
CMMC 101
Understanding the Cybersecurity Maturity Model Certification (CMMC)

www.hivesystems.io
© 2022 Hive Systems, LLC

A Little Bit of Background First
In the Beginning There Was CMMC 1.0
In November 2020, an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule titled Assessing Contractor Implementation of Cybersecurity Requirements was created, implementing DFARS clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. This clause implemented the initial version of what became the first Cybersecurity Maturity Model Certification (CMMC 1.0).
CMMC 1.0 was developed by the Department of Defense (DoD) to help standardize the cybersecurity requirements for companies doing business with the DoD. Prior to this, there was an inconsistent patchwork of policies and standards across private sector companies that left the DoD responsible for, yet struggling to understand, its exposure and risk. The program included cybersecurity standards for prime contractors and subcontractors in the defense industrial base (DIB) and provided a framework for the assessment and certification of contractor and subcontractor cybersecurity controls. CMMC incorporates the standards and certification program into acquisition programs to provide the DoD assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.
CMMC 1.0 was, by and large, criticized for its complexity, with cybersecurity process and practice expectations that were out of touch with industry best practices in the private sector for how companies implement effective cybersecurity controls. CMMC 1.0 consisted of 5 increasingly progressive levels from Basic to Advanced, but in reality Level 2 and Level 4 were considered “transition” levels. These interim stages added requirements for Controlled Unclassified Information (CUI) and Advanced Persistent Threats (APT) from NIST SP 800-171 and NIST SP 800-172. As such, they needed to be considered by the cybersecurity program and incorporated into planning, but were not necessarily mature in practice, implemented, and measurable as they were at Level 3 for CUI controls (NIST SP 800-171) or Level 5 for further APT focus (NIST SP 800-172). As a result of this multi-stage, progressive process, many of the requirements for CMMC 1.0 were confusing, and the DoD found that even the communication of the requirements and expectations from its own cybersecurity and acquisitions leaders to contractors and subcontractors was confusing and inconsistently provided. Further, CMMC 1.0 defined several unique maturity processes that were challenging for companies to interpret and implement if they were already following other industry and government standards.
Beyond the challenges of confusing cybersecurity requirements mapped to what seemed to be arbitrary, or at least inconsistently communicated, requirement sets, CMMC 1.0 did not allow for the use of Plans of Action and Milestones (POA&Ms) or “Risk Waivers” when seeking certification. This effectively provided contractors and subcontractors with no ability to address non-compliance through reasonable remediation planning, and instead resulted in contractors struggling to demonstrate compliance with all required cybersecurity practices and processes, and unnecessarily delaying certification assessment out of fear of failure. Both DoD cybersecurity and industry representatives agreed this was too inflexible and did not properly account for nuance and the non-applicability of certain cybersecurity practices across a broad range of contractor / subcontractor systems and services, nor for good faith efforts to remediate without holding up the acquisition process.
Finally, in a shift from most risk-based frameworks and standards that allow some level of self-assessment and reporting for low-risk systems, CMMC 1.0 accepted only independent third-party assessment for certification. This was not only a shift from the norm, but also created a heavy cost and resource burden even for those contractors and subcontractors seeking the lowest Level 1 certification. In many cases these assessments provided little assurance for the DoD over self-assessment of these lower maturity level providers.

New and Improved - it’s CMMC 2.0!
In March 2021, the DoD initiated an internal assessment of the CMMC 1.0 implementation,
performing internal review and seeking comment from the public on the interim DFARS
rule. After receiving nearly 850 comments, as well as feedback from key DoD leaders, the
DoD released an updated CMMC framework known as CMMC 2.0.
CMMC 2.0 streamlined the framework from both a requirements and standards perspective, doing away with many of the unique practices and processes that comprised much of CMMC 1.0 and aligning the requirements with established cybersecurity frameworks including NIST SP 800-171 and NIST SP 800-172. In addition to streamlining the requirements, CMMC 2.0 removed two of the compliance levels from CMMC 1.0. The overall compliance levels are still progressive, but now, instead of 5 levels including two transitionary levels, CMMC 2.0 retains just three levels: Level 1 (Foundational); Level 2 (Advanced); and Level 3 (Expert).

