What is the Cybersecurity Maturity Model Certification (CMMC)?

Key Takeaways:


CMMC stands for Cybersecurity Maturity Model Certification, and it's the Department of Defense (DoD) framework for measuring, assessing, and certifying an organization's ability to safeguard federal contract information (FCI) and controlled unclassified information (CUI). 

CMMC uses three maturity levels to make sure companies handling sensitive data implement security controls that match the data’s risk. The more sensitive the data you work with, the greater the required security hygiene.



Why CMMC exists

For years, DoD officials had been raising alarms about data breaches of defense contractors. Their complaints largely fell on deaf ears—implementation of security measures was spotty, documentation was often poor or non-existent, and workarounds for cybersecurity challenges were common.

Enter CMMC. First rolled out in 2020, the initial version of the program faced major challenges. The framework was ambiguous, the requirements weren’t clear, and self-assessment was the primary compliance method. This essentially meant contractors were grading their own work with little oversight. 

CMMC 2.0, finalized in 2024, and being phased into contracts through 2026, changes that approach completely. The certification program essentially states: "You want to do business with us? Cool. Now show us you're serious about security, and there are some specific ways we expect you to do that." This includes documented, implemented, third-party verified processes and security controls specific to each level of the CMMC model. No more pinky promises allowed.

CMMC applies to any company in the Defense Industrial Base (DIB) that processes FCI or CUI. This can include prime contractors, all tiers of subcontractors, and service providers that offer their services to DIB contractors. In other words, if your business relies on revenue from DIB contracts, you need to either get compliant or get out of the DIB.



What CMMC covers

At its core, the framework is meant to safeguard two types of data:

Federal contract information (FCI)

FCI is information that the government provides or generates under a contract action, but is not intended for public release. Examples include bid proposals, contract terms and conditions, and the like. All the categories of government data you wouldn’t post on LinkedIn.


Controlled Unclassified Information (CUI)

CUI is where things get a bit more serious. CUI includes technical data and other information that needs safeguarding or dissemination controls, or follows other restrictions on access or use. Examples include export-controlled information and sensitive-but-unclassified data that could cause serious damage to national security if made public.

CMMC maps its security controls to three maturity levels that align with the National Institute of Standards and Technology Special Publication 800-171, or NIST 800-171, the federal standard for protecting CUI. The CMMC program takes those 110 NIST 800-171 controls and structures them into tiers.




How the CMMC levels work

CMMC maturity involves three tiers. Each one adds a greater number of controls and increased rigor to align with the sensitivity of the information.


CMMC level 1: Foundational

Level 1 represents the foundational cyber hygiene practices that you should already be following if you're working with DoD contractors, even if you're not actively working on a defense contract. This includes:

The 17 practices in Level 1 are all about safeguarding FCI. The good news is that at this level, you can self-attest compliance annually. The bar is low here, but it’s still a bar.


CMMC level 2: Advanced

Level 2 is where most defense contractors will land. It’s Level 1 plus 93 more boxes to check from NIST 800-171. These controls are all about securing CUI and include:

  • Enhanced access controls and identity management

  • Security monitoring and incident response

  • Improved physical security

  • Documented security plans and processes

At Level 2, a third party will actually check your homework, assessing you every three years through a CMMC Third-Party Assessor Organization, or C3PAO. This assessment is a deep dive to confirm that a contractor effectively implements and documents all 110 security controls derived from NIST SP 800-171. These controls are mandatory for protecting CUI. 

The C3PAO’s role is to verify your policies, procedures, and technical evidence, confirming that your organization has achieved the required maturity level and that CUI is secured against unauthorized access or loss. In practice this often means using cloud solutions that meet a FedRAMP Moderate (or equivalent) baseline, and it mandates FIPS 140-2 validated encryption for CUI at rest and in transit. 


CMMC level 3: Expert

Level 3 is the top tier of CMMC and is intended for contractors that work with the most sensitive and highest impact CUI. In addition to all of the Level 2 practices, Level 3 includes additional enhanced practices (110+ total practices) that require "expert implementation." This includes:

  • Advanced threat detection and response, including proactive threat hunting

  • Defense against Advanced Persistent Threats (APTs): adversaries with sophisticated cyber expertise

  • Standardized processes and capabilities like monitoring, scanning, and data forensics



Getting started with CMMC compliance

To get CMMC certified, organizations have to commit to processes that demonstrate security documentation, actual implementation, and proof that they're doing what they say they're doing. 


Conduct a gap analysis

A gap analysis shows you where your company stands in relation to the required CMMC controls. This review compares your current processes, controls, and documentation to requirements, determining where you fall short.


Implement required security controls

After the gap analysis, it's time to roll up your sleeves and do some work to address the problem areas. This means writing policies and implementing and documenting technical controls, administrative procedures, and physical security measures. Depending on where you start, this may include:

  • Security tools that are either FedRAMP authorized or that can prove they are out of scope for gathering CUI 

  • See Huntress Sensitive Data Mode, which applies to the entire Huntress Platform 

  • Network segmentation to isolate sensitive data

  • Formal incident response plans


Maintain continuous evidence

CMMC doesn't stop after the assessment. You need ongoing evidence that security controls remain effective through log reviews, security monitoring, vulnerability scanning, policy reviews, and training records.



The difference between NIST and CMMC

The NIST 800-171 standard is a set of security controls, requirements, and procedures you need to follow to protect CUI. CMMC is a certification program that assesses the maturity of your organization's cybersecurity practices based on the type of work you do with the DoD. It uses the security controls in NIST 800-171 at Level 2 and incorporates a formal assessment to verify that you're following the standards.

Or put another way: NIST defines the rules. CMMC makes sure you're actually following them and gives you a grade on your efforts.



Is CMMC certification mandatory?

Sort of, though in government speak, that basically means ignore it at your peril. The DoD will phase CMMC into contracts by 2026. Once that happens, contractors will need to achieve the appropriate CMMC level for each contract. In other words, no certification, no contract. No contract, no defense work. No defense work, well… you know where this is going. 



Huntress can help you achieve CMMC compliance

CMMC compliance can be a confusing and time-intensive process for all involved. The Huntress platform is a combination of tools and 24/7 monitoring. Unlike MDRs or third-party SaaS companies, Huntress owns its own tech stack, which allowed it to create Sensitive Data Mode. When enabled, no Huntress SOC analyst can pull or view any file that potentially contains FCI or CUI. Using the Huntress platform helps you achieve 37/110 controls out of the box, including security expert management. And unlike many other security tools, there’s no upcharge for Sensitive Data Mode and no FedRAMP environment necessary, allowing you to meet many CMMC requirements without hiring a full cybersecurity team or paying the exorbitant costs of a third-party MDR on top of a FedRAMP EDR, ITDR, or SIEM instance. For more guidance, see our CMMC Compliance page.

From Managed Endpoint Detection and Response (EDR) to identity threat detection, Security Information and Event Management (SIEM), Security Awareness Training (SAT), and 24/7 SOC monitoring, the Huntress platform gets you further, faster, and more affordably. Our solutions build the evidence trail and maintain the ongoing monitoring needed to make the assessment process seamless and less stressful.

Get a demo to see how Huntress can help you achieve and maintain CMMC compliance.



