
What DIB companies need to know now to prepare for Cybersecurity Maturity Model Certification

So, maybe you’ve heard of the new CMMC compliance requirements for Department of Defense (DoD) contractors and thought, “I’ll check it out later. I’m only a subcontractor, so CMMC doesn’t apply to my organization.”

Here’s what you need to know about CMMC


The CMMC requirements do apply to your organization. If you are a subcontractor for any part or service in the DoD supply chain, you will be required to obtain some level of CMMC certification.

Additionally, there is no more ‘checking the boxes’: self-attestation no longer confirms your adherence to the standard or your ability to safeguard protected information. An accredited third party has to verify it.

If you are not yet fully compliant with the CMMC requirements, you risk losing revenue on future DoD work.

In this brief overview of CMMC compliance for DoD subcontractors, you’ll come to understand the changes and what they will mean for your operations.

Let’s dive in!

What Is CMMC Compliance for DoD Subcontractors?

The CMMC (Cybersecurity Maturity Model Certification) is a compliance certification designed by the Department of Defense (DoD). Version 1.0 was released in January 2020 to reduce the theft of sensitive defense information from the supply chain, which imposes large costs on the US economy every year.

The framework serves as a guide to help businesses working with the government implement a unified set of cybersecurity standards.

The DoD thereby aims to protect the following information.

Federal Contract Information (FCI): Information provided by the government, or generated for the government under a contract to develop or deliver a product or service, that is not intended for public release.

Controlled Unclassified Information (CUI): Unclassified information that requires safeguarding or dissemination controls consistent with government-wide policies, laws, and regulations.

The DFARS interim rule that put CMMC into DoD contracts took effect on 30 November 2020, and the requirement is being phased in: between then and 2026, all new contracts will require certification for every company in the DIB supply chain.

The CMMC incorporates requirements from various pre-existing frameworks, including NIST, ISO, and AIA publications. A non-profit board of academic and industry partners, the CMMC Accreditation Body (CMMC-AB), maintains and updates the standard.

Do Subcontractors Need to Comply With the CMMC?

In short, yes. No one who wants to do business with the Department of Defense is exempt from CMMC certification.

Every tier of the supply chain requires some level of certification. The exact level depends on the type of organization and the information it holds.

So far, the new standard is not entirely in force. But once it is, a lack of certification will make it impossible to win DoD contracts, and you will need to be certified before you bid, not after award.

The 5 Certification Levels of CMMC

The CMMC framework is broken up into 17 large topic areas called domains, which include practices and processes with varying maturity levels:

  • Access control
  • Asset management
  • Awareness and training
  • Audit and accountability
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Recovery
  • Risk management
  • Security assessment
  • Situational awareness
  • System and communications protection
  • System and information integrity

The framework is measured in five levels that reflect the maturity of a company’s cybersecurity practices and processes.

Level 1 (Basic): Performed

This certification level represents basic cyber hygiene, which most organizations have already implemented in some form.

It requires basic safeguarding controls (the 17 practices drawn from FAR 52.204-21) and applies to contractors that hold or process FCI. Level 1 is intended for protecting FCI only.

Level 2 (Intermediate): Documented

The second level represents a transition stage toward protecting more sensitive content, including Controlled Unclassified Information (CUI).

Level 2 is mainly based on a subset of the requirements outlined in NIST SP 800-171. With this certification level, you can hold or process FCI and some CUI.

Level 3 (Good): Managed

This level represents good cyber hygiene. It will be most applicable to established organizations, and it requires all 110 NIST SP 800-171 controls plus 20 further practices drawn from several other sources, for a total of 130.

If you need to hold or process CUI for your contracts, this will likely be the certification level you require.

Level 4 (Proactive): Reviewed

At this certification level, contractors take a proactive approach to measuring, identifying, and blocking threats, including Advanced Persistent Threats (APTs).

Level 5 (Progressive): Optimized

Only contractors with fully mature, optimized cybersecurity functions across all 43 capabilities of the model will be certified at this level.

Which Certification Level Will You Require?

Since late 2020, new DoD contracts have begun to require certification by an accredited assessor or CMMC Third-Party Assessment Organization (C3PAO). Established contractors have a little more time, because the framework is being phased in rather than enforced across all contracts at once.

However, if you want to bid on new contracts, you will have to certify at Level 1 at least. Depending on what information you handle, you may require a higher level.

The Certification Process for CMMC

No self-assessment option is available when it comes to certifying for CMMC levels. Certifications can only be issued by certified assessors or third-party assessor organizations (C3PAOs) that appear on the CMMC-AB’s public list of approved assessors.

The cost will depend on the maturity level required and the complexity of your network, as well as other market forces. Organizations that successfully win a DoD contract will be able to recover part of the certification cost as an allowable expense.

The exact examination process has not yet been published. Still, the whole certification process, from gap analysis through remediation to assessment, will likely take six to seven months.

Take Steps Towards Compliance to Protect Your Business

Having read this article, we hope you have a better idea of CMMC compliance for DoD subcontractors.

While you may already implement basic cyber hygiene, the new CMMC framework is about to change how you win and keep DoD contracts.

Seeking compliance should be a priority for subcontractors that hope to apply for more work involving sensitive government information.

The process may take some time, and there are still many uncertainties along the way. That is why it is essential to get started on compliance as soon as possible.

Consulting a CMMC compliance expert can help you get certified to the right level without wasting precious time or resources. GlacisTech provides CMMC remediation and managed security services for smaller DoD subcontractors to help manage your CMMC compliance journey effectively and affordably.

Get in touch today to discuss a gap analysis of your current cybersecurity practices and learn more about the services we offer.


Learn more about CMMC:

What is CMMC

CMMC Compliance Remediation

CMMC Glossary


About GlacisTech

GlacisTech is a managed service provider (MSP) and managed security solution provider (MSSP) for small to medium-size businesses in the Dallas and North Texas region. GlacisTech helps businesses grow by providing innovative, state-of-the-art IT solutions that allow its customers to reduce network downtime, increase operational efficiencies, and cost-effectively scale their IT to meet the demands of their growing businesses.

GlacisTech’s suite of Worry-Free IT services includes managed IT, cybersecurity, virtual CIO, managed compliance & remediation, and cloud services.

Glacis Technologies, Inc

1130 East Arapaho, Suite 184
Richardson, TX 75081
24/7 Customer Support 469-522-2022
