Navigating Department of Defense CMMC Compliance: A Guide For Subcontractors

The recent implementation of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program in late 2024 raises important questions about its applicability and the challenges it poses for smaller contractors within the defense industrial base (DIB) supply chain who may not yet be ready to comply. Aimed at protecting federal contract information (FCI) and controlled unclassified information (CUI) within the DoD contracting community, CMMC applies to both prime contractors and their suppliers and subcontractors that handle FCI and CUI, potentially creating a significant ripple effect.

As a critical component of national security, the DIB is particularly targeted and the subject of data breaches, ransomware, and other cyber threats. Ensuring business continuity for all DoD suppliers and service providers in the event of a cyber-attack is crucial. While CMMC requirements will come as no surprise to prime government contractors who have ostensibly already allocated resources to assure readiness, their subcontractors are likely less prepared. Many suppliers and subcontractors may not consider themselves DoD contractors and could be unaware of their upcoming compliance obligations. Education, resource allocation, and preparation are essential to ensure that all necessary members of the DIB have the robust security measures required to meet CMMC standards.

Let’s break down what this means for subcontractors.

CMMC applies to all contractors within the DIB that handle FCI or CUI, but applicability is nuanced.

CMMC aims to ensure organizations can protect sensitive government data crucial to the DoD’s work with contractors and subcontractors. Certification provides the DoD with greater confidence that organizations meet cybersecurity requirements for nonfederal systems handling federal contract information (FCI) and controlled unclassified information (CUI).

Primary DoD contractors must comply with CMMC if they handle CUI or FCI, but the extent of supply chain accountability varies by organization and by the information shared. CMMC Level 1 includes a basic set of controls designed to protect FCI. CMMC Levels 2 and 3 are much more demanding and are designed to protect CUI. CMMC Level 2 compliance follows the CUI: if taking possession of CUI is essential for all parties to complete their tasks under the contract, everyone must implement the CMMC requirements. However, if a subcontractor can complete their work without CUI, certification is unnecessary.

The CMMC program has three levels reflecting cybersecurity maturity. Level 1 covers basic requirements for protecting FCI, while Level 3 addresses the most advanced needs. The required certification level depends on the DoD-related information received. Subcontractors who handle CUI need at least Level 2 certification, but identifying CUI can be complex. It is likely that the prime contractor and the DoD will err on the side of caution and designate more items as CUI rather than fewer.

Subcontractors can determine their CMMC requirements by checking whether their clients and partners have DFARS 252.204-7012, 7019, 7020, or 7021 clauses in their DoD contracts, or whether proposals or agreements mention CMMC compliance. Historically, the DoD and prime contractors have included these clauses when CUI is shared. The DoD is also going to add specific contract clauses associated with CMMC in the future. For planning purposes, if these legacy clauses are present, it is likely that future contracts will carry CMMC clauses at Level 2 or higher.

All primary contractors must flow down these clauses in subcontracts involving CUI or covered defense information. These requirements then extend to each level handling CUI, potentially reaching multiple levels down the supply chain.

The final CMMC program rule took effect on December 16, 2024, allowing organizations to receive certification through certified third-party assessor organizations (C3PAOs). Currently, CMMC is not mandatory for all new DoD contracts, but this will change later this year when the second CMMC rule establishing the contractual clause is finalized.

For subcontractors looking to achieve certification, here are some steps to consider.

Examine the business case for CMMC.

Subcontractors should begin by evaluating the business rationale for obtaining certification. If a significant portion of their clientele is engaged in DoD-related work where handling CUI is required, certification is essential. Conversely, if DoD-related work constitutes a minor segment of their customer base and certification could adversely affect the rest of the organization because it is too distracting or expensive, it might be wise to delay and ultimately exit the business.

However, if an organization anticipates being subject to CMMC requirements at any level or wants to grow their DoD business taking work from others who might exit or delay in being compliant, it is advisable to pursue certification promptly. Initially, CMMC certification will offer a substantial competitive edge, but this advantage will diminish as more organizations become certified. Therefore, for organizations aiming to broaden their market presence, achieving CMMC certification could be a strategic business move.

Determine the scope.

The CMMC certification process can be particularly challenging for smaller companies. To balance the potential financial and operational impacts of compliance, a good starting point is determining what’s in and out of scope.

Organizations aiming for a level 2 or higher certification must consider five asset classes:

  • CUI assets: These process, store, or transmit CUI.
  • Contractor risk managed assets: These assets can – but are not intended to – process, store, or transmit CUI.
  • Security protection assets: These provide security functions or capabilities within the CMMC Assessment Scope, regardless of whether they process, store, or transmit CUI (e.g., firewalls, multifactor authentication tools).
  • Out-of-scope assets: These do not process, store, or transmit CUI or security protections for CUI assets and are physically and/or logically separated from CUI-handling assets (e.g., cloud-based HR systems, non-DoD project branches or locations).
  • Specialized assets: These can process, store, or transmit CUI but support a special function. These assets are excluded from the assessment scope, typically because they cannot be fully secured. Examples of specialized assets include test equipment and CNC or other manufacturing or assembly automation tools.

Since these assets may be exempt from some CMMC requirements, understanding and properly categorizing them can be advantageous. Subcontractors should leverage a strong understanding of the asset categories, and especially the specialized assets class, to help minimize the scope burden and allow for effective allocation of resources. By limiting the size and complexity of the in-scope assets, the certification process becomes faster, easier, and less expensive.

Subcontractors should also explore restructuring their organizations or operations to continue DoD- and CUI-related work without it impacting the entire organization. For instance, consolidating all CUI work into one branch or location can limit the assessment scope to only that branch, expediting the certification process.

