CMMC Compliance 2021

Who needs to comply?

By 2026, all contractors of the Department of Defense must comply with CMMC (Cybersecurity Maturity Model Certification) except commercial off-the-shelf software providers. This is mandatory for all subcontractors and every supplier the prime contractor works with across their entire supply chain.

Each contract will specify the CMMC level that each contractor must meet, so contractors on the same contract may have different CMMC requirements.

Differences Between CMMC & NIST 800-171

CMMC level 3 is based on NIST 800-171 compliance, which included the cybersecurity standards for Defense Industrial Base (DIB) contractors prior to CMMC.

Contractors must also meet all security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POA&M) for compliance. A POA&M describes the specific measures that a DIB contractor will take to correct the deficiencies discovered during the security assessment.

NOTE! The shift from self-assessments to independent third-party assessments for cybersecurity compliance is one of the most important differences between NIST 800-171 and CMMC.

CMMC Third Party Assessment Organizations (C3PAOs) will now conduct these assessments.

CMMC adds 20 more new security requirements to Level 3 in addition to the 110 requirements already detailed in NIST 800-171. CMMC requires subjects to meet both sets of requirements for good cybersecurity practices.

CMMC and NIST SP 800-171 regulations will coexist until the Department of Defense completes the CMMC roll-out. The number of DoD contractors subject to CMMC will increase over the next few years, while the number of defense contractors requiring NIST SP 800-171 compliance will only decrease.

The CMMC Levels

The CMMC level that the Department of Defense requires of its contractors depends mostly on the sensitivity of the data these contractors will have access to.

CMMC Level 1

Level 1 requires companies to perform specified practices that focus on the protection of Federal Contract Information (FCI). So, level 1 only includes practices that meet the basic requirements as stipulated in 48 CFR 52.204-21.

CMMC Level 2

Level 2 practices are also known as intermediate cyber hygiene practices. They consist of a subcategory of the requirements specified by NIST SP 800-171. Level 2 practices focus on protecting controlled unclassified information (CUI).

NOTE! Controlled unclassified information is government owned information that requires protection consistent with applicable laws and regulations.

CMMC Level 3

Level 3 requires the organization to establish and maintain a plan to manage the activities needed to implement cybersecurity good practices. This plan can include information on a variety of specific topics, including goals, missions, projects, training, etc.

The cybersecurity practices at this level are considered good cyber hygiene practices and focus on the protection of CUI. Also, they include all security requirements that NIST SP 800-171 specifies, as well as other 20 security practices added specifically for CMMC level 3 to mitigate threats.

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204 – 7012 adds few extra requirements, as for instance, how to report security incidents and strengthen the supply chain.

CMMC Level 4

Level 4 requires an organization to periodically review the effectiveness of its security practices. It also requires organizations to regularly inform upper management of the status of their information systems.

Level 4 practices are considered proactive and focus on the protection of CUI from advanced persistent threats (APTs). They also include a subset of other requirements from the draft of NIST SP 800-172 and other documents. These practices will only improve an organization’s ability to detect and respond to security threats.

CMMC Level 5

Level 5 certification implies that the contractor meets all level 1 – 4 requirements.

Level 5 requires 171 security controls and helps companies optimize their processes to ensure a standardized implementation across the entire organization. Practices at this level focus on CUI protection from advanced persistent threats. These advanced practices will increase the sophistication and depth of the organization’s cybersecurity capabilities.

CMMC 2.0

On November 4th, 2021, the Department of Defense announced “CMMC 2.0” to maintain the program’s goal of protecting sensitive data, while simplifying the CMMC standard and providing clarity on cybersecurity regulatory, policy, and contracting requirements. The standard will move forward with just 3 levels instead of 5 – foundational, advanced, and expert.

NOTE! CMMC 2.0 will allow all companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to prove compliance through self-assessments similar to NIST 800-171 requirements. Level 3 (Expert) organizations will be assessed every three years by Defense Industrial Base Cybersecurity Assessment Center (DIBAC) assessors.

CMMC 2.0

Under CMMC 2.0, the level 2 will be divided into Critical to National Security Information and Controlled Unclassified Information. Is not yet clear what companies can perform self-attestation and which ones require a C3PAO. The rulemaking process is still ongoing therefore, CMMC 2.0 will not be enforced right away. Organizations will be required to comply once the forthcoming rules go into effect.

