CMMC 2.0 compliance is by no means simple, but it's essential for organizations in the defense industrial base that are entrusted with controlled unclassified information (CUI) as part of their work with the U.S. federal government.
Discussions and debates about CMMC (Cybersecurity Maturity Model Certification) have echoed through the defense community for several years now, as the CMMC standard itself has evolved, and the implementation timeline has slowly crept forward. But, now, CMMC 2.0 enforcement is imminent.
The DoD expects to begin including CMMC compliance in certain defense contracts in early 2025, when the Title 48 (DFARS) Rule is published.
The DoD issued the CMMC Final Rule (32 CFR Part 170) in October 2024. Title 32 is now final, establishing the CMMC program and its ecosystem. It defines cybersecurity standards, levels, and assessment requirements.
The last piece of the CMMC puzzle is Title 48 (also known as the DFARS Rule), which allows CMMC to be enforced in DoD contracts. This is expected to take effect in early 2025 and adds the DFARS 252.204-7021 clause to DoD contracts. With this rule, contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.
Defense organizations need to start addressing CMMC 2.0 controls now in order to demonstrate cybersecurity compliance and secure future government contracts.
Want to fast-forward to how Virtru can help you meet 27 of the 110+ security controls? Click here to skip straight to the good part. If you want more CMMC context and DoD resources, read on.
CMMC stands for the Cybersecurity Maturity Model Certification program. CMMC is defined as a set of data protection standards established by the U.S. Department of Defense to ensure the protection of controlled unclassified information (CUI) by defense contractors.
Put simply, CMMC is a set of rigorous security standards that defense contractors must meet in order to do business with the federal government moving forward. At the time of writing, it is in the rulemaking phase and not yet being enforced, but that time is quickly approaching.
The DoD has established CMMC as a robust set of cybersecurity requirements: if a private organization does business with the federal government and handles CUI as part of that work, it must demonstrate that it can be trusted with that data. CMMC compliance demonstrates tight security protocols for protecting sensitive information across its life cycle.
The 3 levels of CMMC are progressive, with Level 1 being the most basic and Level 3 the most heavily regulated. According to the DoD CIO CMMC Assessment Guide, Level 1 and a subset of Level 2 generally apply to contractors who do not handle information deemed critical to national security; these contractors can therefore perform annual self-assessments against a clear set of cybersecurity standards, attesting to the DoD that the requirements have been satisfied.
Organizations that will be handling information deemed critical to national security will need to undergo third-party assessments. This includes many Level 2 contractors.
Level 3 represents the highest-priority, most critical defense programs that require government-led assessments to ensure proper handling of highly sensitive defense information for national security.
CMMC Level 1 is the most basic and foundational level of CMMC compliance. For those tracking the evolution of the CMMC standard, CMMC 2.0 Level 1 is consistent with the guidelines originally set out in CMMC 1.0 Level 1, and is designed to be simpler for small organizations to meet, particularly if those organizations are not going to be managing information critical to national security. Level 1 does still require an annual self-assessment and an affirmation by the organization's executive leaders that attests the requirements are being met.
Recommended Reading: DoD CMMC Level 1 Self-Assessment Guide.
Level 2 is designed to protect information critical to national security, so it understandably represents a leap forward in terms of both effort and security requirements, encompassing 110 controls, aligned with NIST SP 800-171. It requires a third-party assessment every three years and an annual affirmation. Select programs require a self-assessment every three years and annual affirmation.
Recommended Reading: DoD CMMC Level 2 Self-Assessment Guide.
CMMC Level 3 represents the highest and most robust set of cybersecurity requirements, aligning with NIST SP 800-171 and 800-172. It also requires government-led assessments every three years as well as an annual affirmation.
Recommended Reading: The CMMC Level 3 Self-Assessment Guide is still under development at the time of writing, but you can access all available documentation on the DoD CMMC Documentation website.
On a journey so long and complex as CMMC compliance, you need partners who can help you advance your program's maturity, as quickly and easily as possible.
Just ask our CMMC customers like Rise8, Exxelia, a global engineering firm, a global energy innovator, and a manufacturing company who use Virtru to support compliance with CMMC, DFARS, and ITAR in both Google Workspace and Microsoft Outlook using client-side encryption and granular access controls. With the Virtru Private Keystore, they can also maintain complete control of their own encryption keys for maximum data ownership that shields data from cloud providers.
Virtru addresses nearly a quarter of the 110+ total CMMC controls. Our CMMC 2.0 Data Security Checklist provides a detailed breakdown of the 27 controls where Virtru can support your CMMC compliance efforts.
It's also important to note that the Virtru Data Security Platform is FIPS 140-2 Certified and FedRAMP Authorized at the Moderate level — so our data-centric security solutions allow you to confidently protect and share sensitive information in a manner that aligns with CMMC.
