Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is CMMC Compliance? Introduction and Checklist

What is CMMC Compliance?

On the 1st of October, 2025, the Cybersecurity Maturity Model Certification (CMMC) will come into effect. CMMC is a cybersecurity framework that is being developed by The United States Department of Defense (DoD).

The purpose of CMMC is to standardize cybersecurity practices across the federal government’s defense industrial base (DIB), and to ensure that organizations who handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) are able to adequately safeguard the data.

This includes any contractors or subcontractors that work directly with the DoD. A “Maturity Model” is a way of measuring the maturity of an organization’s security posture with respect to the best practices outlined by CMMC. CMMC builds upon existing cybersecurity standards such as NIST, FAR, and DFARS.

Why Does CMMC Matter?

China has long been accused of stealing US defense technology, or at least stealing the ideas behind it to build their own “copycat” versions of that technology.

One notable example relates to the Chinese J-31 fighter jet, which was allegedly a copy of America’s F-35 fighter jet. Many believe that the J-31 was based on unclassified data stolen from U.S. defense contractors.

From America’s standpoint, it is crucially important that they maintain their military superiority, which, in the context of cybersecurity, means doing everything they can to prevent their defense secrets from falling into the wrong hands.

Were they not doing this before?

Well, sort of. They were using the NIST framework for managing their security controls. However, the DoD discovered that the lack of certification meant that companies were performing self-assessments, which didn’t provide any guarantees that the security controls they had in place met the required standards. Not only that, but self-assessments are not applied consistently across organizations.

What Data is Covered by CMMC?

CMMC covers two types of data: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

In simple terms, CUI is any information that doesn’t meet the standards for National Security Classification but is in the national interests of the United States Government and should thus be safeguarded from unauthorized access and dissemination.

CUI is typically used by non-federal service providers to perform a wide range of business functions that would not typically be suited for government agencies but are nonetheless beneficial to the Government.

FCI, on the other hand, is information that is provided by or generated for the Government under a contract and should not be disclosed to the public.

What are the 5 Maturity Levels of CMMC?

CMMC relies on maturity levels to assess the progress of an organization’s security posture. Rather than expecting organizations to implement all of CMMC’s controls at once, they are allowed to implement them gradually. The 5 levels of maturity are as follows:

Maturity Level 1: Basic Cyber Hygiene

Level 1 focuses on safeguarding Federal Contract Information (FCI), which includes limiting access and dissemination to authorized users only and ensuring that FCI is properly sanitized and destroyed when no longer required. There are a total of 17 practices that organizations must meet to achieve Level 1 maturity.

Maturity Level 2: Intermediate Cyber Hygiene

Level 2 focuses on preparing to protect Controlled Unclassified Information (CUI). To achieve Level 2 maturity, organizations will need to meet an additional 55 practices, which must be performed and documented.

Maturity Level 3: Good Cyber Hygiene

Level 3 is about establishing cybersecurity safeguards for CUI and introduces an additional 58 practices. Vendors are required to document the practices from the previous levels, as well as demonstrate that they have a plan in place to keep CUI secure.

Maturity Level 4: Proactive

Level 4 is about protecting CUI and preparing for Advanced Persistent Threats (APTs). Contractors will be required to review and measure all their practices and establish procedures for identifying and responding to advanced persistent threats. Organizations will need to review and measure their policies and procedures and share their findings with upper-level management. Level 4 introduces a total of 24 additional practices.

Maturity Level 5: Advanced / Progressive

All practices from previous levels will need to be performed, documented, managed, reviewed, and optimized. Level 5 introduces an additional 15 practices, bringing the total number of practices up to 173.

CMMC Compliance Checklist

While a comprehensive breakdown of the CMMC compliance requirements is beyond the scope of this article, below is a simple checklist that will help you prepare for the certification process.

  • Conduct a readiness assessment and gap analysis: It’s a good idea to base your analysis on NIST 800-171, as this will help to prepare you for Level 3.
  • Implement a real-time threat detection solution: You must be able to detect, respond to, and report on potential security incidents as and when they occur.
  • Develop a System Security Plan (SSP): An SSP documents the security controls that relate to CUI, and is a requirement for CMMC compliance.
  • Stay up to date: Make sure that you keep a close eye on the latest CMMC compliance news, including any potential changes to the timeline.
  • Communicate with your subcontractors: Ensure that your subcontractors and suppliers are able to comply with CMMC. If they are not, be willing to offer them some assistance in order to minimize any potential disruption further down the line.
  • Evaluate the in-house resources that are available to you: Make sure that your cybersecurity personnel have the expertise required to comply with CMMC. If they don’t, perhaps reach out to a third-party service provider for assistance.

How to Get CMMC Certified

Unlike with the NIST framework, companies are not allowed to self-certify under CMMC. Instead, they must be certified by a third-party assessment organization (C3PAO) or an accredited individual assessor to achieve compliance. C3PAOs will provide advisory services, schedule the assessments, and present the results to the CMMC Accreditation Body (AB), which will issue the certificate if the assessment is successful. Organizations can get certified for whatever level they choose. Once certified, the fact of the certification will be made public, although the specific findings, including certification failures, will be kept private.

How Can Lepide Help with CMMC Certification?

As with any data security strategy, visibility is key. It is imperative that you know exactly what data you have, where it is located, and how it is being treated. A good starting point would be to discover and classify all of the sensitive data you have. Lepide Data Security Platform provides a built-in data classification tool, which can be customized to meet the requirements of a wide range of data protection regulations, including CMMC.

Using Lepide you can carry out automated risk assessments, identify anomalies in user behavior and even automate a response to shut down the threats as they happen. You will have access to a wide range of pre-defined compliance reports, including reports that are specifically designed to satisfy the compliance requirements of CMMC. Lepide Data Security Platform also provides visibility over a wide range of cloud-based platforms, including Amazon S3, DropBox, OneDrive, and more.

If you’d like to see the Lepide CMMC compliance solution, schedule a demo with one of our engineers.