Overview of the CMMC Program

The Cybersecurity Maturity Model Certification (CMMC) Program aligns with the Department's existing information safeguarding requirements for the Defense Industrial Base (DIB). The program gives the DoW increased assurance that prospective contractors and subcontractors have implemented the contractually required cybersecurity standards on the nonfederal information systems that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during contract performance.

Key features of the CMMC Program

  • Tiered Model: CMMC assesses compliance with cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. The program also outlines protection requirements for information flowed down to subcontractors. 
  • Assessment Requirement: CMMC assessments allow the Department to verify DIB implementation of foundational cybersecurity standards. 
  • Implementation through Contracts: DoW contractors and subcontractors entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award. 
A chart summarizing CMMC Model levels 1 to 3, listing the number of requirements, assessment types, and certification intervals for each level.
Infographic outlining key CMMC web requirements for levels 1–2: HTTPS, MFA, vulnerability management, audit/logging, and secure media disposal, each with corresponding icons.

Key CMMC Web Requirements (Levels 1-2)

  • Secure Transport (HTTPS): All website interactions involving FCI/CUI must run over TLS (HTTPS) to prevent eavesdropping and tampering in transit. For CUI, NIST SP 800-171 (3.13.11) additionally requires FIPS-validated cryptography, so the TLS implementation, not just the protocol, matters.
  • Authentication & Access Control (AC/IA): Websites must implement secure login mechanisms, including unique IDs for every user, multi-factor authentication (MFA), which NIST SP 800-171 (3.5.3) requires for network access to systems handling CUI, and session management (secure session cookies, timeouts, and termination on logout).
  • Web Vulnerability Management: Regular scanning and patching for web vulnerabilities (e.g., the OWASP Top 10), such as SQL injection, cross-site scripting (XSS), and improper input validation. Periodic vulnerability scanning is a Level 2 requirement (NIST SP 800-171 3.11.2); Level 1 still requires flaws to be identified and corrected in a timely manner (FAR 52.204-21(b)(1)(xii)).
  • Audit and Accountability (AU): Maintaining logs of user activities on the website, including login attempts (successful and failed), data access, and administrative actions, with each record attributable to an individual user. The logs themselves must be protected from unauthorized access, modification, and deletion (NIST SP 800-171 3.3.8).
  • Media Protection (MP): Ensuring that data cached or stored by the website (including backups and storage media) is properly protected and sanitized or destroyed when no longer needed. [1, 2, 3, 4, 5]

CMMC Level Breakdown

  • Level 1 (FCI): Covers the basic safeguarding requirements of FAR 52.204-21, such as limiting system access to authorized users, identifying and authenticating users, and sanitizing media before disposal. Level 1 is verified by an annual self-assessment.
  • Level 2 (CUI): Aligns with the 110 security requirements of NIST SP 800-171, requiring more comprehensive controls, including multi-factor authentication, encryption of CUI in transit using FIPS-validated cryptography, and periodic vulnerability scanning. Depending on the contract, Level 2 is verified by a self-assessment or by a certification assessment from an authorized third-party assessor (C3PAO), renewed every three years.
A three-tiered pyramid diagram shows CMMC Levels 1 to 3, detailing requirements at each level; most DIB contractors are indicated to fall under Level 2.
A four-phase timeline outlines CMMC implementation, detailing start dates, certification level requirements, and contract conditions from November 2025 to November 2028.

Actions to Ensure Compliance

  • Map Data Flows: Identify whether your website (including back-end services, caches, backups, and third-party components) processes, stores, or transmits FCI or CUI. This determines the required CMMC level and the boundary of the assessment scope.
  • Conduct Web Assessments: Run vulnerability assessments (authenticated scans plus manual testing for the OWASP Top 10) and verify that the transport, authentication, session, and logging requirements above are actually in place, not just documented.
  • Document Security Policies: Ensure the System Security Plan (SSP) details the website's security measures and that any requirement not yet met is tracked in a Plan of Action and Milestones (POA&M).
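One way to turn the Secure Transport, Session Management, and Audit and Accountability items from the Key CMMC Web Requirements list into a repeatable self-check for the "Conduct Web Assessments" step. This is an added example, not code from the original page or from any CMMC guidance; the HSTS threshold, the audit record schema, and the captured login responses are all assumptions constructed for the example.

```python
import json
import re
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed minimum HSTS max-age for this check (one year); not a number CMMC itself specifies.
ONE_YEAR_SECONDS = 31_536_000

# Assumed schema: the fields a log record needs so an action is attributable to one user.
REQUIRED_AUDIT_FIELDS = ("timestamp", "user_id", "action", "outcome", "source_ip")


@dataclass(frozen=True)
class Finding:
    requirement: str  # which listed requirement the gap maps to
    detail: str


def check_transport(url: str, headers: dict[str, str]) -> list[Finding]:
    """Secure Transport: the page must be HTTPS and send a long-lived HSTS policy."""
    findings: list[Finding] = []
    lower = {k.lower(): v for k, v in headers.items()}
    if urlsplit(url).scheme != "https":
        findings.append(Finding("Secure Transport", f"{url} is served over plain HTTP"))
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("Secure Transport", "no Strict-Transport-Security header"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < ONE_YEAR_SECONDS:
            findings.append(Finding("Secure Transport", f"HSTS max-age too short: {hsts!r}"))
    return findings


def check_session_cookies(set_cookie_headers: list[str]) -> list[Finding]:
    """Session management: a session cookie must not cross HTTP, be script-readable, or be sent cross-site."""
    findings: list[Finding] = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(Finding("Session Management", f"cookie {name} lacks Secure"))
            if not morsel["httponly"]:
                findings.append(Finding("Session Management", f"cookie {name} lacks HttpOnly"))
            if str(morsel["samesite"]).lower() not in ("lax", "strict"):
                findings.append(Finding("Session Management", f"cookie {name} lacks SameSite=Lax or Strict"))
    return findings


def check_audit_records(lines: list[str]) -> list[Finding]:
    """Audit and Accountability: every JSON-lines record must carry the fields that make it attributable."""
    findings: list[Finding] = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append(Finding("Audit and Accountability", f"record {number} is not valid JSON"))
            continue
        missing = [field for field in REQUIRED_AUDIT_FIELDS if field not in record]
        if missing:
            findings.append(Finding("Audit and Accountability", f"record {number} missing {', '.join(missing)}"))
    return findings


def assess(url: str, headers: dict[str, str], set_cookie_headers: list[str], audit_lines: list[str]) -> list[Finding]:
    """Run all three checks over one captured login response plus a sample of its audit log."""
    return check_transport(url, headers) + check_session_cookies(set_cookie_headers) + check_audit_records(audit_lines)


# Constructed sample data: the same login page captured before and after hardening (not real traffic).
WEAK_URL = "http://portal.example.test/login"
WEAK_HEADERS = {"Server": "nginx"}
WEAK_COOKIES = ["session=8f3a2c; Path=/"]
HARDENED_URL = "https://portal.example.test/login"
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}
HARDENED_COOKIES = ["session=8f3a2c; Path=/; Secure; HttpOnly; SameSite=Strict"]
AUDIT_LINES = [  # constructed log lines; the third one cannot be attributed to a user
    '{"timestamp": "2025-11-10T14:02:11Z", "user_id": "jdoe", "action": "login", "outcome": "failure", "source_ip": "198.51.100.7"}',
    '{"timestamp": "2025-11-10T14:02:40Z", "user_id": "jdoe", "action": "login", "outcome": "success", "source_ip": "198.51.100.7"}',
    '{"timestamp": "2025-11-10T14:05:02Z", "action": "download", "outcome": "success", "source_ip": "198.51.100.7"}',
]

if __name__ == "__main__":
    for finding in assess(WEAK_URL, WEAK_HEADERS, WEAK_COOKIES, AUDIT_LINES):
        print(f"[{finding.requirement}] {finding.detail}")
```

Each finding names the requirement it maps to, so the output can be pasted straight into the SSP gap list or a POA&M entry. The hardened capture passes the transport and session checks but still produces one audit finding, which is the point: a compliant TLS front end does not make a log attributable if the record has no user ID.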