StratusPointIT will provide your organization with guidance to achieve the necessary compliance level. Contact us today for more relevant information.


The Vulnerability Management Lifecycle

The vulnerability management lifecycle is a cybersecurity process that strengthens an organization’s capacity to foresee and react to cyberattacks.

What Is A Cybersecurity Vulnerability?

As far as IT security is concerned, a vulnerability is a weakness or a limitation that enables an attacker to access a system. Three elements must be present for a vulnerability to become a threat.

A system weakness. This is a deficiency within the network or an app. Through this weakness, a hacker is able to inflict harm on a system.

Access to the weakness. A hacker can launch the attack by using a technique or a tool.

The ability to exploit the weakness. The actual damage is inflicted when the cyberattack is conducted.

When all these three factors exist, there is an exploitable vulnerability within the system. When neglected, it is like a time bomb that can cause tremendous damage in the unfortunate event of an attack.

The Pillars Of The Vulnerability Assessment Lifecycle

Vulnerability management is a complex process that takes several steps to succeed. It typically evolves with the growth of the network.

Here are the stages of the process:


It is essential to do an inventory of all the existing assets within the network that will be regularly used in finding vulnerabilities.

After inventorying all the assets, rank their importance to the organization and determine who has access to these resources.

Locate the critical assets and double check the standards and policies for information protection. Therefore, you should assess the business processes, the applications and services, the network infrastructure map, the previous control systems, the information protection processes, etc. Update this consistently to get the full picture of vulnerabilities throughout your system.

Asset Prioritization

Locate the critical assets and classify them to ensure the effectiveness of the prioritization. Prioritize the assets that can generate the most significant risks.

It is essential to categorize these assets according to business units or groups depending on how important they are to business operations.


Accomplish a proper assessment by creating a risk profile for each of your assets.

Vulnerability scans at operating system level, web server level, web application level, etc. must be performed at this phase. Prioritize the vulnerabilities, locate any wrong configuration, and pinpoint human error.

NOTE: Scanning and testing must be thorough and must include all organization assets.


All gathered data must be compiled in a custom report that outlines the prioritized vulnerabilities. It should include step-by-step instructions that must be followed to decrease the security risk that may emerge from these vulnerabilities.

This will serve as recommendation on how to have a prompt and adequate response to any eventual problems.

NOTE: When reporting the vulnerabilities, classify them based on impact levels – low, medium, and high.


Start troubleshooting with the riskiest vulnerabilities. Begin by monitoring them, address the issues causing the vulnerabilities and oversee the situation.

Sometimes, patching your software is enough to address a known vulnerability.

All the network devices must be regularly monitored to keep up with the evolving threats.

NOTE: Controls must be established to express progress. To avoid downtime, check the patches and configuration changes in a test environment before being deployed to production.


Once vulnerabilities have been identified and resolved, there must be regular follow-up audits to ensure they won’t happen again. Also, the success of the process must be reassessed.

Verification is crucial as it limits the exposure of your system to threats, reduces the attack surface, and minimizes the impact of cyberattacks.

Eventually, the verification stage is useful to check if the previous phases have been successfully implemented.

The Importance of the Vulnerability Management Lifecycle

More than ever, organizations rely on their networks and systems for conducting their daily operations, financial transactions, and reputational stability.

A chain is as strong as its weakest link, so a robust vulnerability management program along with a strong cybersecurity plan can protect your organization when the next attack occurs. Therefore, risk mitigation should be prompt and timely to avoid unnecessary expenses and reputational damage.

Regular Patches and Updates

As expected, routine checks for vulnerabilities will lead to frequent updates and patches.

Industry Regulations

Assessing the vulnerabilities will give more awareness about relevant industry regulations that organizations must comply with. It also creates a proactive strategy for risk mitigation.

Defense Against Advanced Threats

A regular vulnerability management program can provide a solid defense against advanced attacks, sealing the vulnerabilities before any exploitation happens.

The Value of Continuity

Consistency and continuity are essential to stay updated on all emerging threats.

Acting proactively is always better than constant remediation, saving resources before they are wasted on late responses.

The Advantage of Prioritization

Prioritizing the assets that can generate the most significant risks is key. This can be achieved by studying the guidelines carefully and clearly understand which vulnerabilities should be remediated first.

Trust the Experts

Unfortunately, threats are constantly evolving. It can be disastrous to leave it up to chance when cybersecurity is at stake.

