Defense contractors and small businesses that support them are being increasingly targeted by ransomware, phishing, and other forms of cyberattacks as bad actors and even nation-states seek to steal sensitive information.
The Cybersecurity Maturity Model Certification (CMMC), now in version 2.0, is how the government is taking steps to ensure its contractors protect sensitive information from these cyber threats. Compliance with this framework isn’t optional. It’s now a key requirement for winning and holding DoD contracts.
For small businesses that often lack dedicated IT teams, it’s easy to underestimate the complexity of compliance.
ITque, a managed cybersecurity and IT solutions provider for small and midsized businesses, can help you get ready for certification with our CMMC 2.0 compliance checklist.
What is CMMC Compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a set of requirements that the United States Department of Defense (DoD) has created to establish baselines in cybersecurity for defense contractors and businesses that support them.
CMMC compliance is focused on ensuring that organizations operating within the Defense Industrial Base (DIB) have systems in place that protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What exactly are FCI and CUI? These are two forms of sensitive government-related, non-public information that may be created, received, transmitted, or stored by government contractors and subcontractors.
FCI is data that is generated for the government as part of a contract. Things like pricing data, delivery addresses, and project names are common examples of FCI.
CUI is a bit broader. Data that is unclassified, yet still considered sensitive and necessary to safeguard, is considered CUI. Examples range from weapons systems schematics to source code and military building plans.
The framework also places an emphasis on protecting defense supply chain systems and data, as well as national security-related intellectual property.
Each of these types of information may seem somewhat mundane, but they can become valuable targets for cyberattackers. That’s why the DoD is pushing to make CMMC compliance mandatory for doing business with them.
CMMC Certification Levels
The CMMC is currently using version 2.0, which is a streamlined version of the original model. Under CMMC 2.0, there are three levels of certification: foundational, advanced, and expert.
Level 1: Foundational
This is the most basic level of cybersecurity required of every business or entity that works with the DoD, or that supports a company which does. It includes a set of 15 “cyber hygiene” security practices that are largely focused on protecting FCI. Achieving and maintaining Level 1 compliance requires an annual self-assessment.
Level 2: Advanced
For organizations that handle more sensitive information, there’s Level 2. This level is focused on protecting CUI, and closely follows the 110 security controls of the existing NIST SP 800-171 security standard. Some contractors may be able to achieve Level 2 compliance with an annual self-assessment, while others may require a third-party assessment every three years. Most defense contractors will require this level of CMMC compliance.
Level 3: Expert
Contractors involved with highly sensitive DoD programs will likely require Level 3 CMMC compliance. This level requires compliance with the previous two levels, as well as additional security controls based on NIST SP 800-172. Level 3 requires a government-led assessment and cannot be self-assessed.
Why CMMC Certification Matters
The DoD has already begun phasing in CMMC requirements. Contractors are increasingly required to have CMMC Level 1 and 2 compliance to retain their contracts or bid on new ones. The implementation of CMMC is only going to expand in the coming years.
That means CMMC compliance is no longer a “nice to have” security convenience. It’s becoming a strict requirement for contracts.
But it’s not just about business. The real value of CMMC certification is threat reduction.
Small businesses and subcontractors are often targeted by attackers because insufficient security protocols offer an easier entry point into larger defense supply chains. Ransomware, phishing, and intellectual property theft attacks all commonly target organizations tied to the government. Requiring CMMC compliance from all vendors and partners ensures a baseline of acceptable security practices, and reduces vulnerabilities.
CMMC certification also helps organizations build trust with their partners and other clients. Compliance shows that a company takes cybersecurity seriously, and expands opportunities for new contracts, not just with the government.
Organizations that fail to meet compliance standards face the potential for legal exposure, as well as the reputational damage that comes with suffering a data breach or cyberattack.
All of that makes CMMC compliance and certification a major priority for any organization within the DIB.
The Core CMMC 2.0 Compliance Checklist for Small Businesses
This CMMC 2.0 compliance checklist for small businesses will help your organization prepare for a CMMC certification self-assessment or a C3PAO (Certified Third-Party Assessor Organization) assessment.
Our CMMC checklist steps are broken down into six distinct phases:
Phase 1: Scope and Gap Assessment
Preparation begins by understanding scope. You need to determine what level of CMMC certification your contract requires, and whether it requires handling of FCI or CUI.
Internally, your organization needs to be aware of what systems are handling sensitive information. Document the users, devices, and applications (including cloud services) that are tied to these systems.
A gap assessment compares your current controls against the requirements of your target CMMC level. It identifies what is missing from your technologies, procedures, and policies, and lets you prioritize closing the highest-risk gaps first.
Phase 2: Build Documentation and Governance
Documentation is quietly one of the most difficult parts of certification. Developing a System Security Plan (SSP) helps by creating a blueprint for how you handle security. Documenting controls such as access control, password management, incident response, and data retention proves to assessors that those controls are actually in place.
A Plan of Action and Milestones (POA&M) is also helpful to document and correct security gaps. It provides transparency between an organization and the DoD that any known security gaps are actively being resolved.
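To make the gap-assessment and POA&M steps concrete, here is a small Python script. It is an example added to this article, not ITque's tooling and not an official CMMC artifact: the practice catalog, the risk weights, the status vocabulary ("implemented", "partial", "missing") and the 30-day remediation cadence are all constructed assumptions for the demo. It compares a self-reported control status against a required practice list and emits POA&M entries ordered by risk, which is the prioritization the gap assessment is meant to produce.

```python
"""Gap assessment -> POA&M skeleton (added example, not ITque's tooling).

Assumptions (not from the article): the practice catalog below is a small,
constructed sample loosely modelled on NIST SP 800-171 families; the risk
weights, status vocabulary and 30-day cadence are hypothetical choices.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample catalog: a few practices, each with a hypothetical
# risk weight (higher = more urgent to close). IDs are made up for the demo.
REQUIRED_PRACTICES = [
    {"id": "AC-01", "family": "Access Control", "desc": "Limit system access to authorized users", "weight": 5},
    {"id": "AC-02", "family": "Access Control", "desc": "Remove or disable inactive accounts", "weight": 4},
    {"id": "IA-01", "family": "Identification & Authentication", "desc": "MFA for privileged and remote access", "weight": 5},
    {"id": "AU-01", "family": "Audit & Accountability", "desc": "Centralize and retain security logs", "weight": 3},
    {"id": "SC-01", "family": "System & Comm. Protection", "desc": "Encrypt CUI at rest on mobile devices", "weight": 4},
    {"id": "AT-01", "family": "Awareness & Training", "desc": "Annual security awareness training", "weight": 2},
]

# Constructed self-reported status per practice; anything absent is "missing".
CURRENT_STATUS = {
    "AC-01": "implemented",
    "AC-02": "partial",
    "AU-01": "implemented",
    "AT-01": "partial",
}


@dataclass
class PoamEntry:
    practice_id: str
    family: str
    weakness: str
    status: str
    risk_score: int
    target_date: date


def risk_score(weight: int, status: str) -> int:
    """Simple scoring: a missing control counts double, a partial one once."""
    factor = {"missing": 2, "partial": 1}[status]
    return weight * factor


def assess_gaps(required, status_map, start=date(2025, 1, 1)) -> list[PoamEntry]:
    """Compare required practices to current status and return POA&M entries
    ordered by descending risk score, with staggered target dates."""
    entries = []
    for p in required:
        status = status_map.get(p["id"], "missing")
        if status == "implemented":
            continue  # no gap, nothing to track
        entries.append(PoamEntry(p["id"], p["family"], p["desc"], status,
                                 risk_score(p["weight"], status), start))
    # Highest risk first; practice id breaks ties so output is deterministic.
    entries.sort(key=lambda e: (-e.risk_score, e.practice_id))
    # Hypothetical cadence: one milestone every 30 days, in priority order.
    for i, e in enumerate(entries):
        e.target_date = start + timedelta(days=30 * (i + 1))
    return entries


def summarize(entries) -> dict:
    """Roll-up for the SSP narrative: open items, per-family counts, top risk."""
    by_family: dict[str, int] = {}
    for e in entries:
        by_family[e.family] = by_family.get(e.family, 0) + 1
    return {
        "open_items": len(entries),
        "by_family": by_family,
        "highest_risk": entries[0].practice_id if entries else None,
    }


if __name__ == "__main__":
    poam = assess_gaps(REQUIRED_PRACTICES, CURRENT_STATUS)
    for e in poam:
        print(f"{e.practice_id:6} {e.status:11} risk={e.risk_score:<2} "
              f"due={e.target_date} {e.weakness}")
    print(summarize(poam))
```

Run it as-is to see the four open items; in practice you would replace the constructed catalog with the practice list for your target level and the status map with the results of your own review, then keep the resulting entries as the living POA&M that the article describes.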
Phase 3: Implement & Strengthen Security Controls
Implementing technical controls is the most crucial part of your CMMC compliance checklist.
You need controls that limit who can access systems based on their roles. Inactive users must be removed. Multi-factor authentication (MFA) must be in place to protect email accounts, administrative access, remote workers, and cloud applications.
Organizations should deploy endpoint detection and response (EDR) tools. Full-disk encryption for laptops, tablets, smartphones and other company devices, as well as centralized patch management, are a must.
Wireless networks need WPA3 encryption, and firewalls should be properly configured. Sensitive systems should be segmented from general business networks.
Security logs from endpoints, servers, and cloud platforms should be centralized and retained to support audit readiness and incident detection.
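The account-related items in this phase (remove inactive users, require MFA for admin and remote access) are the kind of thing a small team can check on a schedule rather than once before an audit. The Python below is an example added to this article, not ITque's tooling: it reads a constructed account export (a stand-in for whatever your directory or identity provider actually exports; the column names are assumptions) and reports enabled accounts idle beyond a hypothetical 90-day threshold and accounts with privileged or remote access that have no MFA enrollment.

```python
"""Account hygiene review for the access-control items in Phase 3.

Added example, not ITque's tooling. Assumptions (not from the article): the
CSV layout below is a constructed stand-in for a directory / IdP export; the
90-day inactivity threshold and the "as of" date are hypothetical values.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: one row per account. Empty last_login means the
# account has never signed in (common for forgotten service accounts).
SAMPLE_EXPORT = """\
username,enabled,is_admin,remote_access,mfa_enrolled,last_login
alice,true,true,true,true,2025-06-28
bob,true,false,true,false,2025-06-30
carol,true,false,false,false,2025-02-10
dave,true,true,false,false,2025-06-25
erin,false,false,false,false,2024-11-01
svc-backup,true,true,false,false,
"""

AS_OF = datetime(2025, 7, 1)  # hypothetical review date


def _flag(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_export(text: str) -> list[dict]:
    """Turn the CSV export into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        rows.append({
            "username": row["username"],
            "enabled": _flag(row["enabled"]),
            "is_admin": _flag(row["is_admin"]),
            "remote_access": _flag(row["remote_access"]),
            "mfa_enrolled": _flag(row["mfa_enrolled"]),
            "last_login": datetime.strptime(last, "%Y-%m-%d") if last else None,
        })
    return rows


def find_inactive(accounts, as_of=AS_OF, max_idle_days=90) -> list[str]:
    """Enabled accounts that have not signed in within the threshold, or ever."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["username"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def find_mfa_gaps(accounts) -> list[str]:
    """Enabled accounts with admin or remote access but no MFA enrollment.
    Disabled accounts are skipped: they belong in the inactive cleanup, not here."""
    return sorted(
        a["username"] for a in accounts
        if a["enabled"] and not a["mfa_enrolled"]
        and (a["is_admin"] or a["remote_access"])
    )


def review(text: str, as_of=AS_OF, max_idle_days=90) -> dict:
    """Run both checks and return findings suitable for a POA&M or ticket."""
    accounts = parse_export(text)
    return {
        "inactive": find_inactive(accounts, as_of, max_idle_days),
        "mfa_gaps": find_mfa_gaps(accounts),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_EXPORT)
    print("Inactive (disable or remove):", ", ".join(findings["inactive"]))
    print("Privileged/remote without MFA:", ", ".join(findings["mfa_gaps"]))
```

On the sample data the service account shows up in both lists, which is the usual pattern: never-used privileged accounts are exactly what an assessor will ask about, so keep the output of a run like this as evidence that the review happens regularly.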
Phase 4: Build Operational Security Processes
Incident response plans should be well documented, with exercises performed so that team members know what to do when a threat is identified. Backup and recovery plans should be made and tested. Even third parties who work with your organization should have their security practices reviewed. In the eyes of the DoD, their failure is your failure.
Phase 5: Employee Training and Awareness
Human error is one of the leading causes of cybersecurity incidents. Employee training sessions shouldn’t be limited just to certification efforts. Regular training sessions help employees stay on top of their responsibilities in cybersecurity.
Employees should be trained on cybersecurity threats like phishing attacks and ransomware, as well as password security, safe browsing, and how to safely handle CUI.
Phase 6: Final Preparation for Assessment & Certification
Before conducting an official self-assessment or C3PAO assessment, take the time to perform an internal mock audit or readiness review. This will validate that your controls are working and that documentation is complete and organized. It will also help identify any remaining weaknesses or oversights.
Collect all your compliance evidence, including policies, training logs, documentation, audit reports, and risk assessments, and keep it ready for the actual assessment.
How ITque Helps Businesses Achieve CMMC Compliance
Some organizations are more prepared for CMMC certification than others. If you already are compliant with NIST 800-171, you likely have a leg up on the process.
However, CMMC certification is not a one-size-fits-all proposition. Control requirements vary from contract to contract, along with the type of information the contractor handles. That leads many SMBs to underestimate the scope of CMMC compliance.
We often see clients make the mistake of assuming that basic antivirus programs or Microsoft 365 defaults are compliant. They are not.
Vendor and subcontractor security risks are often overlooked. Allowing employees to access CUI on their personal devices is another common compliance violation. These are all crucial mistakes that cause companies to fail an audit or violate compliance requirements.
But with limited internal IT resources, it can be extremely difficult for small businesses to put in place the necessary systems to gain compliance.
ITque can help you get there.
Our managed IT services help organizations identify security gaps, strengthen technical controls, and support CMMC compliance efforts. We support organizations with documentation, continuous monitoring, security maintenance, and recurring training for your team members.
By choosing to work with ITque, you gain an experienced and reliable partner to help you throughout the certification process and ongoing management.
ITque: Managed Cybersecurity for Defense Contractors and Small Businesses
For defense contractors and small businesses that support their work with the Department of Defense, the time for CMMC certification is now. CMMC compliance is now a requirement of many defense contracts, and compliance requirements will only increase in the next few years.
Becoming compliant now ensures that you won’t miss out on future opportunities because your cybersecurity efforts failed to meet the evolving standards. ITque can help you prepare for certification, as well as manage your ongoing cybersecurity and IT systems so you can stay compliant.
Contact ITque today to speak with our team about our managed cybersecurity programs and let us help you prepare for CMMC certification.
