How CMMC is Changing Facility Security in 2021

It’s been nearly a year since the Cybersecurity Maturity Model Certification (CMMC) went into effect. Announced by the Department of Defense (DoD) in 2019, the program is an ambitious effort to consolidate security regulations across the Defense Industrial Base (DIB) and supplant the more familiar NIST SP 800-171. Now, implementation is well underway, and the certification will soon appear on contracts.

Through mandatory third-party audits and a five-tier security scale, CMMC promises greater accountability and better protection in a world of emerging threats. But the transition to CMMC has not been without difficulty, and in 2021, many are still unsure what it entails. What is changing under the DoD’s latest security regulation, and how does it impact facility security officers (FSOs)?

In this article, we will answer these questions and many more, beginning with some background.

New Struggles, New Solutions

Security risk in cleared organizations has been steadily rising for the past few years thanks to the Internet of Things (IoT) adoption, remote employment, the IT/OT convergence, and many other factors. Last year’s SolarWinds attack demonstrates how modern threat actors can compromise multiple government agencies through a single attack.

In these new circumstances, it is crucial for government contractors to apply security controls that comply with regulations like NIST 800-171. But in 2018, a study from the MITRE determined that most defense contractors had failed to meet this standard.

In 2019, the CMMC was introduced as a way to increase compliance throughout the DIB with two main goals. First, it supplements previous regulations with new security controls that address developing threats. Second, it mandates periodic audits by Certified Third-Party Assessment Organizations (C3PAOs) for contractors to remain certified.

The last change is significant. In the past, cleared organizations only had to submit a self-assessment to be eligible for sensitive contracts. The CMMC creates a system of oversight that will prevent security violations and raise accountability.

How CMMC Works

The CMMC rule went into effect in December of 2020 under a five-year rollout plan. Between now and 2025, the DoD will be fleshing out the requirements of CMMC and training accredited inspectors through the CMMC Accreditation Body.

In its current state, CMMC incorporates the security controls and practices contained in NIST 800-171 with the objective of protecting Controlled Unclassified Information (CUI). It also introduces new controls across multiple security domains, including Risk Management, Access Control, Personnel Security, and others.

CMMC is divided into 5 levels of security with different standards of protection:

  • Levels 1 – 3 – correspond to Basic, Intermediate, and Good “Cyber Hygiene”. Level 3 is roughly equivalent to NIST 800-171 in terms of difficulty, with 130 total security practices. It also requires documentation of security controls and a plan for maintaining compliance.
  • Level 4 – requires a “Proactive” cybersecurity program with enhanced security requirements. Organizations at Level 4 should be able to deal with “the changing tactics, techniques and procedures (TTPs) used by advanced persistent threat (APTs)” – or hacking groups.
  • Level 5 – requires an “Advanced” cybersecurity program with optimized and proactive cybersecurity practices. Organizations at Level 5 should be able to protect CUI from sophisticated attackers.

Cleared organizations seeking CMMC certification must first identify and review the level of certification they hope to attain and configure their security environment accordingly. Then, they must undergo an assessment by a C3PAO and pass their audit.

While this last step is currently not possible (for reasons that will shortly be explained), organizations can prepare for CMMC certification now by implementing NIST 800-171 and reviewing the additional requirements for their desired CMMC level.

Bumps in the Road

New security regulations usually go through a period of trial and error, and the CMMC is no exception. First, the CMMC was released under an “interim rule” which requires organizations to submit NIST 800-171 self-assessments until the CMMC framework is fully implemented – and that may take a long time.

Before organizations can be certified by a C3PAO, enough independent assessors must be trained and certified to manage thousands of government contractors. But this process is ongoing, and only 360 individuals are expected to be trained by the end of 2021.

Second, complete certification standards beyond level 3 are currently unknown, and so are other details about CMMC. During a period of public comment, organizations indicated a lack of clarity regarding CMMC’s scope (does it apply to subcontractors?) and requested further guidance regarding the certification process.

Answers to these questions are still forthcoming. Fortunately, there is still time for contractors to prepare.

What FSOs Need to Know

Since CMMC incorporates requirements from NIST 800-171, it directly impacts FSOs who will play a key role in implementation processes. At levels 1 and 2, the Physical Protection portion of CMMC overlaps closely with previous regulations, including authorization of personnel, visitor check-in, protection of physical access devices (keys, locks, card readers), and more.

At level 3, CMMC introduces one additional requirement: cleared organizations must implement security controls to protect CUI at “alternate work sites,” such as private homes, hotels, and temporary office space. This particular requirement is timely: in the COVID and post-COVID era, remote employment has increased the potential attack surface of cleared organizations. The perimeter that FSOs need to protect has widened.

Lastly, until the third-party assessment process has been fully implemented, organizations that handle CUI must submit a NIST 800-171 self-assessment (the procedure is outlined in NIST Handbook 162). FSOs will generally be involved in this process since they understand the security requirements surrounding CUI storage, sharing, and protection.

The Only Tool You Need

Today, FSOs are on the front line of America’s fight for national security. In the growing tide of insider threats, malware attacks, and cybersecurity incidents, FSOs protect our nation’s most sensitive facilities from foreign actors, organized espionage and more. To do that, they must stay on top of emerging legislation including NISPOM and CMMC.

Fast track your CMMC compliance efforts with MathCraft’s Enterprise Security Suite, the industry’s most fully-featured software solution for security compliance in cleared organizations. With modules for visitor check-in, physical access, and more, it is always updated for compliance with the latest federal security legislation.


MathCraft’s software solutions are designed to give FSOs, CSOs and other security professionals everything they need to run a successful security program, comply with federal regulations like the CMMC, and effectively manage contract requirements. To learn more, request your free demo today!