls: if there is a shortfall, experts may assist businesses in implementing the regulations required to improve security and assure compliance.

Create content: the information you produce will be required evidence for a CMMC assessment. An expert can help you create and implement policies, procedures, and reports.

Handle the audit project: They can manage the entire certification process, including the current DFARS Interim Rule for NIST 800-171 assessment scores through the Supplier Performance Risk System (SPRS). This process can be a cumbersome task without the required know-how, and an expert can help you significantly reduce the time spent on it.

Conduct vendor evaluations: vendor management is an integral part of any CMMC compliance program. If a corporation does not already perform this, it may be beneficial to outsource the work to a professional.

Conduct an “External Self-Assessment”: Internal self-assessments are crucial to level 1 CMMC compliance. A compliance expert working as a consultant ensures your business has completed all the elements of the CMMC framework.

This can assist level 2 organizations in preparing their controls and paperwork for the C3PAO assessor, assuring a successful certification procedure.

If you’re ready to get the ideal cybersecurity expert to meet CMMC 2.0 and beyond, let’s chat.

Our large and diverse network of experts is here to help...

Charles M.


Charles is a 14-year cyber security expert. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he's well-versed in tool deployment and administration.

Ellen K.

GRC Expert

Ellen brings a decade of GRC expertise to the TalPoint community. She's knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She's available for needs assessments, gap assessments, internal audits, and, for certain frameworks, running independent third-party audits.

Zachary C.

Founder and CRO

Zachary brings a 20+ year career in risk management to the TalPoint community. He's worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk and a common-sense approach to risk management.