Understanding CMMC: Levels, Requirements, and Who Needs It — Plus the Top 20 Companies Likely to Need CMMC

The Cybersecurity Maturity Model Certification (CMMC) framework is a U.S. Department of Defense (DoD) initiative designed to secure sensitive defense information across the DoD supply chain. The certification exists to protect Controlled Unclassified Information (CUI) from unauthorized access and cyber threats. This article explains how CMMC is structured, what each level requires, and identifies 20 companies that will likely need the certification.

1. What Is CMMC?

CMMC unifies cybersecurity standards for the Defense Industrial Base (DIB), the contractors and suppliers that work for the DoD. It builds on existing requirements such as DFARS and NIST SP 800-171 and adds third-party assessment where self-attestation was previously accepted.

Key Objectives

  • Protect CUI: Ensure controlled unclassified information remains secure.
  • Standardize Requirements: Shift from self-attestation to a tiered, standardized approach.
  • Strengthen National Security: Minimize risks across various suppliers.

2. CMMC Levels: A Tiered Cybersecurity Approach

CMMC 2.0 defines three certification levels, each level building on the practices of the level below it.

Level 1: Foundational

Who It’s For: Companies handling Federal Contract Information (FCI), usually smaller firms providing non-critical services.

  • Practices: 17 basic cybersecurity practices drawn from FAR 52.204-21.
  • Assessment: Annual self-assessment.

Level 2: Advanced

Who It’s For: Contractors that handle CUI and must therefore comply with NIST SP 800-171.

  • Practices: 110 controls from NIST SP 800-171.
  • Assessment: Assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years.

Level 3: Expert

Who It’s For: Entities managing highly sensitive DoD data.

  • Practices: The Level 2 practices plus enhanced requirements drawn from NIST SP 800-172.
  • Assessment: Government-led assessment for high assurance.

Key Note: Certification at each level is scoped to the specific systems that handle DoD information, not to the entire enterprise.

3. What’s Required at Each Level?

Level 1: Basic Cyber Hygiene

  • Antivirus software deployment
  • Regular password updates
  • Access control based on unique user IDs
  • Secure configurations for IT hardware/software

Level 2: NIST SP 800-171 Compliance

  • Role-based access and multi-factor authentication
  • Documented incident response plans
  • Thorough configuration management
  • Media protection and data encryption

Level 3: Expert-Level Security

  • Real-time intrusion detection
  • Automated vulnerability scanning and patching
  • Advanced data governance
  • Customized measures for APTs

4. Who Will Need CMMC Certification?

  • Prime Contractors: Major defense manufacturers handling large volumes of CUI.
  • Subcontractors: Smaller entities touching sensitive data.
  • IT and Cloud Providers: Managed IT and cloud services firms for DoD projects.
  • Engineering and Design Services: Entities involved in CAD design or prototyping.

Essentially, entities handling DoD contracts or subcontracts with FCI or CUI must achieve the appropriate CMMC certification level.

5. The Top 20 Companies Likely to Need CMMC

The following 20 major defense firms and prime contractors have strong reasons to obtain or maintain CMMC certification:

  1. Lockheed Martin
  2. Boeing
  3. Northrop Grumman
  4. Raytheon Technologies
  5. General Dynamics
  6. BAE Systems
  7. L3Harris Technologies
  8. Textron
  9. Leidos
  10. United Technologies (Collins Aerospace, Pratt & Whitney)
  11. SAIC
  12. Booz Allen Hamilton
  13. CACI International
  14. Huntington Ingalls Industries
  15. Aerojet Rocketdyne
  16. Kratos Defense & Security Solutions
  17. Parsons
  18. General Atomics
  19. Oshkosh Defense
  20. Sierra Nevada Corporation

Note: Smaller subcontractors that supply components to these companies must also comply with CMMC.

6. How to Prepare for CMMC: Steps to Achieve Readiness

1. Assess Current Compliance Posture

  • Conduct a gap analysis against NIST SP 800-171 or the applicable CMMC level.
  • Identify the specific systems that handle CUI, since these define the assessment scope.

2. Develop a System Security Plan (SSP) and POA&M

  • Create a System Security Plan that documents how each required practice is implemented.
  • Establish a Plan of Action & Milestones (POA&M) for closing the identified gaps.

3. Implement Technical Controls

  • Use multi-factor authentication to secure accounts.
  • Use FIPS-validated cryptographic modules for data encryption.
  • Deploy monitoring tools for real-time threat detection.

4. Staff Training & Policies

  • Conduct regular phishing simulations and security training.
  • Run incident response drills.

5. Plan for the Official Assessment

  • Engage a C3PAO for Level 2 or higher assessments.
  • Maintain organized documentation for evaluation.

Conclusion

ITAR and CMMC together protect U.S. defense data: ITAR controls the export of defense technical data, while CMMC governs the cybersecurity of the systems that hold it. For entities seeking or maintaining DoD contracts, CMMC certification is essential. Whether a major contractor like Lockheed Martin or a small subcontractor, aligning with CMMC keeps a firm eligible for future defense work.

Action Steps to Consider:

  1. Identify if your firm handles FCI or CUI and determine the necessary CMMC tier.
  2. Conduct a detailed security gap analysis and methodically address discrepancies.
  3. Plan your assessment in coordination with a C3PAO if required.

Achieving compliance prepares a firm for valuable defense contracts, earns customer trust and strengthens the integrity of the national defense supply chain.