Because of the streamlining of the requirements to meet each compliance level, and the
required CMMC certification level being included in solicitation documentation, it is now
clearer to companies what requirements they’ll be on the hook for at a given level:
❯ Level 1: Companies at Level 1, the Foundational level, handling Federal Contract Information (FCI) only will need to meet the 17 core cybersecurity practices retained from CMMC 1.0, as identified in 48 CFR 52.204-21.
❯ Level 2: Companies at Level 2, the Advanced level, handling Controlled Unclassified Information (CUI) will need to implement and meet the requirements for the 110 cybersecurity practices (i.e., controls) from NIST SP 800-171.
❯ Level 3: Companies certifying at Level 3, the Expert level, handling CUI of the highest priority will need to implement and meet the requirements for 110+ cybersecurity practices from NIST SP 800-172.

By eliminating the DoD-specific maturity processes and instead moving toward established standards, companies are more readily prepared to meet the requirements of CMMC. With far less duplicative, cost-bearing effort in the process, many companies are now seeking CMMC certification with clearer guidance. And for those companies that were already aware of, or were already working toward, compliance with NIST SP 800-171 and NIST SP 800-172 as part of prior federal guidance for contractors and subcontractors handling CUI, the path is even clearer.

Industry Aligned Cybersecurity Practices At Last
With the sunset of CMMC 1.0 certification levels and its confusing cybersecurity practices
and maturity processes, the shift to a model based on NIST SP 800-171 and 800-172 will
make identifying the requirements across the three CMMC 2.0 certification levels much
easier. Currently that is true for Level 1 and Level 2 scopes. Unfortunately, as of this
writing, Level 3 cybersecurity practice requirements are still in development, as are the
scoping and assessment guidance related to them. If you’re wondering what the
requirements look like in practice, check out the table below outlining the 17 CMMC 2.0
cybersecurity practice requirements for Level 1, which cover the minimum requirements to
protect a company and its information systems:
Level 1 (Foundational) Practices

AC.L1 - 3.1.1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

AC.L1 - 3.1.2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

AC.L1 - 3.1.20
Verify and control/limit connections to and use of external information systems.

AC.L1 - 3.1.22
Control information posted or processed on publicly accessible information systems.

IA.L1 - 3.5.1
Identify information system users, processes acting on behalf of users, or devices.

IA.L1 - 3.5.2
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

MP.L1 - 3.8.3
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

PE.L1 - 3.10.1
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

PE.L1 - 3.10.3
Escort visitors and monitor visitor activity.

PE.L1 - 3.10.4
Maintain audit logs of physical access.

PE.L1 - 3.10.5
Control and manage physical access devices.

SC.L1 - 3.13.1
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

SC.L1 - 3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

SI.L1 - 3.14.1
Identify, report, and correct information and information system flaws in a timely manner.

SI.L1 - 3.14.2
Provide protection from malicious code at appropriate locations within organizational information systems.

SI.L1 - 3.14.4
Update malicious code protection mechanisms when new releases are available.

SI.L1 - 3.14.5
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

For Level 2 certification, the 110 controls within NIST SP 800-171 constitute the scope of
cybersecurity practices. You can review the scoping guide for each level using the CMMC
2.0 Practice Spreadsheet and Mapping available on the DoD’s CMMC website.

Updated Assessment Requirements
As part of the updates to CMMC 2.0, the DoD also revised the assessment requirements for
the streamlined certification levels:
❯ Level 1: Contractors and subcontractors attempting to certify at the Level 1 Foundational certification level are now only required to perform an annual self-assessment. This is far more achievable, from a cost and resource perspective, for companies in this nascent state.
❯ Level 2: Those companies certifying at the Level 2 Advanced certification level can either:
  ❯ Be required to submit annual self-assessments if selected by DoD cybersecurity and acquisitions management based on the assessed risk of the services provided and data handled; or
  ❯ Be required to perform triennial third-party assessments if handling (accessing, storing, processing, or transmitting) National Security Information (NSI).
❯ Level 3: For those companies seeking to certify at the Level 3 Expert certification level, the assessment burden has also changed considerably, from a triennial third-party-led assessment to triennial government-led assessments. The DoD felt that the likely mission-critical nature of systems and services provided by contractors or subcontractors certifying at Level 3 warranted a higher level of oversight than under CMMC 1.0, and determined the best way to accomplish this was through government-led assessments rather than relying on third-party assessments.

A Few More Changes
In addition to the changes to the practice and assessment requirements, CMMC 2.0 also
contains a few additional changes from the original framework:
❯ POA&Ms: Under CMMC 2.0, the program will allow limited use of POA&Ms by companies seeking certification. They will be time-bound (likely 180 days from the POA&M creation date) and contractually enforced. The program will not allow POA&Ms for some high-weighted requirements and establishes a “minimum score” requirement to support certification with any open POA&Ms.
❯ Risk Waivers: Risk waivers will be accepted on a very limited basis in very specific mission-critical circumstances. The certifying company must submit the waiver request, including risk mitigation strategies, to its Government Program Office (PO). The Government PO will submit the waiver request package for senior DoD approval. Further, such waiver requests must be time-bound, with the time limit considered and stipulated on a case-by-case basis.

