CMMC 2.0 Quick-Start Guide for Defense Contractors

CMMC 2.0 compliance is by no means simple, but it's essential for organizations in the defense industrial base who are entrusted with controlled unclassified information (CUI) as part of their work with the U.S. federal government.

Discussions and debates about CMMC (Cybersecurity Maturity Model Certification) have echoed through the defense community for several years now, as the CMMC standard itself has evolved, and the implementation timeline has slowly crept forward. 

But, now, CMMC 2.0 enforcement is imminent: Signs point to CMMC 2.0 being included in defense contracts as early as Q4 2024. Defense organizations need to start addressing CMMC 2.0 controls now in order to demonstrate cybersecurity compliance and secure future government contracts.

Want to fast-forward to how Virtru can help you meet 27 of the 110+ security controls? Click here to skip straight to the good part. If you want more CMMC context and DoD resources, read on. 

Refresher: What Is CMMC, and Why Is It Important? 

CMMC stands for the Cybersecurity Maturity Model Certification program. CMMC is defined as a set of data protection standards established by the U.S. Department of Defense to ensure the protection of controlled unclassified information (CUI) by defense contractors. 

Put simply, CMMC is a set of rigorous security standards that defense contractors must meet in order to do business with the federal government moving forward. At the time of writing, it is in the rulemaking phase and not yet being enforced, but that time is quickly approaching. 

The DoD has established CMMC as a robust set of cybersecurity requirements to ensure that, if a private organization does business with the federal government, and handles CUI as part of that work, that organization needs to demonstrate that it can be trusted with that data. CMMC compliance demonstrates tight security protocols for protecting sensitive information across its life cycle. 

What Are the 3 Levels of CMMC? 

The 3 levels of CMMC are increasingly progressive, with 1 being the most basic, and 3 being the most heavily regulated. According to the DoD CIO CMMC Assessment guide, Level 1 and a subset of Level 2 generally apply to contractors who do not handle information deemed critical to national security, and can therefore perform annual self-assessments against a clear set of cybersecurity standards, attesting to the DoD that these requirements have been satisfied.

Organizations that will be handling information deemed critical to national security will need to undergo third-party assessments. This includes many Level 2 contractors.

Level 3 represents the highest-priority, most critical defense programs that require government-led assessments to ensure proper handling of highly sensitive defense information for national security. 

CMMC Level 1

CMMC Level 1 is the most basic and foundational level of CMMC compliance. For those tracking the evolution of the CMMC standard, CMMC 2.0 Level 1 is consistent with the guidelines originally set out in CMMC 1.0 Level 1, and is designed to be simpler for small organizations to meet, particularly if those organizations are not going to be managing information critical to national security. Level 1 does still require an annual self-assessment and an affirmation by the organization's executive leaders that attests the requirements are being met.

Recommended Reading: DoD CMMC Level 1 Self-Assessment Guide. 

CMMC Level 2

Level 2 is designed to protect information critical to national security, so it understandably represents a leap forward in terms of both effort and security requirements, encompassing 110 controls, aligned with NIST SP 800-171. It requires a third-party assessment every three years and an annual affirmation. Select programs require a self-assessment every three years and annual affirmation.  

Recommended Reading: DoD CMMC Level 2 Self-Assessment Guide. 

CMMC Level 3 

CMMC Level 3 represents the highest and most robust set of cybersecurity requirements, aligning with NIST SP 800-171 and 172. It also requires government led-assessments every three years as well as an annual affirmation. 

Recommended Reading: The CMMC Level 3 Self-Assessment Guide is still under development at the time of writing, but you can access all available documentation on the DoD CMMC Documentation website. 

The CMMC Fast Track: Address 27 of 110+ CMMC Requirements with Virtru

On a journey so long and complex as CMMC compliance, you need partners who can help you advance your program's maturity, as quickly and easily as possible.

