CMMC Compliance Requirements:
Everything You Need to Know in 2022

The expanding role of CMMC compliance

2019 - CMMC compliance is currently a requirement only for businesses that contract for the DoD.

General Services Administration (GSA) has suggested that CMMC compliance should become a mandate for all types of government contractors.

"CMMC has been touted as a potential standard that could expand beyond the Defense Industrial Base (DIB) to cover all government contractors.”

Ensuring that existing partners and suppliers follow cybersecurity compliance rules.

Vetting new partners and suppliers to assess their cybersecurity hygiene.

Helping guide cybersecurity teams in determining which controls and processes to use to mitigate risks within supply chains.

CMMC – unlike most other compliance frameworks – was designed specifically to help mitigate supply chain cyber security threats. It offers an excellent foundation for managing supply chain threats no matter which type of business you operate. Businesses that can’t demonstrate CMMC compliance are at risk of being seen as insecure by partners and suppliers. They may also struggle to establish Vendor Disclosure Programs that their customers require to manage supply chain risks. And they could face financial damages as a result of supply chain breaches.

Managing upstream and downstream
supply chain risks with CMMC

Although it’s common to talk about “supply chain cyber security” as if it were a singular endeavor, supply chains actually include two main parts:


This part of the supply chain includes the suppliers and vendors who deliver the resources your company needs to provide its own goods or services.


The downstream component of the supply chain consists of the processes required to deliver your business’s goods and services to distributors, customers and end-users.

Comply with legal
cybersecurity mandates

Continuously monitored for
cybersecurity risks

Maintain up-to-date contracts that define their cybersecurity

Report vulnerabilities quickly in the
event that they suffer a breach – which
in turn means that your supply chain is breached

For your own business protects the downstream portion of your supply chain. It gives your distributors and customers confidence in your commitment to cybersecurity standards, which will in turn help you win and retain more customers. CMMC compliance also ensures that you have the safeguards and controls in place to mitigate the impact of a breach rapidly, in order to keep its impact on your downstream supply chain as small as possible.

Adjusting to CMMC 2.0
compliance changes

The prospect of meeting CMMC compliance requirements may seem daunting – and it should be. While all compliance frameworks tend to be complex, the CMMC takes the cake for establishing especially rigid and complicated requirements – which is part of the reason that, historically, businesses have hired expensive consultants to help manage their CMMC compliance programs.

The state of Cybersecurity Maturity Model Certification (CMMC) is changing. The federal government in 2021 issued a new version of the framework, CMMC 2.0, that is designed to simplify compliance requirements for contractors.
Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three, while also making it easier for contractors to self-certify their compliance.

You may no longer need to pay consultants to guide you through the CMMC compliance process, but you do need comprehensive cybersecurity monitoring tools in place that allow you to identify and respond to risks across all segments of your supply chain.

Understanding the new CMMC compliance levels

To be more specific, CMMC compliance under the updated version requires the ability to meet requirements associated with the three new compliance levels:


Six to eight weeks

The most basic level of compliance requires the ability to meet seventeen NIST SP 800-171 controls. They consist mostly of standard cybersecurity controls, like implementing basic authentication and encryption protections.


Three to eight months

The advanced CMMC compliance level requires meeting all 110 of the NIST SP 800-171 controls – including not just implementing basic protections but also reacting quickly to breaches and protecting against remote threats.


Up to a year

Expert compliance requires meeting controls from SP 800-172 in addition to all of the SP 800-171 controls. SP 800-172 includes requirements such as implementing threat hunting programs and enforcing least privilege.

Businesses can self-attest their achievement of the first two compliance levels. Expert compliance certification requires review by the federal government.

Determining your CMMC compliance level

Every business needs to achieve at least Foundational CMMC compliance in order to do business with the DoD. But ideally, every business should achieve Expert-level CMMC compliance.

Whether it’s practical for your company to get to Expert-level compliance – and whether it’s a worthwhile goal – requires evaluation of several factors.

You should also perform an assessment of your supply chain and the vendors in it.
Do your vendors have a history of breaches that could jeopardize your supply chain cyber
security? Do they already demonstrate cybersecurity compliance, or has that historically been a challenge for them? The stronger the cybersecurity hygiene of your vendors, the easier it will be for you to achieve Expert-level compliance.

Consider, too, the cost of CMMC compliance. Even if you self-attest, collecting and reporting the data required to certify your compliance can require a significant investment of resources. And the more controls you need to meet, the higher your compliance costs will be.

Also, CMMC compliance must be demonstrated on a yearly basis in order to meet the government’s requirements. Of course, you can streamline compliance reporting costs by using tools that can automatically assess risk for you. These tools can drastically cut down on resource costs and time spent on manual processing.

CMMC compliance as a foundation for ESG compliance

CMMC is an excellent starting point for meeting goals associated with Environmental, Social and Governance (ESG) compliance – something that customers and investors increasingly look for.


According to Kobi Freedman, Founder and CEO of Findings,


“Making our world better and helping to improve our society is part of our vision as a company. We observed the rapidly growing demand of our customers to adopt ESG practices in our platform and think it is an enormous opportunity which perfectly aligns with our values.”

CMMC is an excellent starting point for meeting goals associated with Environmental, Social and Governance (ESG) compliance – something that customers and investors increasingly look for.

According to Kobi Freedman, Founder and CEO of Findings,

When you secure your supply chain with the help of CMMC, you are in a stronger position to achieve ESG compliance as well for two main reasons:

Supply chain protection mitigates the risk of data leakage that could expose financial information, personal data or other types of information that harm your business’s reputation as a socially responsible company.
Supply chain attacks that disrupt industrial plants, manufacturing facilities or similar infrastructure may lead to pollution, toxic waste release or similar issues that harm your business’s image as an environmentally responsible company.

Preventing supply chain attacks with Findings

Findings help businesses of all types to meet CMMC compliance requirements as part of a supply chain protection strategy.
Using automated reporting, Findings allow businesses to validate that their vendors adhere to cybersecurity standards associated with frameworks like CMMC, such as the NIST SP 800-171 and SP 800-172 controls. At the same time, Findings allows companies to demonstrate their own compliance to customers.
And, because Findings collects supply chain data, evaluates risks and generates reports automatically, you don’t need to worry about human error when managing supply chain risks. Nor does supply chain protection need to require a tremendous investment of staff time and company resources.
Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account

Please fill your details below and click "Next" to create your account:


$10 / Month
$10 / Month
$25 / Month
Integrated Apps
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today

Thank you for signing up!