Consider how the CMMC assessment covers third-party ESPs and CSPs.

One additional important scoping consideration is understanding how the CMMC assessment differentiates between third-party external service providers (ESPs) and cloud service providers (CSPs). This is crucial both to Organizations Seeking Assessment (OSAs) using external ESPs and/or CSPs, and to the ESPs and CSPs themselves.

  • ESPs: If an OSA uses an ESP (other than a CSP), the ESP must have implemented the CMMC Level 2 or higher requirements. Their security measures should be documented in the OSA’s System Security Plan (SSP) and the ESP likely will have to participate in the OSA’s assessment process.
  • CSPs: The final CMMC rule stipulates that an Organization Seeking Certification (OSC) can use a FedRAMP moderate (or higher) cloud environment to handle Controlled Unclassified Information (CUI) if the CSP is FedRAMP authorized or meets equivalent security requirements.

The Department of Defense (DOD) requires CSPs that are claiming equivalency to achieve 100% compliance with FedRAMP Moderate security controls, verified by a recognized Third-Party Assessment Organization (3PAO), and provide specific documentation as part of the Body of Evidence (BoE). This ensures stringent security standards are met.

Allocate resources to prepare for the assessment.

The CMMC certification process is straightforward, but preparation can be complex. Administered by the not-for-profit Cyber Accreditation Body (Cyber-AB), which consists of experienced industry professionals, the process involves OSCs requesting proposals or quotes from C3PAOs authorized by Cyber-AB to conduct CMMC assessments.

The DoD provides resources to help organizations evaluate their readiness and prepare for assessment, which includes the Assessment Guide, containing the assessment questions, and the CMMC Scoping Guide that details the asset categories and assessment methods.

Before engaging a C3PAO, subcontractors should take several preparatory steps:

  • Properly identify and organize their scope according to the five asset categories.
  • Ensure their System Security Plan (SSP) is robust enough to demonstrate understanding of the requirements and how they are being met.
  • Document and approve all CUI data flows to show organizational maturity and control over CUI storage and movement.
  • Conduct internal and mock assessments to prepare the team for questions from the assessment team and ensure documentation is available to support the implementation of all 110 CMMC controls for in-scope systems.

Organizations often encounter common pitfalls, such as uncertainty about which CMMC level to target, incomplete asset inventories, and difficulties in identifying and tracking FCI and CUI. Smaller subcontractors, in particular, may struggle due to limited resources. When pursuing CMMC certification, it is crucial to have a dedicated cross-functional team focused on gathering all necessary documentation and information. Involving the right people, including executives and not just IT personnel, is essential to avoid a more costly and prolonged certification process.

Engaging a third-party consultant with extensive knowledge of the CMMC process can be beneficial. These consultants can view the subcontractor from an assessor’s perspective, helping to identify and address potential issues before the actual certification process begins.

Determining CMMC assessment readiness can be complex, but starting with these six questions can help:

  1. Have I completed my system security plan (SSP), CUI data flows, and associated policies and procedures?
  2. Have I conducted a self-assessment and confirmed that our organization complies with all CMMC practices and their assessment objectives?
  3. Have I gathered evidence for each assessment objective?
  4. Have I evaluated my external service providers and cloud service providers?
  5. Have I trained my control owners on what to expect and how to properly implement CMMC practices?
  6. Have I identified my CMMC assessor, and do I believe they will be fair, reasonable, and available within the required timeframe?

Engage with a C3PAO and undergo the CMMC assessment.

Once contracted for an assessment, the C3PAO will either utilize a certified assessor on staff or hire an independent assessor to carry out the work. The C3PAO will oversee the entire process, including quality assurance, ensuring the assessment’s credibility and proper execution, and submitting the results to the DoD.

The CMMC certification process typically takes four to eight weeks, depending on the size and scope, and begins with a phase to understand the scope and ensure the OSC is prepared. The OSC will then need to gather and provide artifacts to demonstrate that the required practices are in place. The primary effort occurs during the fieldwork phase, usually a busy week of concentrated activity, where artifacts and live demonstrations provide the assessment team with the evidence needed to determine if practices are implemented. Finally, the process concludes with wrap-up and reporting.

If there is missing information or something amiss during the certification process, organizations may receive a provisional certification and enter a remediation period, during which the OSC has six months to resolve any remediation-eligible problems, also known as plan of action and milestones (POA&M) items. If an organization completes those POA&Ms within the set timeframe, it will be eligible to receive full certification.

The bottom line.

It is important to remember that CMMC’s requirements are not limited to primary DoD contractors and applicability is not determined by the size of the organization. Understanding what is in and out of scope, the necessary level of certification, how CMMC applies to third-party suppliers or service providers, and what is needed to pass the assessment is complex and requires significant resources. Taking a hybrid approach that combines internal and external expertise will help OSCs ensure that their own organization, as well as their third-party suppliers, are compliant with all appropriate requirements, minimizing certification costs and operating strains.

About the Author

Matt Gilbert leads Baker Tilly’s cybersecurity maturity model certification (CMMC) and government contractor IT risk suite of services. His experience includes internal auditing, SOX compliance, information technology controls, business process controls, and ERP risk and controls. Matt is actively engaged in supporting government contractors, grant recipients, state and local governments, and federal agencies in navigating the CMMC requirements, and he also has extensive experience supporting NIST 800-171 and 800-53-related assessments. Matt can be reached online at [email protected] and at Baker Tilly’s website, https://www.bakertilly.com/.