Virtru Is Your Trusted Partner in CMMC 2.0

Just ask our CMMC customers like Rise8, Exxelia, a global engineering firm, a global energy innovator, and a manufacturing company who use Virtru to support compliance with CMMC, DFARS, and ITAR in both Google Workspace and Microsoft Outlook using client-side encryption and granular access controls. With the Virtru Private Keystore, they can also maintain complete control of their own encryption keys for maximum data ownership that shields data from cloud providers. 

Virtru Gives You a Jump Start on Your CMMC Compliance Journey 

Virtru addresses nearly a quarter of the 110+ total CMMC controls. Our CMMC 2.0 Data Security Checklist provides a detailed breakdown of the 27 controls where Virtru can support your CMMC compliance efforts.

Virtru is FIPS 140-2 Certified and FedRAMP Authorized

It's also important to note that the Virtru Data Security Platform is FIPS 140-2 Certified and FedRAMP Authorized at the Moderate level — so our data-centric security solutions allow you to confidently protect and share sensitive information in a manner that aligns with CMMC. 

Virtru Balances Seamless Ease of Use with Military-Grade Data Control 

Organizations that use Virtru are met with a seamless user experience that doesn't hold them back from collaborating and innovating. One of our customers, the Air Force Research Laboratory, uses Virtru for this exact reason. Here's what Dr. Dan Berrigan said about using Virtru for highly secure communications via Google Workspace: 

“We’ve ensured our tech stack facilitates the seamless exchange of ideas, accelerating our maturation cycles and the pace of innovation that AFRL must operate at,” says Berrigan. “When it comes to communicating with third-party partners, we believe frictionless collaboration holds the same level of importance as privacy, security, and compliance with governance controls... AFRL invests in its collaboration tool stack by using the Google Workspace suite to foster that simple, easy-to-use collaboration, along with Virtru’s client-side and server-side data protection to provide additional layers of security for sensitive information.”

How to Get Started with Virtru for CMMC

Ready to learn more about Virtru's CMMC-supporting data security solutions? Contact our team to start the conversation. If you want to dive deeper, read on. 

CMMC Resources for DoD Contractors

Because data-centric security and access control are both central to a strong CMMC compliance strategy, Virtru has been engaged with our customers and industry cyber leaders for years on this topic. Here are some of the resources we have created to help DoD contractors navigate this evolving landscape. 

Webinar: Clarifying CMMC and ITAR, Featuring ATX Defense

This webinar, featuring Zach Walker of ATX Defense, breaks down some of the complexities of CMMC compliance for fellow defense contractors, particularly when it comes to collaborating in Google Workspace or Microsoft 365. 

While many organizations assume they must remain on Microsoft to meet CMMC compliance, Google’s cloud can provide a more cost-effective and secure foundation – bolstered by third-party tools like Virtru – for maintaining the confidentiality and integrity of CUI and other sensitive data.

CMMC Compliance Checklist: Quickly Support 27 Controls for CMMC 2.0 Level 2, Aligned with NIST 800-171

This CMMC Checklist charts the 27 out of 110+ areas of CMMC that Virtru can support for your organization, across multiple practice areas.   

Webinar: Hear from CMMC Experts on the Front Lines

In this Virtru Voice of the Customer CMMC webinar, experts from Coalfire Federal, Summit Federal Services, and Chertoff Group share their insights on what goes into a CMMC maturation journey. Their experience on the front lines is invaluable for anyone seeking to bolster cybersecurity for national defense. 

You can also check out our recap: Defense Experts Help Chart the Path for CMMC 2.0.

Datasheet: Safeguard CUI to Prepare for CMMC 2.0 Compliance

This one-page CMMC collaboration overview breaks down how Virtru can help support CMMC 2.0 compliance with easy-to-deploy, easy-to-use client-side encryption for your everyday business workflows.

Podcast: CMMC 2.0 - Where Companies in the DIB Stand Today

In this CMMC podcast episode, Virtru's CMO, Matt Howard, and VP of Sales, Andrew Lynch, discuss what they're hearing from Virtru customers pursuing CMMC 2.0 compliance. 

CMMC FAQs 

What is the CMMC compliance deadline? 

