Government Contractors: CMMC Requirements & Assessments
CMMC is being written into Department of Defense (DOD) contracts under a phased rollout. Without the CMMC status a solicitation requires, you can't be awarded that contract. Here's what you need to know about CMMC levels, how assessments work, and where penetration testing actually fits.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is DOD's compliance framework for contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on their own systems. It does not cover classified information; that is governed separately (the NISPOM and the contract's DD Form 254).
Key facts:
- CMMC 1.0 was released by DOD in January 2020; the simplified CMMC 2.0 (three levels instead of five) was announced in November 2021, and the program rule (32 CFR Part 170) took effect December 16, 2024
- No required CMMC status recorded in SPRS (DOD's Supplier Performance Risk System) = no award on contracts that carry the clause
- Phased in by solicitation over about three years under the DFARS acquisition rule; it applies to new solicitations and awards as the phase-in progresses, not to every contract at once
- The required level is set per contract by the information involved: FCI only means Level 1; CUI means Level 2, or Level 3 for a small set of high-priority programs
CMMC Levels and Requirements
CMMC 2.0 has 3 levels. Your required level depends on the information you handle and is written into each solicitation:
Level 1: Foundational (FCI; FAR 52.204-21 basic safeguarding)
Requirement: Annual self-assessment and annual affirmation by a senior official, both recorded in SPRS. No third-party assessment.
What it means: You assess the systems that handle FCI against the 15 Level 1 practices (the basic safeguarding requirements of FAR 52.204-21, a subset of NIST SP 800-171) and attest that all 15 are met. No POA&M is permitted at Level 1: every practice must be fully implemented.
Who needs it: Contracts that involve FCI but no CUI
Cost: Low (self-assessment only)
Penetration Testing: Not required. A light external test of the FCI systems is still a cheap way to confirm the practices actually work.
Level 2: Advanced (NIST SP 800-171 Rev 2)
Requirement: For most CUI contracts, a certification assessment by a C3PAO (CMMC Third-Party Assessment Organization, accredited by the Cyber AB) every 3 years, plus an annual affirmation. A subset of contracts allow a Level 2 self-assessment on the same 3-year cycle.
What it means: You implement all 110 requirements of NIST SP 800-171 Rev 2, organized into 14 domains, document them in a System Security Plan (SSP), and track open items in a Plan of Action and Milestones (POA&M). Certified assessors from the C3PAO verify each requirement using the examine, interview and test methods of NIST SP 800-171A.
Who needs it: Any contractor or subcontractor that stores, processes or transmits CUI. Most new CUI contracts will require Level 2.
Cost: Estimated $15,000-$50,000 for the certification assessment, depending on assessment scope and organization size
Penetration Testing: Not required by NIST SP 800-171, and C3PAO assessors do not perform one. What is required is periodic vulnerability scanning (3.11.2) and periodic assessment of your own controls (3.12.1); a penetration test report is strong evidence for both.
Level 3: Expert (NIST SP 800-171 plus selected NIST SP 800-172 requirements)
Requirement: A final Level 2 certification first, then a government-led assessment by DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years, plus an annual affirmation.
What it means: On top of the 110 Level 2 requirements you implement 24 requirements selected from NIST SP 800-172, aimed at advanced persistent threats: threat-informed risk assessment, enhanced monitoring, and organization-run penetration testing among them.
Who needs it: A small set of programs handling CUI that DOD considers high priority. Level 3 is still an unclassified regime; classified work is governed by separate rules.
Cost: Estimated $30,000-$100,000+ per assessment cycle in preparation and evidence work; DIBCAC, not a C3PAO, performs the assessment
Penetration Testing: Required. CA.L3-3.12.1e obliges the organization to conduct penetration testing at an organization-defined frequency, using automated scanning tools plus ad hoc tests by subject-matter experts; DIBCAC examines the results.
CMMC Domains and Control Categories
CMMC Level 2 organizes the 110 NIST SP 800-171 requirements into 14 domains (Level 1 draws its 15 practices from a subset of them):
1. Access Control (AC)
Who can access what, and when
- Account provisioning and de-provisioning
- Least privilege and separation of duties
- Remote access, wireless and mobile device control
- Control of CUI flow between systems and to external connections
2. Awareness and Training (AT)
Security awareness for all users, role-based training for privileged users, insider-threat awareness
3. Audit and Accountability (AU)
Logging and review
- Creating and retaining audit logs that tie actions to individual users
- Alerting on audit logging failures
- Reviewing and correlating logs
- Protecting logs from unauthorized access and modification
4. Configuration Management (CM)
Inventory and hardening
- Hardware and software baselines and inventory
- Change control
- Least functionality (disable unneeded ports, protocols, services and software)
- Application allow/deny listing
5. Identification and Authentication (IA)
Verifying who and what is connecting
- Unique identification of users, processes and devices
- Multi-factor authentication
- Password quality, replay-resistant authentication, disabling inactive identifiers
6. Incident Response (IR)
Detecting, handling and reporting incidents
- Preparation, detection, analysis, containment, recovery and user response
- Tracking and reporting incidents (DFARS 252.204-7012 separately requires reporting cyber incidents to DOD within 72 hours)
- Testing the incident response capability
7. Maintenance (MA)
Controlling system maintenance, maintenance tools, media used for maintenance, and remote maintenance sessions
8. Media Protection (MP)
Protecting CUI on media
- Marking, access and transport controls for media
- Removable media control
- Sanitization and disposal
- Protecting CUI in backups
9. Personnel Security (PS)
Screening personnel before CUI access; protecting CUI during terminations and transfers
10. Physical Protection (PE)
Limiting physical access, escorting visitors, keeping physical access logs, controlling physical access devices
11. Risk Assessment (RA)
Periodic risk assessment and vulnerability scanning, with remediation according to risk
12. Security Assessment (CA)
- System Security Plan (SSP) and POA&M
- Periodic assessment of the controls
- Ongoing monitoring of control effectiveness
13. System and Communications Protection (SC)
- Boundary protection and network segmentation
- Encryption of CUI in transit and at rest using FIPS-validated cryptography
- Separation of user and management functionality
14. System and Information Integrity (SI)
- Flaw remediation (patch management)
- Malware protection
- Monitoring systems and communications for attacks and indicators
- Acting on security alerts and advisories
CMMC Assessment Process
The assessment process differs by level:
Level 1: Self-Assessment (No C3PAO Required)
Timeline: Days to a few weeks once the FCI systems are identified
- You identify the systems that store, process or transmit FCI (the assessment scope)
- You assess each of the 15 practices as MET or NOT MET using the CMMC Level 1 assessment guide; all 15 must be MET
- You record the result in SPRS and a senior official affirms continuing compliance; both are repeated annually
- No third-party validation
Limitation: Level 1 covers only FCI. The moment a contract involves CUI, Level 2 applies, so treat Level 1 as a starting point rather than a destination.
Level 2: C3PAO Certification Assessment (3-Year Cycle)
Timeline: The assessment itself usually runs one to a few weeks. Getting ready for it is what takes time: a couple of months for a mature shop, a year or more for one starting from scratch.
Phase 1: Preparation
- Define the assessment scope: which systems and people handle CUI, which systems protect them, and what is out of scope
- Gap analysis against the 110 Level 2 requirements; write or update the SSP and the POA&M
- Implement missing controls, with a consultant or Registered Practitioner Organization (RPO) if needed
- Select and contract a C3PAO. Note the conflict-of-interest rule: the C3PAO that assesses you may not also have consulted on your implementation.
Phase 2: Assessment
- The C3PAO's certified assessors review the SSP and evidence, interview staff, and test controls, on-site, remotely, or a mix
- "Test" here is the NIST SP 800-171A assessment method: exercising a control to see it work, such as attempting a network logon without MFA. It is not a penetration test.
- Each of the 110 requirements is rated MET, NOT MET, or Not Applicable
Phase 3: Results and Remediation
- Every NOT MET requirement reduces your score from 110 by its point value (1, 3 or 5) under the DOD Assessment Methodology
- Score of 88 or higher, with only 1-point items outstanding (plus SC.L2-3.13.11 FIPS cryptography at 3 points if partially implemented) and none of the five 1-point requirements that can never be deferred, earns Conditional Level 2 status; you then have 180 days to close the POA&M and have the closure verified
- All 110 MET earns Final Level 2 certification, valid 3 years with an annual affirmation
- Below the threshold, or any non-deferrable requirement NOT MET, means no certification: fix and reassess
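The scoring arithmetic and the conditional-status rules above are mechanical enough to encode. The following is an added example (not code from the page or from Sheepdog Cyber Defense) that computes the score from a list of NOT MET requirements and decides whether a conditional certification is possible. The point values shown are a constructed subset for the requirements listed; the full table of 110 values must be taken from the DOD Assessment Methodology.

```python
"""CMMC Level 2 score and conditional-status check (added example).

Score = 110 minus the point value (1, 3 or 5) of every NOT MET requirement.
Conditional Level 2 status (32 CFR 170.21) requires score >= 88 and that
every NOT MET item be a 1-point requirement, except SC.L2-3.13.11, which may
be deferred at 3 points if partially implemented. Five 1-point requirements
can never be deferred. POINT_VALUE below is a constructed subset; fill it
from the published DoD Assessment Methodology for the other requirements.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88  # 80 % of 110

# 1-point requirements that must be MET even for a conditional certification.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}

# Constructed subset of point values (assumption: verify against the methodology).
POINT_VALUE = {
    "AC.L2-3.1.1": 5,    # limit system access to authorized users
    "AC.L2-3.1.20": 1,   # control connections to external systems
    "AU.L2-3.3.1": 5,    # create and retain audit logs
    "IA.L2-3.5.3": 5,    # multifactor authentication
    "MP.L2-3.8.9": 1,    # protect CUI in backups
    "RA.L2-3.11.2": 5,   # vulnerability scanning
    "SC.L2-3.13.11": 5,  # FIPS-validated cryptography
}
# Requirements that score 3 instead of 5 when implemented for part of the scope.
PARTIAL_VALUE = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}


@dataclass
class NotMet:
    req_id: str
    partial: bool = False  # implemented for some, but not all, in-scope systems


def points_for(item: NotMet) -> int:
    """Point deduction for one NOT MET requirement."""
    if item.partial and item.req_id in PARTIAL_VALUE:
        return PARTIAL_VALUE[item.req_id]
    return POINT_VALUE[item.req_id]


def score(not_met: List[NotMet]) -> int:
    """DoD Assessment Methodology score: 110 minus all deductions."""
    return MAX_SCORE - sum(points_for(i) for i in not_met)


def level2_status(not_met: List[NotMet]) -> Tuple[str, List[str]]:
    """Return ('Final' | 'Conditional' | 'Not certified', reasons)."""
    if not not_met:
        return "Final", []
    reasons = []
    total = score(not_met)
    if total < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {total} is below {MIN_CONDITIONAL_SCORE}")
    for item in not_met:
        pts = points_for(item)
        if item.req_id in NEVER_ON_POAM:
            reasons.append(f"{item.req_id} must be MET; it can never be deferred")
        elif item.req_id == "SC.L2-3.13.11":
            if pts > 3:
                reasons.append(f"{item.req_id} may only be deferred at partial credit (3 points), not {pts}")
        elif pts > 1:
            reasons.append(f"{item.req_id} is worth {pts} points; only 1-point items may go on a POA&M")
    return ("Conditional" if not reasons else "Not certified"), reasons


if __name__ == "__main__":
    findings = [NotMet("MP.L2-3.8.9"), NotMet("SC.L2-3.13.11", partial=True)]
    print(score(findings), level2_status(findings))
```

Run it with your own list of NOT MET requirement IDs; the reasons list tells you exactly which items block a conditional certification and therefore must be fixed before the assessor returns, as opposed to items that can ride on the POA&M for 180 days.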
Level 3: DIBCAC Assessment (3-Year Cycle)
Requires a final (not conditional) Level 2 certification first. DIBCAC then assesses the 24 NIST SP 800-172 requirements every 3 years, with an annual affirmation in between. Penetration testing is something you conduct and show evidence of (CA.L3-3.12.1e), not something the assessors do to you.
Penetration Testing in CMMC Assessments
There is a persistent misconception that CMMC assessors penetration-test you. They don't. Here is what "testing" means at each level:
Level 2 Testing
Assessor testing is control verification, not adversarial testing:
- Scope: the assessment scope defined in your SSP (CUI assets, the assets that protect them, and the boundary around them)
- Methods: NIST SP 800-171A examine, interview and test; the test method means exercising a control and observing the result, for example confirming that a network logon without a second factor is refused
- What is required of you: periodic vulnerability scanning (RA.L2-3.11.2) with remediation (3.11.3), and periodic assessment of your own controls (CA.L2-3.12.1); a penetration test report is accepted evidence for both
- Time: the assessment typically takes one to a few weeks depending on scope
Level 3 Testing
Penetration testing becomes an explicit requirement, performed by you or a tester you engage:
- Scope: the Level 3 environment, at a frequency you define in policy; internal and external testing of the systems handling high-priority CUI is the sensible minimum
- Methods: CA.L3-3.12.1e calls for automated scanning tools plus ad hoc tests by subject-matter experts, i.e. manual exploitation of what the scanners surface
- Depth: comparable to a commercial penetration test; DIBCAC examines the methodology, findings and remediation
- Time: typically 1-2 weeks for the test itself, repeated at the frequency your policy sets
Common CMMC Gaps and How to Address Them
Multi-Factor Authentication (MFA)
Requirement (IA.L2-3.5.3): MFA for local and network access to privileged accounts, and for network access to non-privileged accounts. In practice that means every network logon to an in-scope system, not just admins and VPN users.
Common gap: MFA only on the VPN or only for admins; cloud email left at password-only; shared accounts excluded
Fix: Enforce MFA at the identity provider for every interactive logon to in-scope systems, including RDP, VPN, email and admin consoles. Prefer phishing-resistant methods (FIDO2 hardware keys or platform authenticators) for privileged accounts.
Patch Management
Requirement (SI.L2-3.14.1): Identify, report and correct system flaws in a timely manner; "timely" is defined by your own documented policy
Common gap: Ad-hoc patching, no process documentation, no record of when a flaw was first known
Fix: Write the policy down and follow it: maintain the system inventory, subscribe to vendor and CISA advisories, test patches, and deploy on a schedule tied to severity (for example 30/60/90 days for high/medium/low; a common choice, not a CMMC number). Anything that will miss its date goes on the POA&M with a milestone.
System Monitoring and Logging
Requirement (AU.L2-3.3.1 through 3.3.9): Create and retain audit logs sufficient to reconstruct security-relevant events and tie them to individual users, alert on logging failures, review and correlate logs, and protect them from tampering
Common gap: Limited logging, no centralized log management, logs never reviewed, logs not retained
Fix: Forward logs from every in-scope system to a central, access-controlled store (a SIEM or equivalent), monitor for security events, alert on collection failures, and set a retention period in policy. NIST SP 800-171 does not dictate a retention length; one year is a common choice, and DFARS 252.204-7012 separately requires preserving images and logs of affected systems for at least 90 days after a cyber incident report.
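Collecting logs satisfies 3.3.1; the assessor's follow-up question is whether anyone would notice something in them (3.3.5, correlation). The following is an added example, not code from the page or from Sheepdog Cyber Defense, of the kind of correlation a SIEM rule or a scheduled script should implement: a burst of failed logons from one source followed by a success from the same source. The log lines are constructed in sshd/syslog format, and the format, threshold and window are assumptions.

```python
"""Brute-force / credential-stuffing detection over auth logs (added example).

Sliding-window correlation keyed on source address. Sample lines are
constructed in sshd/syslog format; the format, the 5-failure threshold and
the 300-second window are assumptions of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one attacker source (203.0.113.7) brute-forcing
# "admin", one legitimate user (198.51.100.4) mistyping once, one cron line
# that the parser must ignore.
SAMPLE_LOG = """\
Mar 10 09:11:58 vpn01 sshd[1190]: Failed password for jdoe from 198.51.100.4 port 50122 ssh2
Mar 10 09:12:01 vpn01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Mar 10 09:12:03 vpn01 sshd[1202]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Mar 10 09:12:04 vpn01 sshd[1203]: Failed password for invalid user root from 203.0.113.7 port 51014 ssh2
Mar 10 09:12:06 vpn01 cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:12:09 vpn01 sshd[1204]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Mar 10 09:12:11 vpn01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Mar 10 09:12:14 vpn01 sshd[1206]: Failed password for admin from 203.0.113.7 port 51017 ssh2
Mar 10 09:12:20 vpn01 sshd[1207]: Accepted password for jdoe from 198.51.100.4 port 50130 ssh2
Mar 10 09:12:45 vpn01 sshd[1215]: Accepted password for admin from 203.0.113.7 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2025):
    """Return (timestamp, host, result, user, src), or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; collapse the double space before a
    # single-digit day before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
    return ts, m["host"], m["result"], m["user"], m["src"]


def detect(log_text, threshold=5, window_seconds=300):
    """Emit 'bruteforce' when failures from one source reach `threshold`
    within `window_seconds`, and 'bruteforce_success' when a successful
    logon follows such a burst from the same source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()                 # sources already flagged for their burst
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, result, user, src = parsed
        window = failures[src]
        # Drop failures that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src, "host": host,
                               "failures": len(window), "at": ts.isoformat()})
        elif len(window) >= threshold:
            alerts.append({"type": "bruteforce_success", "src": src, "host": host,
                           "user": user, "failures": len(window), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The legitimate user's single failure never reaches the threshold and produces nothing; the attacker's sixth failure followed by an "Accepted" from the same address produces the alert that matters. Keying on source rather than username is deliberate: a spray across many usernames from one address is caught, while one user who mistypes from several locations is not.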
Encryption
Requirement: Encrypt CUI in transit (SC.L2-3.13.8) and at rest (SC.L2-3.13.16), and wherever cryptography protects the confidentiality of CUI, use FIPS-validated cryptography (SC.L2-3.13.11)
Common gap: CUI on unencrypted laptops, file shares or email; cryptography from libraries or devices that hold no FIPS 140 validation; TLS endpoints still accepting 1.0 and 1.1
Fix: Inventory every system that stores or moves CUI. Require TLS 1.2 or later with the cryptographic module running in FIPS-approved mode, full-disk or database encryption at rest, and record the FIPS 140 certificate number of each module in the SSP. Key length (AES-256 versus AES-128) matters far less to an assessor than whether the module is validated.
Access Control
Requirement (AC.L2-3.1.1, 3.1.2, 3.1.5 and IA.L2-3.5.1, 3.5.6): Limit access to authorized users and to the transactions they need, apply least privilege, identify every user uniquely, and disable identifiers after a defined period of inactivity
Common gap: Users with standing admin rights, shared accounts, dormant accounts, no regular access reviews
Fix: Remove standing admin rights, replace shared accounts with named ones (or a vault that checks out individual sessions), disable accounts inactive beyond the period your policy sets, and run documented access reviews at least quarterly.
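The MFA and access-control gaps above are both caught by the same quarterly access review, so here is one added example (not code from the page or from Sheepdog Cyber Defense) that runs those checks over an account inventory. The inventory format, the 90-day inactivity period, the "justification" field and the special handling of service accounts are assumptions of this example, not CMMC requirements.

```python
"""Access-review checks against a constructed account inventory (added example).

Checks encoded:
  IA.L2-3.5.3  MFA for privileged access and for all network access
  IA.L2-3.5.1  unique identification (no shared accounts)
  IA.L2-3.5.6  disable identifiers after a defined period of inactivity
  AC.L2-3.1.5  least privilege (privileged rights need a documented reason)
The inventory layout, the 90-day period and the justification field are
assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    username: str
    owner: Optional[str]            # None = nobody individually accountable (shared)
    privileged: bool
    mfa_enforced: bool
    network_access: bool            # can log on over the network (VPN, RDP, SSH, SaaS)
    last_logon: Optional[date]      # None = never used
    justification: str = ""         # why this account holds privileged rights
    service_account: bool = False   # non-interactive; MFA is handled differently


@dataclass
class Finding:
    username: str
    requirement: str
    detail: str


# Constructed inventory export.
INVENTORY = [
    Account("alice", "alice", True, True, True, date(2025, 3, 9), "domain admin, ticket IAM-41"),
    Account("bob", "bob", False, False, True, date(2025, 3, 8)),
    Account("shared-helpdesk", None, True, False, True, date(2025, 3, 9)),
    Account("carol", "carol", False, True, True, date(2024, 10, 1)),
    Account("dave", "dave", True, True, True, date(2025, 3, 1)),
    Account("svc-backup", "it-ops", True, False, True, date(2025, 3, 9),
            "backup agent", service_account=True),
]


def review(accounts: List[Account], today: date, inactivity_days: int = 90) -> List[Finding]:
    """Return one Finding per violated check, in inventory order."""
    findings = []
    for a in accounts:
        if a.owner is None:
            findings.append(Finding(a.username, "IA.L2-3.5.1",
                                    "shared account with no individual owner"))
        # MFA: privileged accounts always; non-privileged whenever they log on
        # over the network. Service accounts are excluded here and should be
        # covered by key- or certificate-based authentication instead.
        if a.privileged and not a.mfa_enforced and not a.service_account:
            findings.append(Finding(a.username, "IA.L2-3.5.3",
                                    "privileged account without MFA"))
        elif a.network_access and not a.mfa_enforced and not a.service_account:
            findings.append(Finding(a.username, "IA.L2-3.5.3",
                                    "network access without MFA (non-privileged accounts are in scope too)"))
        if a.last_logon is None or (today - a.last_logon).days > inactivity_days:
            findings.append(Finding(a.username, "IA.L2-3.5.6",
                                    f"inactive for more than {inactivity_days} days; disable"))
        if a.privileged and not a.justification:
            findings.append(Finding(a.username, "AC.L2-3.1.5",
                                    "privileged rights with no documented justification"))
    return findings


if __name__ == "__main__":
    for f in review(INVENTORY, date(2025, 3, 10)):
        print(f"{f.username:16} {f.requirement:13} {f.detail}")
```

Feed it an export from your directory and keep the output with the date and reviewer's name: the list of findings and what was done about them is the evidence an assessor asks for when verifying that access reviews actually happen.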
Incident Response
Requirement (IR.L2-3.6.1 to 3.6.3): An operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response; incident tracking and reporting; and testing of the capability. DFARS 252.204-7012 additionally requires reporting cyber incidents affecting CUI to DOD within 72 hours of discovery.
Common gap: No written incident response plan, no designated team, nobody who knows the 72-hour reporting obligation
Fix: Write the plan, name the team, build in the DOD reporting step and evidence preservation, and test it with at least an annual tabletop exercise; keep the exercise records as assessment evidence.
Vulnerability Management
Requirement (RA.L2-3.11.2, 3.11.3): Scan systems and applications for vulnerabilities periodically and whenever new vulnerabilities affecting them are identified, and remediate according to risk
Common gap: Infrequent or unauthenticated scanning, no tracking from first detection to closure, no remediation timeline
Fix: Authenticated scanning on a fixed cadence (monthly is common; quarterly is a floor) plus rescans after major advisories, with each finding tracked from first detection to a documented remediation date by severity.
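The patch-management and vulnerability-management gaps above come down to the same bookkeeping: when was a flaw first detected, what is its deadline, and is it late. The following added example (not code from the page or from Sheepdog Cyber Defense) merges rows from successive scan exports into one record per host and finding and lists what is past its deadline. The subtle part it handles is that the clock starts at first detection, not at the latest scan. The export layout, the finding IDs, the 30/60/90-day table and the severities are constructed assumptions, not CMMC numbers.

```python
"""Remediation-deadline tracking across vulnerability scans (added example).

Supports SI.L2-3.14.1 (correct flaws in a timely manner) and RA.L2-3.11.2/3
(scan and remediate). Rows for the same host+finding across scans are merged
keeping the earliest detection date and the status from the latest scan.
Export layout, finding IDs, SLA table and severities are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Organization-defined remediation windows by severity (assumption).
SLA_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}

# Constructed export of two scans. EXAMPLE-0001 on fs01 appears in both; a
# naive report built from the February scan alone would not show it as late.
SCAN_EXPORT = """\
scan_date,host,finding,severity,status
2025-01-15,fs01,EXAMPLE-0001,high,open
2025-01-15,web01,EXAMPLE-0002,medium,open
2025-01-15,web01,EXAMPLE-0003,low,open
2025-02-20,fs01,EXAMPLE-0001,high,open
2025-02-20,web01,EXAMPLE-0002,medium,fixed
2025-02-20,web01,EXAMPLE-0003,low,open
2025-02-20,vpn01,EXAMPLE-0004,critical,open
"""


@dataclass
class Vuln:
    host: str
    finding: str
    severity: str
    first_seen: date
    last_status: str
    last_seen: date

    def deadline(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def days_overdue(self, today: date) -> int:
        return (today - self.deadline()).days


def merge_scans(csv_text: str) -> Dict[Tuple[str, str], Vuln]:
    """Collapse scan rows to one record per host+finding, keeping the earliest
    detection date and the status reported by the most recent scan."""
    merged: Dict[Tuple[str, str], Vuln] = {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["scan_date"])
    for r in rows:
        key = (r["host"], r["finding"])
        seen = date.fromisoformat(r["scan_date"])
        if key not in merged:
            merged[key] = Vuln(r["host"], r["finding"], r["severity"].lower(),
                               seen, r["status"], seen)
        else:
            v = merged[key]
            v.first_seen = min(v.first_seen, seen)
            if seen >= v.last_seen:
                v.last_seen, v.last_status = seen, r["status"]
    return merged


def overdue(csv_text: str, today: date) -> List[Tuple[str, str, str, int]]:
    """Open findings past their deadline as (host, finding, severity,
    days_overdue), most overdue first. Fixed findings are excluded."""
    out = []
    for v in merge_scans(csv_text).values():
        if v.last_status != "open":
            continue
        late = v.days_overdue(today)
        if late > 0:
            out.append((v.host, v.finding, v.severity, late))
    return sorted(out, key=lambda t: -t[3])


if __name__ == "__main__":
    for host, finding, severity, late in overdue(SCAN_EXPORT, date(2025, 3, 10)):
        print(f"{host:8} {finding:14} {severity:9} {late:3d} days overdue")
```

On 10 March the only late item is the high-severity finding on fs01, first seen 15 January with a 30-day window; its reappearance in the 20 February scan does not restart the clock. Anything this report lists is exactly what should already be on the POA&M with a milestone date.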
Cost of CMMC Compliance
CMMC has real costs. The figures below are rough estimates and vary with the size of the assessment scope:
Level 1
- Initial: $2,000-$10,000 (self-assessment preparation)
- Ongoing: Minimal (maintain controls internally)
Level 2
- Initial Implementation: $20,000-$100,000+ (tools, consulting, staff time to implement controls)
- Assessment: $15,000-$50,000 (C3PAO assessment cost)
- Every 3 years: Reassessment cost ($15,000-$50,000)
- Annual maintenance: $5,000-$20,000+ (tools, staff, monitoring)
Level 3
- Initial Implementation: $50,000-$250,000+ (NIST SP 800-172 controls, advanced monitoring and threat-hunting tooling, organization-run penetration testing)
- Assessment: $30,000-$100,000+ per DIBCAC assessment cycle (every 3 years), largely preparation and evidence work
- Annual maintenance: $20,000-$50,000+ (continuous monitoring, recurring penetration tests, advanced tools)
But: Without the required CMMC status, you can't be awarded contracts that carry the requirement. The cost of compliance is far less than the revenue lost to ineligibility.
Timeline for CMMC Compliance
DOD has slipped CMMC deadlines several times. Where things stand:
- December 2024: the CMMC program rule (32 CFR Part 170) took effect, defining the levels, scoping and assessment process
- 2025: the DFARS acquisition rule followed, and Phase 1 began: self-assessment requirements (Level 1 and Level 2 self-assessment) start appearing in new solicitations
- 2026 and beyond: Phase 2 adds Level 2 C3PAO certification requirements about a year after Phase 1, Level 3 a year after that, and by the end of the three-year phase-in CMMC is expected on essentially all applicable DOD contracts
If you handle CUI and don't hold a Level 2 certification, start now. The assessment is the short part; implementing 110 requirements and then getting onto a C3PAO's calendar is what takes months, and a solicitation will not wait for you.
Roadmap: How to Get CMMC Certified
Step 1: Assess Your Current State (Weeks 1-2)
First define the scope (which systems, people and locations store, process or transmit CUI), then conduct a gap analysis against CMMC Level 2 (Level 3 only if a program explicitly requires it):
- Which of the 110 practices do you already have in place?
- Which practices need to be implemented or improved?
- What tools and resources are needed?
Step 2: Develop Implementation Plan (Weeks 3-4)
Create a roadmap to close gaps:
- Prioritize critical controls (access control, encryption, monitoring)
- Identify quick wins (MFA, patch management process)
- Plan for longer implementations (system redesign, tool deployment)
Step 3: Implement Controls (Weeks 5-12+)
Execute your plan. Two to four months is realistic only if the gaps are few; organizations starting from scratch should plan on considerably longer.
Step 4: Select C3PAO and Schedule Assessment (Weeks 8-10)
Book early: C3PAO capacity is limited and lead times are long, so don't wait until implementation is 100% complete to get on the calendar. Remember that the C3PAO cannot advise you on closing your gaps (conflict-of-interest rules); use a consultant or Registered Practitioner Organization for that.
Step 5: Conduct C3PAO Assessment (Weeks 11-14)
The assessment typically takes one to a few weeks, plus reporting time.
Step 6: Remediate Findings (Weeks 15-16+)
Address any findings the assessor identifies. Only 1-point items (and FIPS cryptography at partial credit) can be deferred to a POA&M under a conditional certification, and they must be closed and verified within 180 days; anything else has to be fixed before certification.
Step 7: Receive Certification
Final Level 2 certification is valid for 3 years with an annual affirmation; Level 3 assessments by DIBCAC also run on a 3-year cycle with annual affirmation.
Working With External Penetration Testers
You don't need your C3PAO to prepare for CMMC, and it isn't permitted to help you prepare. Before the assessment, consider hiring an external penetration tester to validate your controls:
- Assessors verify that controls exist and operate; a penetration test shows whether they hold up against an attacker, which is a different question
- Find the gaps (password-only logons, unencrypted CUI paths, flat networks, unpatched edge devices) before the assessor does
- The report is direct evidence for vulnerability scanning (3.11.2) and periodic control assessment (3.12.1), and at Level 3 it is a requirement in its own right (3.12.1e)
- Cost-effective preparation compared with a failed or conditional assessment
External penetration testing is a smart investment before your CMMC assessment.
Start Your CMMC Compliance Journey
Sheepdog Cyber Defense helps government contractors prepare for CMMC with gap assessments, penetration testing, and remediation support.
Schedule Your CMMC Assessment