What You Need to Know About CMMC—From our Director of Government Strategy & Affairs Morgan Kaplan
Published 04/16/2025
Originally published by Vanta.
Written by Lucia Giles.
The Cybersecurity Maturity Model Certification (CMMC) program was developed by the Department of Defense (DoD) to ensure that defense contractors and subcontractors meet the cybersecurity requirements needed to safely and responsibly handle government data. Of primary concern is how commercial vendors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The new CMMC program is officially live, and certification requirements will start appearing in contracts around mid-2025.
To mark the occasion, we asked the Director of U.S. Government Strategy & Affairs at Vanta, Morgan Kaplan, to answer some questions about CMMC.
Morgan previously served as the senior policy lead at Palantir Technologies and brings expertise at the intersection of US defense policy, emerging technology, and public-private partnerships to Vanta. Below, he shares how you—as a current or potential future contractor for the DoD—can get CMMC certified.
What is the goal of CMMC, and why was it created?
“The new CMMC program is the product of numerous government initiatives over the course of many years to ensure that commercial vendors working with the DoD are held to a level of cybersecurity responsibility that such collaboration demands.
In general, a key strategy for the Pentagon has been to expand and deepen its partnership with the private sector because, in order to meet 21st-century threats, the DoD must be able to leverage the effectiveness and efficiency of commercial products and solutions. However, as commercial providers become more integral to Defense work and supply chains, they also expand the attack surface of national security-related information and cybersecurity risk. This is why, for example, you will see CMMC explicitly discussed in the DoD’s recently released National Defense Industrial Strategy Implementation Plan.
The CMMC program is a necessary measure to protect defense contractors—and subsequently the DoD itself—from increasing cyber risk. At the same time, it’s a recognition of how mission critical commercial providers have become to the U.S. defense community and its supply chains.”
How will CMMC impact commercial vendors?
“Making sure that commercial providers are appropriately handling and securing government data is a national security necessity. While there is some concern that the new CMMC requirements may inadvertently direct less-resourced, non-traditional firms away from the defense market, that’s certainly not the DoD’s intent and they are working hard to make additional resources available to the Defense Industrial Base (DIB).
The question is, how can we ensure that commercial vendors are held to necessary cybersecurity standards while also ensuring a strong and healthy DIB where more providers want to do business with the DoD?
This is where I think companies can help make a difference. By leveraging automation and continuous monitoring capabilities, we believe that software can help firms—big or small—lower the cost of achieving and verifying their compliance. While getting up to speed with CMMC will require contractors to devote additional resources to cybersecurity, it’s important that we find ways to bring the costs of effective cybersecurity and compliance down—without making any sacrifices to the necessary standards—so we can bring the rate of compliance up. That’s something the entire community should be deeply committed to.”
What are the different CMMC certification levels?
“There are three levels of CMMC certification based on the type of information contractors and subcontractors handle as part of the DoD contract in which they are engaged. Each CMMC level builds on the previous to include additional sets of controls. For example, while Level 2 pulls from NIST 800-171r2, Level 3 pulls from NIST 800-171r2 and further controls from NIST 800-172. Each level also has unique assessment requirements.
| CMMC Level | Focus Area | Assessment Requirements |
|---|---|---|
| Level 1 | Focuses on protecting FCI | |
| Level 2 | Focuses on broad protections of CUI | |
| Level 3 | Focuses on higher level protections of CUI and requires advanced cybersecurity capabilities | |
The DoD has a lot of great resources to help clarify the process, and I highly encourage vendors to review both the recently-released CMMC final rule (32 CFR Part 170) and the DoD’s CMMC program website closely.”
How do I know which level of CMMC certification I need?
“The CMMC program is enforced via contracts, meaning that the level of certification required will soon be listed in contracts and Requests for Proposals (RFPs). However, if you already have a contract with the DoD and you have not been told what level of certification you will require, you should reach out to your contracting officer to confirm what level you need based on that specific contract. Additionally, if you are a subcontractor and have questions about the certification level required, we recommend contacting your prime contractor.
If you don’t have an active DoD contract but are currently pursuing one, it is best to start the conversation early, working with the specific Program Executive Office (PEO) or Program/Project Management Office (PMO) to confirm which level will be required. They should have all the information for you.
Finally, it’s worth noting that CMMC program implementation will be rolled out in phases starting in mid-2025, so just keep checking in with your main points of contact for clarity on what level and type of assessment is needed and when.”
Is this a one-time thing? Once I’m certified, what’s next?
“CMMC is not a one-and-done certification. The goal is to create a continuous and sustainable state of cybersecurity maturity. Therefore, once certified, you still have to maintain and affirm compliance so long as your business is still working on a DoD contract. At the very least, this involves—for all levels—a self-affirmation each year. However, Level 2 and Level 3 require a new assessment every three years. For that reason, it’s critical to monitor your controls continuously and ensure you remain in compliance.”
Is CMMC different from FedRAMP? Do I need both?
“We get this question a lot. The short answer is ‘yes,’ they are different. While there are some important commonalities—for example, both FedRAMP Moderate and CMMC Levels 2 and 3 share many of the same baseline NIST requirements, and vendors can use a FedRAMP Moderate or FedRAMP Moderate equivalency to streamline CMMC certification—CMMC and FedRAMP are ultimately different programs with different requirements managed by different agencies.
Additionally, while FedRAMP is applicable to cloud service providers across the federal government, CMMC is applicable to vendors working explicitly with the DoD, regardless of whether they are providing cloud-based services or not.
Depending on your business, you may need to comply with both CMMC and FedRAMP.”
What are some potential challenges with CMMC certification, and how can I avoid them?
“If you’re just now learning about the new CMMC program, it probably feels like there’s a lot to take in. But not to fear, there is an entire community—policymakers, DoD officials, industry providers, and non-profits—committed to ensuring that every company that wants to join the DIB and contribute to the mission is able to.
We do have a few tips for success, especially for organizations that are either resource-constrained or very early in their cybersecurity maturity.
First, as with managing compliance for any other framework, manual documentation processes can overburden IT teams, slowing down data collection and limiting your ability to conduct continuous monitoring. The key is to identify tools that can help you simplify the management of your readiness and assessment process, both for the initial assessment and for future affirmations. For something like CMMC, a spreadsheet with manual updates will probably cost you more time and money in the long run.
Second, ask a lot of questions. Overcommunicate with your PEO/PMO, contracting officers, prime contractor, cybersecurity and GRC providers, implementation partner, C3PAOs, etc. As I’ve already mentioned, there’s an entire ecosystem of people and organizations who are in the weeds of CMMC policy and implementation on a daily basis. They’re ready to help. Be proactive, and don’t go it alone.
Finally, don’t wait. This is particularly relevant for companies with an existing or upcoming contract that could be at risk due to non-compliance. There are also benefits to pursuing certification earlier in the contracting lifecycle—showing CMMC certification (or progress towards it) can send a strong signal to prospective DoD customers that you can fulfill the necessary contract requirements, particularly as they relate to data and information protection.
Overall, the CMMC program represents a new chapter for public-private partnerships in the domain of cybersecurity and defense, and it's an important step for us all to take together.”