CMMC 2.0 Basics: The 101 of Getting Compliant 

February 1, 2023

Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a collective standard and a new certification model intended to ensure that DoD contractors protect sensitive unclassified information.

In layman’s terms, the government is setting ground rules for the cybersecurity of the organizations it works with.

Why do companies need to take meeting CMMC guidelines seriously? To start, it’s government-mandated and it’s not going away. If anything, CMMC may apply to all non-DoD government contractors in the future. CMMC is not just a bunch of paperwork, such as policies and procedures; the purpose of meeting these standards is to make sure your organization’s security tools are actually working. Finally, CMMC is not something to ignore; it will affect your future in winning bids.

The Basics: 

The Department of Defense (DoD) released the CMMC framework to reduce the risk posed by cybercriminals. The framework is set to assess and improve the cybersecurity posture of an astounding 300,000 companies that contribute to DoD systems, networks, installations, capabilities and services.

It is also intended to increase the security of DoD’s supply chain by promoting compliance from all companies that are part of it.

Yet, a recent survey revealed that 87% of DoD contractors don’t meet the basic cybersecurity requirements.

According to the Department of Defense, the CMMC 2.0 program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for requiring protection of information that is flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

National Institute of Standards and Technology (NIST)

The CMMC framework provides a comprehensive mapping that connects specific controls and processes from various cybersecurity standards to three distinct maturity levels, ranging from basic cyber hygiene (Level 1) to advanced (Level 3).

Some examples of these controls are:

  • Do you limit access to authorized users only?
  • Do you perform Security Awareness Training for all your users?
  • Do you retain and monitor system logs?
  • Do you have and exercise an Incident Response plan?
  • Do you perform recurring Security Assessments?
  • Do you limit physical access and monitor the facilities?
  • And more…

Drafting policies and procedures, creating system documentation, and implementing technical solutions to close the gaps is a time-consuming and costly process. Cybersecurity consulting firms can help you understand exactly what to implement without going overboard and tailor the implementation to your requirements, needs, and budget.

All DoD contractors and subcontractors are required to achieve their applicable CMMC 2.0 level by the end of May, with CMMC guidelines and requirements appearing on DoD bids this July.

Find out how OnDefend can assist your company in meeting CMMC compliance. Get started today.
