An Overview of CMMC for Defense Contractors

Data exfiltration is a growing concern among businesses and governments alike. After all, data is the most valuable asset second to people that an organization has. The Cybersecurity Maturity Model Certification (CMMC) is the government’s response to data exfiltration. It’s an attempt to bolster cybersecurity among the defense industrial base (DIB) and is becoming a requirement for defense contractors performing work for the Department of Defense (DoD).

What is CMMC?

The primary objective of the CMMC framework is to better protect controlled unclassified information (CUI). CUI is defined as any information the government creates or possesses or that another entity creates or possesses on its behalf. CUI can be incredibly sensitive in nature as it includes things like infrastructure plans, import controls, nation-state intelligence, legal and myriads of other important data. In the past, contractors were expected to execute due care in the implementation of security controls on their Information Technology (IT) systems or the information transmitted by these systems. The CMMC still requires this, but additionally necessitates 3rd party assessment of a contractor’s compliance with certain mandatory procedures.

Now, we know what you might be thinking “oh no- yet another bureaucratic mandate to follow.” However, the goal of CMMC compliance is not to burden your organization but protect it and our nation against the rapidly evolving threat landscape. The government knows most organizations do not have the resources for a full-fledged threat hunting team to help profile its organization’s threat landscape and then decide what threats should be prioritized. This is why the CMMC was created with input ranging from universities to industry research centers. There are 5 certification levels that reflect the maturity of a contactor and the data it handles. The idea behind this is to eliminate unnecessary time and resource allocation towards cyber risk you organization is exempt to, however, it is encouraged to obtain the highest level possible.


Level 1 Basic Cyber Hygiene

Safeguard using universally accepted cyber guidelines

Level 2 Intermediate Cyber Controls

Transition into cyber maturity to protect CUI

Level 3 Adequate Cyber Controls

Protect CUI data, includes coverage of all NIST SP 800-171 controls

Level 4 Proactive Cyber controls

Provide sophisticated security practices

Level 5 Advanced Practices

Protect CUI and reduce the likelihood of Advanced Persistent Threats


CMMC is intended to be more cost-effective and achievable for small to medium-sized businesses than NIST SP 800-171. However, significant investment will still be required for organizations without a formalized cybersecurity program. DoD contractors already adhering and self-attesting to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, released in October 2016, will not have too many extra hoops to jump through to reach CMMC compliance. The controls in DFARS are outlined in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and of them CMMC will only require four additional domain controls not listed; these are:

  1. Asset Management
  2. Cybersecurity Governance
  3. Recovery
  4. Situational Awareness

What actions should DoD contractors take now?

DoD contractors should start learning the technical CMMC requirements as well as begin preparing for certification. Even though CMMC compliance is not yet required for government contractors, it is already being phased in. September 2020 was the official date that organizations started to see CMMC listed in Request for Information (RFIs) and Request for Proposals (RFPs). Moving into 2021 we can easily anticipate seeing more CMMC on government contracts. The presence of a mostly remote workforce and increased cyber-attacks due to COVID-19 is also a reason why the CMMC framework will be highly sought after by the DoD.

The earlier organizations get involved with CMMC consultants the more efficient and progressive results will be. This will additionally allow ample time to achieve the highest certification level possible for an organization. It is very plausible to expect that contractors who do not show interest in CMMC will be unable to meet minimum contract requirements and thus, be unable to compete for work despite their long-standing record of services. However, contractors need to understand that achieving CMMC certification should not be the end goal, but the ability to defend against evolving threats is. CMMC is not a silver bullet for vendor cybersecurity, but a turning point to transform their internal security culture for the short and long term.

Silent Sector recognizes organizations who pursue CMMC will be best positioned to compete in the competitive contractor market and will be better able to reduce their cyber-related risk. Our proven track record of supporting companies with requirements like CMMC and others enables us to lead your organization to its desired level of certification. Interested in what it takes? Contact Silent Sector today to schedule a consultation.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.