Our team of experts can provide consistent intelligence towards data, software, applications, and networks to identify, investigate and respond to vulnerabilities.

StratusPointIT can provide expert assistance and recommendations in crafting policies, best practices, and specifications helping your team create a solid vulnerability management program that can withstand the harshest of cybersecurity threats.

New Haven






Vulnerability Scanning & Penetration Testing: Overview

Vulnerability scanning is the act of identifying weaknesses and potential vulnerabilities in network devices, such as firewalls, routers, switches, servers, and applications. It is automated, business-wide and focuses on finding potential and known vulnerabilities on the network or an application level.

Vulnerability scans can regularly run on any number of IT assets to make sure that known vulnerabilities are detected and patched. Thus, you can quickly eliminate serious vulnerabilities to protect your business data.

An effective way to remediate vulnerabilities is to follow the vulnerability management lifecycle.

The Vulnerability Management Lifecycle is a cybersecurity best practice that helps strengthen the organization’s readiness to foresee and handle cyberattacks.

Briefly, it provides the following benefits:

  • Prioritization of available IT assets
  • Computer system vulnerability awareness
  • Assessment and remediation of weaknesses

Vulnerability management can be included in patch management for effective patching.

As expected, the necessary tools are usually run by network administrators or IT security staff with good networking knowledge.

Penetration Testing

Penetration tests are simulated cyberattacks against a computer system to check for exploitable vulnerabilities.

The scope of penetration testing is narrow and there is always a human factor involved. It requires an extremely experienced person to conduct this type of testing. Good penetration testers, at some point during their testing, create scripts, change parameters of an attack or tweak settings of the tools they are using.

Penetration testing (pen testing) involves breaching attempts of any application system, such as application protocol interfaces (APIs), servers (frontend/backend) to uncover vulnerabilities like excessive data exposure or broken function level authorization, etc.

Insights provided by the penetration test can be used to patch detected vulnerabilities followed by improving your IT security policies.

Pen testing could target an application or a network, but specific to a function, department, or number of assets (usually based on risk and asset importance). The whole infrastructure and all applications can be tested, but that is not practical in the real world mainly because of cost and time.

Spending a lot of money on low-risk IT assets, which may take a few days to exploit, is not feasible.

Penetration testing requires highly skilled personnel that can exploit new vulnerabilities or discover ones that are not specific to normal business operations.

Pen testing can take from a few days to a couple of weeks. It is often conducted once a year and has a higher-than-average chance of causing outages.

Companies should maintain reports on crucial equipment and should investigate any changes in open ports or services. Vulnerability scanners like Rapid7, Nessus, GFI LANGuard, Qualys, Retina alert network defenders when unauthorized changes are made to the environment. Comparing detected changes against change-control records will help determine if the change was authorized or if there is a cybersecurity threat, such as a malware infection or a staff member violating security protocols.

Penetration testing satisfies some of the compliance requirements for security auditing procedures, including SOC2 and PCI-DSS. Certain standards, such as PCI, can be satisfied only by using a certified web application firewall (WAF). However, it doesn’t make pen testing less useful due to its benefits and ability to improve the WAF configuration.

Testing Methods

Internal testing

In this scenario, a pen tester with access to an application behind its firewall simulates an attack by a malicious insider. A starting scenario can be an employee whose login information were stolen because of a successful phishing scheme.

Targeted testing

In a targeted test, the pen tester and the security personnel work together sharing the same strategy. This is a valuable training exercise that provides a security team with real-time feedback from an attacker’s standpoint.

External testing

External pen testing, also known as Black Box penetration testing, target the IT assets of a company that are visible on the internet, as for instance, the organization website, email and domain name servers, etc. The tester’s goal is to gain unauthorized access and extract sensitive data.

Blind testing

In a blind test, the tester is only given the name of the organization that’s being targeted. This gives security personnel first-hand experience into how an actual cyberattack would take place.

Double-blind testing

In a double-blind test, the security staff is not aware of the simulated attack. So, they won’t have any time to double check their defenses before an attempted breach.

Routine check for vulnerabilities

Fortunately, a routine check for vulnerabilities will lead to frequent upgrades for patches. This will help your computer system stay on top of the latest threats that develop in the realm of cybersecurity. However, vulnerability scanning and penetration testing are both crucial to an efficient cybersecurity strategy.