Tackling CMMC for Your Company
“When do I need to become CMMC certified, and at what level?”
Fortunately, if your company was reviewing the old CMMC 1.0 guidance and was trying to
make sense of it, things are clearer. While you may have been trying to determine what
support and efforts needed to be made to bring yourself into compliance within the
five-year phase-in period, the DoD placed a moratorium on CMMC requirements in DoD
solicitations. Only select contracts participating in pilot programs are required to comply
with CMMC 2.0.
The DoD does not intend to approve inclusion of a CMMC compliance requirement in any
contract prior to completion of the CMMC 2.0 rulemaking process. Such rulemaking
processes can take anywhere from 9-24 months. Once CMMC 2.0 is codified through
rulemaking, the DoD will require companies to adhere to the revised CMMC framework
according to requirements set forth in regulation. It is expected a phase-in period will be
established similar to when CMMC 1.0 was codified.
Companies will be able to identify what CMMC certification level, if any, is required to do
business with the DoD from the solicitation information. The DoD indicated it will include
the required CMMC certification level in all solicitation documentation, including in any
Requests for Information (RFIs) utilized.

“What are the CMMC Accreditation Body (CMMC-AB) and CMMC Certified Assessors?”
The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of
assessors that can deliver consistent and informative assessments to participating
companies. No company can become a CMMC Third-Party Assessor Organization (C3PAO)
and no individual can become a CMMC Certified Assessor (CCA) without first going through
the training process managed by the CMMC-AB. The body does not endorse or promote
any company that is not included in its marketplace of pre-approved partners.
CMMC requires that any third-party assessor or C3PAO be certified and licensed by the
CMMC-AB to meet the requirements to perform assessments on behalf of companies
seeking CMMC compliance certification. The CMMC-AB provides two credentials for
professionals seeking to become certified assessors (the first being a prerequisite to the
second):
Certified CMMC Professional (CCP)
✓ Eligible to become a Certified CMMC Assessor
✓ Credentialed to participate on CMMC L2 assessments
✓ Valuable credential as an employee with the training to understand the requirements of CMMC for a DoD supplier
✓ Authorized to use the Certified CMMC Professional logo
✓ Listed in the CMMC-AB Marketplace

Certified CMMC Assessor (CCA)
✓ Credentialed to conduct CMMC L2 assessments
✓ Authorized to supervise Certified CMMC Professionals in the conduct of L2 assessments
✓ Valuable for an employee with training who may be overseeing or supporting government-led assessments for L3 contractors / subcontractors
✓ After completing 3 assessments, authorized to use the CCA-2 logo

Additionally, for companies to qualify and be certified as a C3PAO, they must meet the
requirements for certification as outlined by the CMMC-AB, including (eventually) achieving
CMMC Level 2 certification themselves. Depending on what level certification your
company is aiming to achieve, you may need to budget to have a C3PAO assist you with
assessing your compliance with the CMMC required practices.

“Where can I get help navigating and meeting the CMMC requirements?”
You’ll need to start by finding a trusted advisor who can provide a flexible approach
customized to your company’s individual CMMC needs, bearing in mind that your company
is unique from others - with a different set of priorities, different resource constraints, and
a different culture. Your advisor should partner with you to understand your needs and
tailor the service delivery in a way that meets your business requirements and
cybersecurity objectives.
So whether your company is exploring CMMC certification for the first time, just wants to see where it stands as far as certification readiness, or has already passed the point of readiness and is currently focused on remediation in preparation for an upcoming C3PAO assessment, your trusted advisor should be knowledgeable, approachable, and flexible.

