 

Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0

How to Prepare for CMMC 2.0 Assessment and Certification


Understanding CMMC 2.0


The Cybersecurity Maturity Model Certification (CMMC) program is a set of standards that organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD). CMMC applies to DoD contractors and subcontractors.

DoD released CMMC model version 1.0 in January 2020, followed by version 1.02 later that year, anticipating that CMMC would appear in all requests for information (RFIs) by June 2020 and in all requests for proposals (RFPs) by fall 2020. More recently, in November 2021, DoD released the most current version, CMMC 2.0.

On this CMMC fundamentals page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification 2.0 program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.

Here’s What You’ll Learn:

What is CMMC?

Cybersecurity Maturity Model Certification is a set of standards designed to help organizations protect CUI and FCI when engaging in DoD contracts.


Managing CMMC Certification

When CMMC 2.0 rulemaking is finalized, the new framework will be added to Apptega’s compliance management platform.


Who Needs CMMC Certification?

All contractors and subcontractors bidding on or renewing contracts with the Department of Defense should be CMMC-certified at Level 1 or higher.


New CMMC 2.0 Levels

CMMC 2.0 streamlines the CMMC model, decreasing the number of certification levels in CMMC 1.0 from five to three in version 2.0.


Other CMMC 2.0 Changes

In addition to a streamlined model and requirements, there are several other important changes in the new version.


CMMC 2.0 Timeline

Although key 2.0 changes have been announced, the current rulemaking process could take an additional nine to 24 months.


NIST 800-171 and CMMC

While NIST 800-171 and CMMC certification are not the same, they are complementary, and you can map your CMMC and NIST 800-171 frameworks to each other.


Preparing for CMMC Assessment

Think your organization is ready to complete an accredited CMMC assessment? Here’s a look at how assessments work and who does them.


Understanding CMMC-AB

In 2020, DoD established the CMMC-AB to help certify assessors to complete DoD-approved third-party assessments.


CMMC Marketplace

Need help finding CMMC tools, resources, or services that meet your organization’s specific needs? Check out CyberXchange.


CMMC Case Study

Learn how one of our clients uses Apptega to help manage NIST and CMMC compliance and hear about its compliance success.


CMMC White Paper

Need help preparing for CMMC? Check out this white paper with insights from real DoD contractors and subcontractors.


CMMC Blog Snapshots

Curious about how to begin your Cybersecurity Maturity Model Certification journey? Check out these CMMC-related blogs for ideas and support.


CMMC Webinar Snapshots

Want to learn more about how to align your NIST 800-171 practices with your CMMC certification journey? Check out this webinar.


The Apptega Solution for CMMC Compliance

See how you can develop and manage your CMMC framework with ease in Apptega. You can even use Apptega to manage (and crosswalk) multiple frameworks in one platform.


CMMC Certification FAQ

Have basic questions about CMMC compliance? This CMMC frequently asked questions section is a great place to start.

What is CMMC?

What is Cybersecurity Maturity Model Certification?

Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).

The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. In November 2021, DoD announced the program was getting a revamp and that a number of changes would be included in CMMC 2.0, thereby eliminating previous guidelines established in CMMC 1.0.

One of the biggest changes is that the new version streamlines the CMMC model from five certification levels down to three, which align more closely with NIST 800-171 and NIST 800-172, and creates minimum standards for how organizations handle CUI in non-federal information systems.

Like the original CMMC, the new standards will apply to all contractors and subcontractors wanting to bid on or renew DoD projects, although in the interim, those requirements are not included in RFPs or RFIs.

At its heart, CMMC is an extension of the Controlled Unclassified Information (CUI) program, which the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.

The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).

Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardized way to verify that they met those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.

To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.


Managing CMMC Compliance with Apptega

You can find the CMMC framework based on version 1.0 in the Apptega cybersecurity and compliance management platform. When the framework for CMMC 2.0 is finalized, it will quickly be updated within the system. Once ready, Apptega can help you easily identify which CMMC certification level is appropriate for your organization and will guide you with predefined controls to build your framework and conduct an initial readiness assessment.

Reach your CMMC compliance goals by using Apptega to:

  • Assess your current compliance level
  • Identify gaps in your existing program
  • Manage remediation tasks to mature your CMMC practices
  • Map NIST 800-171 and CMMC using Apptega's Harmony capability
  • Improve your CUI security practices
  • Produce key data needed for your System Security Plan (SSP)
  • Produce key data needed for your Plan of Action and Milestones (POA&M) report
  • Simplify your CMMC certification process
  • Ensure CMMC compliance with minimal overhead
  • Conduct a self-assessment where allowable for the new CMMC 2.0 certification levels

Who Needs to be CMMC-Certified?


If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified. 

If you’re unsure, answer the following questions:

  • Does your organization provide goods and services for DoD?
  • Are you a subcontractor for an organization that does direct business with DoD?
  • Is your organization expected to comply with DFARS 252.204-7012 and/or NIST 800-171?
  • Is your current information security provider an approved CMMC independent assessor?
If you answered yes to any of these, you may need a CMMC certification. 

It’s important to point out here that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at Level 1 at a minimum (and potentially higher). When CMMC 2.0 rulemaking is finalized, those requirements will be included in new RFPs and RFIs. Likewise, if you use contractors or subcontractors on an awarded DoD contract, those contractors and subcontractors should also be CMMC-certified.


CMMC Video Demo

While we’re still waiting on the finalized details of CMMC 2.0, check out this video demo of how Apptega helped organizations with the initial 1.0 requirements. It’s a great way to see how Apptega can help you effectively manage and report on compliance.


