Last Updated on July 4, 2024
The US Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) program as a framework to assess and verify the cybersecurity practices of the contractors and subcontractors in its supply chain, the defense industrial base (DIB). Organizations that want to hold or subcontract on DoD contracts will need to demonstrate compliance with the CMMC requirements, and for many contracts that demonstration must take the form of a CMMC certification.
In this context, the concepts of CMMC certification versus CMMC compliance are closely related but mean different things, which can be confusing. This article explains both terms, how they relate, and whether your company needs to align with one or both.
What do the terms certification vs compliance mean in cybersecurity?
Within cybersecurity and in other fields (e.g., quality management), a certification is the process of awarding an entity with a certificate or other official document that designates or verifies their compliance with the specific requirements of a standard or framework.
Certifications often involve rigorous scrutiny by an accredited third-party auditor, which increases stakeholder trust and hence the business value of the certification. For example, an organization that passes a third-party certification audit against the ISO/IEC 27001 information security management standard receives an ISO 27001 certificate.
Other cybersecurity-related standards that offer certifications include ISO/IEC 27701 for privacy information management, ISO 22301 for business continuity management, and the HITRUST CSF for safeguarding healthcare records and other sensitive data.
With some other cybersecurity frameworks, notably FedRAMP, a successful assessment process leads not to a certification but to an authorization (i.e., the coveted Authority to Operate) for a cloud service provider to do business with US government agencies.
But many other cybersecurity standards and frameworks, such as NIST SP 800-53, NIST SP 800-171, and SOC 2, have no certification process and issue no certificate. Instead, a third-party audit or an internal self-assessment validates compliance, that is, adherence to the standard's requirements.
In the case of SOC 2, a licensed CPA firm examines the organization's controls against the AICPA Trust Services Criteria the organization has chosen to include in scope. The auditor's output is a SOC 2 report, not a certificate: a Type 1 report gives an opinion on the design of the controls at a point in time, and a Type 2 report also covers their operating effectiveness over a defined review period.
With NIST SP 800-171, the source of the CMMC Level 2 control requirements for protecting controlled unclassified information (CUI), most contractors attest to compliance through a Basic self-assessment, scored under the NIST SP 800-171 DoD Assessment Methodology and posted to the Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019 and 252.204-7020. The DoD itself performs the Medium and High assessments defined in that methodology, through the Defense Contract Management Agency's DIBCAC, but only for a small fraction of contractors. Self-attested compliance, even with a senior executive's affirmation, is not as trustworthy as a certification, audit report, or other independent attestation, which is why the DoD created CMMC in the first place.
What are the CMMC assessment requirements?
With CMMC 2.0, the DoD implemented tiered assessment requirements based on the sensitivity of the contract-related data a contractor handles:
- Contractors that handle only federal contract information (FCI), or CUI that the DoD does not consider critical to national security, can self-assess. Level 1 (FCI only) requires an annual self-assessment; a subset of Level 2 contracts allow a Level 2 self-assessment, repeated every three years. Either way, these organizations do not receive a CMMC certification; their self-assessment results are recorded in SPRS.
- Contractors that handle CUI deemed critical to national security must pass a CMMC Level 2 assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). These organizations receive a CMMC Level 2 certification, valid for three years.
- Contractors participating in the highest-priority defense programs must first hold a Level 2 C3PAO certification and then pass a CMMC Level 3 assessment led by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These organizations receive a CMMC Level 3 certification, also valid for three years.
Regardless of level and assessment type, a senior company official must affirm every year, in SPRS, that the organization continues to meet the CMMC requirements for its level. The affirmation is a formal statement that the controls are implemented and operating, not just "checking the boxes," and the DoD relies on it between assessments. Companies record both their self-assessment results and their annual affirmations in the DoD's SPRS database.
Once CMMC requirements appear in contracts, companies that require a CMMC Level 2 certification will need to engage a C3PAO to plan and perform the assessment and, if the organization passes, issue the certification. The C3PAO also produces an assessment report and uploads the results to the CMMC instance of the DoD's eMASS system, where the DoD can access them.
What is CMMC compliance vs certification and which is right for our business?
Achieving CMMC compliance is a precursor to CMMC certification. CMMC certification means a formal assessment by a C3PAO (or by DIBCAC for Level 3) and an official record of the result, as explained above; compliance means implementing and operating the CMMC controls, practices, and processes, whether or not a formal assessment has taken place.
Which is right for your business, CMMC compliance or CMMC certification? That depends on your business goals, stakeholder demands, and DoD contract language.
To reiterate, the level of attestation the DoD requires depends on the sensitivity of the information involved in the contract. For example:
- A subcontractor that receives CUI from a prime contractor may need a C3PAO-led assessment and Level 2 certification because the prime flows down the CMMC requirement from its own contract.
- A government staffing agency or other service provider that does not allow CUI to transit its systems might need only self-attested compliance with CMMC Level 1.
- A manufacturer working on advanced weapons systems and handling highly sensitive technical data might need a DoD-led CMMC assessment leading to CMMC Level 3 certification.
Can you participate in a DoD contract without being CMMC certified? Yes, but “it depends” on the nature of the contract. The goal of CMMC certification at the appropriate level will be a safer bet for many defense suppliers that consider DoD contract participation a critical part of their business model.
Should we self-attest to CMMC compliance even if it is not yet required?
Companies that wish to assert their alignment with CMMC controls and requirements ahead of the CMMC implementation timeline are free to do so—with or without third-party validation.
This approach is well suited to businesses that do not currently handle CUI or federal contract information (FCI) but want to demonstrate a best-practice cybersecurity posture. They can assert compliance on their own or engage a third-party to attest to compliance on their behalf.
Self-attestation to CMMC compliance can also be valuable to leading defense suppliers seeking a competitive edge by declaring their readiness to participate in DoD contracts with CMMC requirements now. This could include partnering with prime contractors that may mandate CMMC compliance well ahead of the CMMC rollout timeline.
The DoD makes self-assessment guides available and recommends that organizations planning to self-attest to CMMC compliance utilize this guidance. Many other third-party tools and templates are also available online and from service providers. These resources may help reduce the time, effort, and cost required to validate compliance.
Why is CMMC compliance vs certification important?
For companies that are not yet ready or required to undergo a CMMC Level 2 assessment with a C3PAO leading to certification, achieving and maintaining self-attested CMMC compliance can be a key preparatory stage on their CMMC certification timeline.
Self-attestation can reassure stakeholders of a company's commitment to protecting sensitive customer data, while making the path to CMMC certification predictable and smooth if and when that step is required. In addition, the work of attaining CMMC compliance forces a business to remediate vulnerabilities, improve how its controls operate, and strengthen its overall cybersecurity posture, reducing the risk of data breaches, data loss, and other cyber incidents.
Since the affirmation of CMMC compliance must be renewed annually for suppliers working on DoD contracts, maintaining continuous CMMC compliance between assessments becomes critical. This requires ongoing monitoring of control effectiveness and key security metrics as well as regular internal audits. These activities help ensure that your cybersecurity program keeps evolving and improving to counter changing risks and threats.
What’s next?
Aiming for CMMC certification versus compliance is an important strategic decision and investment that requires an understanding of the CMMC 2.0 program, requirements, and timeline. Achieving either choice also entails the ability to accurately assess your current cybersecurity controls and judge how well they fit with CMMC.
For over 20 years, CBIZ Pivot Point Security has specialized in helping our clients efficiently achieve and maintain compliance and certification with comprehensive cybersecurity frameworks like CMMC. Contact us to connect with a CMMC expert about your business goals.