Expert CMMC Support
About Hive Systems
Hive Systems brings multiple decades of direct cybersecurity
controls experience leading both the development and
implementation of effective cybersecurity controls, processes,
and technologies. Our work has directly supported private
sector companies seeking to provide services to the civilian,
healthcare, intelligence, and Defense Industrial Bases (DIB).
Hive Systems has extensive experience assisting companies
both large and small with their NIST SP 800-171 and 800-172,
FedRAMP, DoD Risk Management Framework (RMF), and
CMMC compliance assessment and readiness efforts.
Our team of approachable experts has not only supported commercial companies with their public sector compliance needs, but has also worked directly with federal government agencies. Our work has included leading and managing information security and privacy audits and assessments of federal agencies’ contractors and subcontractors against numerous federal cybersecurity control frameworks. This experience - covering both sides of the same coin - allows us to provide you with not only the subject matter expertise you need to reach your compliance objectives, but also the perspective of the “auditor” and the ability to effectively provide “audit ready” solutions that are tailored specifically to your unique business needs.
Additionally, Hive Systems, through its strategic partnership with a recognized CMMC
C3PAO, can help customers meet their CMMC certification assessment needs from top to
bottom.

Our Approach
Hive Systems’ CMMC Readiness Assessment focuses on examining your company’s
organizational cybersecurity controls and those specific to the services or products you
intend to bring to market for the Defense Industrial Base (DIB) through the lens of CMMC
2.0. Our team of experts will guide you through information gathering relevant to the
assessment of the CMMC practices, working hand-in-hand with your team to develop a
current state view of the design and implementation of in-scope cybersecurity processes
and practices. Once that initial scoping is developed, our team will identify and document
the gaps between the current state and the desired CMMC certification level requirements,
while providing you with actionable and tailored remediation plans. Our team will also provide you with customized reports on compliance across various stakeholder levels, delivering both low-level detail reports with concise and actionable information for your technical stakeholders to facilitate remediation, and executive-level reports highlighting the outcomes of the assessment, key insights and takeaways from the effort, and areas of interest to help drive business decision making and prioritization efforts.

A Phased Readiness Assessment Approach
Our Expert Remediation Support services focus on the “after the readiness assessment” activities. Hive Systems takes gaps and recommendations identified during the previous readiness assessment and works directly with your technical stakeholders to develop detailed, meaningful remediation plans. Hive Systems will help you identify and understand the risk of the gaps so you can prioritize your remediation efforts more effectively and better understand your options to reach a compliant state. We’ll help you develop and execute on successful action plans to facilitate timely and cost-effective remediation that is in line with your priorities, integrates seamlessly in your ongoing efforts, and fits into your overarching cybersecurity strategy.
Our team of experts also has in-depth knowledge of cybersecurity controls, processes, and the latest technology to provide end-to-end support in remediation. This isn’t just an audit report being thrown on your desk - this is a full stack solution to your CMMC needs. We’ll help you with implementation to ensure your remediation efforts and implementations are:
❯ Completed without negative impact to your business
❯ Fully compliant with the requirements of the CMMC certification level targeted, and
❯ Delivering measurable improvements to your cybersecurity program and posture.

More About Hive Systems
Hive Systems provides smarter cybersecurity solutions with our trusted experts. Leveraging
our collective experience, we promote a true partnership by understanding what makes
your organization unique to help evaluate your cybersecurity strengths and vulnerabilities.
Together, we’ll develop a risk reduction strategy that best utilizes your existing investments,
including both technology and people, to keep your information secure anywhere - so you
can reduce risk everywhere. Through Hive Helps, we offer pro bono consulting services to
qualified non-profit organizations and communities to ensure that limited resources don’t
stand in the way of social progress.
So whether you know exactly what you need or have absolutely no idea, we love to talk
about cybersecurity. And if you need help with something that we didn’t discuss in this
whitepaper, there’s a good chance we can help with that too. Contact us directly and let’s
talk more about how Hive Systems can help make cybersecurity approachable for you and
your company.

Andrew Bradley
Director, Cybersecurity Services
andrew.bradley@hivesystems.io
804-471-3126

Alex Nette
CEO and Co-Founder
alex.nette@hivesystems.io
804-396-4720

Find out more about us online at www.hivesystems.io, and while you’re there, check out:

❯ Read the ACT Blog where you can learn about the latest trends and concerns
sweeping the cybersecurity world.
❯ Watch Hive Live and check the newest episodes featuring our experts and panelists.
❯ Read our story to learn more about us and how we’re making cybersecurity
approachable.
❯ Learn about Hive Helps where we provide pro bono consulting to qualified
non-profit organizations and charities.
Disclaimer
The opinions expressed are in good faith and while every care has been taken in preparing
this document, Hive Systems, LLC makes no representations and gives no warranties of
whatever nature in respect of this document, including but not limited to the accuracy or
completeness of any information, facts, and/or opinions contained therein.
Hive Systems, LLC, its subsidiaries, officers, employees, and agents cannot be held liable for
the use of and reliance of the opinions, strategies, and findings in this document.