CMMC 2.0 will likely begin to roll out in defense contracts starting in Q4 2024 or Q1 2025. At the time of writing, CMMC 2.0 is a proposed rule without an established enforcement deadline. CMMC compliance will be required for federal contractors in phases for the next several years as contracts are continually established and renewed. 

When is CMMC compliance required?

CMMC compliance will soon be required for defense organizations working on DoD contracts that involve sensitive CUI (controlled, unclassified information). CMMC ensures that highly sensitive information is properly handled and protected. 

What level of CMMC do I need to meet? 

The required CMMC level will vary depending on the scope of the project: When CMMC is formally rolled out, the required level will be noted in the RFI (Request for Information) on each contract.

What is CMMC vs NIST 800-171? 

CMMC and NIST SP 800-171 are two separate sets of data protection standards that are aligned, but not identical. CMMC was established by the DoD, and NIST standards are designed for organizations 

Is CMMC the same as DFARS?

No, but they are similar. Like CMMC, DFARS 7012 is rooted in NIST 800-171 standards, and it is designed to protect CUI. CMMC goes further, encompassing all of the DFARS rules and building upon them for DoD contractors. 

What are the 110 CMMC Requirements? 

The requirements of CMMC Level 2 can be found in the DoD CMMC Level 2 Assessment Guide.  These 110 CMMC controls cover multiple areas, including: 

• Access Control (AC)
  • Recommended Reading: ABAC, Anemones, and You
• Awareness and Training (AT)
  • Recommended Reading: I (Zero) Trust You: Building Trust in a ZT Security Environment
• Audit and Accountability (AU)
  • Recommended Reading: Audit and Control 
• Configuration Management (CM)
• Identification and Authentication (IA)
  • Recommended Reading: Maximize Your Zero Trust Identity Management by Tying Identity to Data
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
  • Recommended Reading: R1 Universities Meeting CMMC 2.0: Balancing Security and Innovation
• Personnel Security (PS)
• Physical Protection (PE)
• Risk Assessment (RA)
  • Recommended Reading: The Complete Guide to Building an Insider Threat Program
• Security Assessment (CA)
• System and Communications Protection (SC)
  • Recommended Reading: Data-Centric Interoperability: How Zero Trust is Transforming Mission Partner Collaboration for the Department of Defense
• System and Information Integrity (SI)
  
  

What does CMMC cost? 

The costs of CMMC depend on the level you aim to achieve, and can vary depending on the vendors and partners you select. The DoD will publish CMMC cost estimates alongside the final rule when it is established, but it does estimate that CMMC level 1 (and a subset of level 2) will be more affordable, as they do not require a third-party assessment. Costs, understandably, increase with the CMMC levels as more protections need to be put in place. 

With that said, you can spend a lot on CMMC — especially with expensive software like Microsoft GCC High. But, there are ways to put more affordable protections in place without breaking the bank. As we referenced above, the Virtru Data Security Platform can help you address nearly 1/4 of the 110 CMMC Level 2 requirements, giving you a head start on your CMMC readiness posture. 

What are the 5 levels of CMMC?

CMMC no longer has 5 levels: With CMMC 2.0, the DoD has streamlined the 5 levels down to 3 (as levels 2 and 4 in the CMMC 1.0 framework essentially served as transitional levels). 

What is CMMC 1.0 vs. 2.0? 

CMMC 1.0 was the first version of CMMC. Upon receiving public comments around the framework's complexity, the DoD introduced CMMC 2.0 as a streamlined version of the standard that reduces that complexity and brings greater clarity to the requirements for each level. 

Recommended Reading: CMMC 2.0: What Changed, and What Are Your Action Items? 

Next Steps: Virtru Can Support Your CMMC Compliance Journey

If you're ready to start checking CMMC controls off your list, get in touch with Virtru: We provide powerful, data-centric security and fine-grained access controls that safeguard sensitive data at every point of its lifecycle. You also have options to manage and host your own encryption keys, on-prem or in a private cloud, or in the location of your choosing. 

We'd love to discuss your CMMC strategy and goals with you: Contact our team today to get the ball rolling, and get closer to meeting your CMMC objectives.