The US Department of Defense (DoD) has experienced over 12,000 cyber incidents since 2015. To better safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the defense industrial base's (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. Despite the growing threat, studies show that defense contractors have yet to improve their cybersecurity posture.
CMMC was born out of DFARS requirements and the NIST 800-171 standard. DFARS requires DoD contractors to submit a cybersecurity compliance score based on that standard. Only 36% of respondents submitted SPRS scores, significantly lower than the 46% that submitted last year in the inaugural report. DFARS was signed into law in 2017 and is in over 1 million contracts today, yet adherence to its compliance requirements remains low and submitted compliance scores remain very low. As defined in DFARS 252.204-7019-7021, almost all 300,000+ DoD contractors must be CMMC certified by October 2025 to remain eligible for DoD contracts. The CMMC framework features three levels of cybersecurity maturity: organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1.
Bulletproof is a certified CMMC Practitioner Organization and has been at the forefront of helping organizations comply with stringent standards for many years. Bulletproof's solutions are purpose-built to help you achieve CMMC certification. Beyond CMMC, we support multiple industries' compliance requirements via Consulting, Audits, and Managed Services, including CMMC, HIPAA, NIST, ISO, MARS-E and others.
In 2020 the DoD released the Cybersecurity Maturity Model Certification (CMMC). Its intent is to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The CMMC framework consists of 3 levels, each with specific controls and objectives. Level 3, the most advanced level, will only be a requirement for several hundred contractors. Level 2, however, will impact tens of thousands of contractors. Level 2 is focused on organizations interacting with Controlled Unclassified Information (CUI). These organizations will have to prove that they have met the security controls and the hundreds of cybersecurity assessment objectives that make up the requirement. Most DoD contractors will need to pass a third-party assessment (audit) validating Level 2 compliance; the result is reported to the DoD and is required for DoD contract eligibility.
This effort is defined in DFARS 252.204-7019-7021, and its requirements will impact 300,000+ DoD contractors. Almost all DoD contractors that have or handle CUI must become CMMC Level 2 certified. Unlike DFARS, which requires a self-assessment score submitted annually, CMMC does not offer the option to self-certify at Level 2 or 3. Level 2 requires a passing score attested by a C3PAO (a certified third-party assessor organization). Level 3 requires a passing score attested by DIBCAC every 3 years. While Level 1 only requires a self-assessment, the DoD is conducting spot checks and issuing significant fines for fraud if a self-assessment proves to be false.
Failure to meet any CMMC qualification puts the contractor at risk of significant fines tied to false claims, and ultimately eliminates the business from receiving POs and contract awards and from overall eligibility to work with the DoD.
The DoD established CMMC to secure the DIB's cybersecurity infrastructure. CMMC is based on the National Institute of Standards and Technology (NIST) SP 800-171 standard and consists of a set of security controls. Level 2 has 110 controls organized into 14 control families.
CMMC applies to all DoD contracting entities, both prime contractors and subcontractors. Contractors that will bid on future DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to comply with the standards of either CMMC Level 1 or Level 2.
CMMC Level 2 security control requirements are organized using 14 control families from NIST 800-171. The 14 control families can be found below.
Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environment Protection (PE), Personnel Security (PS), Risk Assessment (RA), Systems and Communication Protection (SC), Systems and Information Integrity (SI)
As mentioned previously, CMMC is defined in DFARS 252.204-7019-7021 and will require that all DoD contractors that handle CUI become CMMC Level 2 compliant; most (96%) must pass a third-party assessment (audit).
CMMC is based on the NIST 800-171 rev 2.0 standard, soon to be rev 3.0. Within the Level 2 CMMC framework there are 14 control families, which consist of 110 specific controls and 320 assessment objectives. All objectives within a control must be met to comply with that control's requirement.
In general, the contractor must meet these controls and must Document, Perform, and Manage the practices within them. Required documentation includes procedures and control documents, POA&Ms, and a System Security Plan (SSP).
Bulletproof's Mission is Helping You Achieve the Ideal Business Outcome
When preparing for a Level 2 Cybersecurity Maturity Model Certification (CMMC) assessment, defense contractors may find themselves wanting to delay the pain and, in some cases, ignore the inevitable. Faced with 320 assessment objectives spread across 110 controls and 14 control families, achieving certification can feel overwhelmingly complex, if not unattainable.
Bulletproof's innovative services and solutions take the pain away. Our experts and world-class methodologies guide DoD contractors through a seamless, phased implementation of CMMC quickly and confidently.
Our portfolio of solutions is purpose-built for SMB DoD contractors. To help you build your compliance program, we offer CMMC and Cyber consulting services as well as Managed Services to protect your infrastructure and to support your journey to meeting and maintaining CMMC compliance standards.
Technology is inextricable from the way modern organizations operate - which spells both challenges and opportunities in such a highly regulated industry.
We work with top organizations in the United States and across the world. We leverage our extensive industry experience and IT know-how to help organizations reduce risk and improve their processes, systems, and business infrastructure.