Organizations that use Virtru are met with a seamless user experience that doesn't hold them back from collaborating and innovating. One of our customers, the Air Force Research Laboratory, uses Virtru for this exact reason. Here's what Dr. Dan Berrigan said about using Virtru for highly secure communications via Google Workspace:
“We’ve ensured our tech stack facilitates the seamless exchange of ideas, accelerating our maturation cycles and the pace of innovation that AFRL must operate at,” says Berrigan. “When it comes to communicating with third-party partners, we believe frictionless collaboration holds the same level of importance as privacy, security, and compliance with governance controls... AFRL invests in its collaboration tool stack by using the Google Workspace suite to foster that simple, easy-to-use collaboration, along with Virtru’s client-side and server-side data protection to provide additional layers of security for sensitive information.”
Ready to learn more about Virtru's CMMC-supporting data security solutions? Contact our team to start the conversation. If you want to dive deeper, read on.
Because data-centric security and access control are both central to a strong CMMC compliance strategy, Virtru has been engaged with our customers and industry cyber leaders for years on this topic. Here are some of the resources we have created to help DoD contractors navigate this evolving landscape.
This webinar, featuring Zach Walker of ATX Defense, breaks down some of the complexities of CMMC compliance for fellow defense contractors, particularly when it comes to collaborating in Google Workspace or Microsoft 365.
While many organizations assume they must remain on Microsoft to meet CMMC compliance, Google’s cloud can provide a more cost-effective and secure foundation – bolstered by third-party tools like Virtru – for maintaining the confidentiality and integrity of CUI and other sensitive data.
This CMMC Checklist charts the 27 out of 110+ areas of CMMC that Virtru can support for your organization, across multiple practice areas.
In this Virtru Voice of the Customer CMMC webinar, experts from Coalfire Federal, Summit Federal Services, and Chertoff Group share their insights on what goes into a CMMC maturation journey. Their experience on the front lines is invaluable for anyone seeking to bolster cybersecurity for national defense.
You can also check out our recap: Defense Experts Help Chart the Path for CMMC 2.0.
This one-page CMMC collaboration overview breaks down how Virtru can help support CMMC 2.0 compliance with easy-to-deploy, easy-to-use client-side encryption for your everyday business workflows.
In this CMMC podcast episode, Virtru's CMO, Matt Howard, and VP of Sales, Andrew Lynch, discuss what they're hearing from Virtru customers pursuing CMMC 2.0 compliance.
CMMC 2.0 will likely begin to roll out in defense contracts starting in early 2025. CMMC compliance will be required for federal contractors in phases for the next several years as contracts are continually established and renewed. The CMMC 2.0 Final Rule is now published, and for the latest CMMC program updates, you can see the DOD CIO website for CMMC.
When is CMMC compliance required?
CMMC compliance will soon be required for defense organizations working on DoD contracts that involve sensitive CUI (controlled unclassified information). CMMC ensures that highly sensitive information is properly handled and protected.
The required CMMC level will vary depending on the scope of the project: When CMMC is formally rolled out, the required level will be noted in the RFI (Request for Information) on each contract.
CMMC and NIST SP 800-171 are two separate sets of data protection standards that are aligned, but not identical. CMMC was established by the DoD, and NIST standards are designed for organizations
No, but they are similar. Like CMMC, DFARS 7012 is rooted in NIST 800-171 standards, and it is designed to protect CUI. CMMC goes further, encompassing all of the DFARS rules and building upon them for DoD contractors.
What are the 110 CMMC Requirements?
The requirements of CMMC Level 2 can be found in the DoD CMMC Level 2 Assessment Guide. These 110 CMMC controls cover multiple areas, including:
The costs of CMMC depend on the level you aim to achieve, and can vary depending on the vendors and partners you select. The DoD will publish CMMC cost estimates alongside the final rule when it is established, but it does estimate that CMMC Level 1 (and a subset of Level 2) will be more affordable, as they do not require a third-party assessment. Costs, understandably, increase with the CMMC levels as more protections need to be put in place.
With that said, you can spend a lot on CMMC — especially with expensive software like Microsoft GCC High. But, there are ways to put more affordable protections in place without breaking the bank. As we referenced above, the Virtru Data Security Platform can help you address nearly 1/4 of the 110 CMMC Level 2 requirements, giving you a head start on your CMMC readiness posture.
CMMC no longer has 5 levels: With CMMC 2.0, the DoD has streamlined the 5 levels down to 3 (as levels 2 and 4 in the CMMC 1.0 framework essentially served as transitional levels).
CMMC 1.0 was the first version of CMMC. Upon receiving public comments around the framework's complexity, the DoD introduced CMMC 2.0 as a streamlined version of the standard that reduces that complexity and brings greater clarity to the requirements for each level.
Recommended Reading: CMMC 2.0: What Changed, and What Are Your Action Items?
If you're ready to start checking CMMC controls off your list, get in touch with Virtru: We provide powerful, data-centric security and fine-grained access controls that safeguard sensitive data at every point of its lifecycle. You also have options to manage and host your own encryption keys, on-prem or in a private cloud, or in the location of your choosing.
We'd love to discuss your CMMC strategy and goals with you: Contact our team today to get the ball rolling, and get closer to meeting your CMMC objectives.
Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.