In this on-demand video, you can learn more about how Apptega can help you:

  • Map your CMMC framework to NIST 800-171
  • Assess your CMMC readiness 
  • Manage risk remediation and compliance gaps
  • Create reports on all security controls for your System Security Plan (SSP)
  • Document risk assessments 
  • Document corrective actions (plans and status) for your POA&M

CMMC Compliance Framework


Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC 2.0. 

Apptega key features:

  • More than 16 security frameworks
  • Questionnaire-based assessments
  • One-click reporting
  • Real-time compliance scoring
  • Auditor viewing options
  • Policy and plan templates
  • Task Packs and automated task management
  • Assessments based on an easy-to-use questionnaire format

New CMMC 2.0 Levels


CMMC Certification Level 1: Foundational

CMMC 1.0 included five certification levels, but version 2.0 streamlines requirements down to three. It also removes the previous maturity processes and CMMC unique security practices. The new levels closely align with the National Institute of Standards and Technology (NIST) cybersecurity standards.


  • There are 17 practices, and an annual self-assessment is sufficient for certification. This level is for organizations that handle FCI only.


CMMC Certification Level 2: Advanced

  • There are 110 practices, which align with NIST SP 800-171. Triennial third-party assessments are required for prioritized acquisitions; however, self-assessments may be applicable for certain programs, such as non-prioritized acquisitions. This is for organizations with CUI.

CMMC Certification Level 3: Expert

  • There are 110 practices at this level based on NIST SP 800-172. There are also triennial assessments for this level, but they are government-led assessments. This is for the highest priority programs with CUI.

We anticipate DoD will soon release the CMMC 2.0 model for Levels 1 and 2, their assessment guides, and scoping guidance. Level 3 information will follow when it’s available. Check back for updates on this page as soon as they’re available.

Other CMMC 2.0 Changes

In addition to streamlining the CMMC model and decreasing the number of certification levels, the changes coming in CMMC 2.0 are likely to reduce assessment costs for organizations. While organizations that handle critical national security information at Level 2 will need third-party assessments every three years, self-assessments can now be used to demonstrate compliance at Level 1. That was not the case with CMMC 1.0. In some cases, depending on the CUI involved, self-assessments may also be possible at Level 2. Level 3, the highest level, will continue to require assessments conducted by the government.

Another significant change between CMMC 1.0 and CMMC 2.0 is reflected in the implementation processes. In CMMC 1.0, organizations were expected to achieve contract-level certification requirements prior to a DoD contract award or renewal. However, with 2.0, organizations may be able to use Plans of Action & Milestones (POA&Ms) for certification.

There are a number of restrictions on using POA&Ms for certification. For example, they’re likely to be time-bound, possibly limited to no more than 180 days. And while they may be permissible for some requirements, they will not be permitted for the highest-weighted requirements, and a minimum score will be required to achieve certification with a POA&M in place.

Finally, CMMC 2.0 will also allow waivers in some very limited circumstances, such as mission-critical situations. These waivers, which will require senior DoD approval, will only be granted on a case-by-case basis and, like POA&Ms, will be time-bound.

What Our Customers Are Saying

Dr. Pete Dowdy
Senior Director, Information Security, Envistacom

"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."

Thad Wellin
CMMC Lead, SecureStrux

"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

CMMC 2.0 Timeline

An Overview of CMMC 2.0 Timeline

In late 2020, DoD announced plans to review the CMMC standards. As part of that effort, it released an interim rule under DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements. The rule paved the way for DoD to begin changing the CMMC program, with the goal of building on the initial CMMC framework to better protect the Defense Industrial Base (DIB) against evolving cybersecurity threats.

While the original framework was designed to protect CUI and FCI, DoD recognized that risks evolve as the cybersecurity threat landscape changes, including the risk from advanced persistent threats (APTs). The proposed changes to the CMMC program are designed to help organizations better manage those risks while maintaining CUI and FCI protections.

In March 2021, DoD initiated an internal CMMC review. The review included evaluations of implementation and took into consideration some 850 comments received during a public comment period. The review and feedback helped DoD solidify five goals for the CMMC program:

  • To safeguard sensitive information to enable and protect the warfighter
  • To dynamically enhance DIB cybersecurity to meet evolving threats
  • To ensure accountability while minimizing barriers to DoD compliance requirements
  • To contribute to instilling a collaborative culture of cybersecurity and cyber resilience
  • To maintain public trust through high professional and ethical standards

There is a five-year phase-in period underway for CMMC 2.0.

While CMMC 2.0 goes through required rule-making processes, CMMC level information will not be included in DoD contracts.

Moving forward, DoD will be focused on completing mandatory rulemaking requirements for 32 CFR to establish the CMMC program, and 48 CFR to update contractual requirements in DFARS for program implementation.  

The rulemaking process could take between nine and 24 months. There will also be a 60-day public comment period and concurrent congressional review during this process.

As DoD works to meet all of its rulemaking obligations, it will suspend its CMMC pilot program. DoD will also eliminate the requirements for mandatory CMMC certifications. However, once CMMC rulemaking is complete, organizations will be required to meet revised CMMC requirements as determined by the finalized regulations.

As this process continues, DoD is considering some incentives for organizations that voluntarily get a CMMC level 2 certification. The new level 2 is similar to level 3 in CMMC 1.0.

DoD also encourages all organizations in the DIB sector to continue efforts to enhance their cybersecurity posture during this time. Some organizations may find it helpful to conduct a self-assessment against NIST 800-171 to identify gaps and begin making plans to address them. DoD has also launched a website for Project Spectrum, which has an array of resources that can help organizations assess cyber readiness and improve security practices.

 Until the rulemaking process is finished, CMMC participation is voluntary.

Understanding NIST 800-171 & CMMC Certification

While DoD contractors and subcontractors have been expected to meet NIST 800-171 standards since at least 2018, self-attestation methods for compliance often varied from organization to organization. That’s why DoD implemented CMMC in 2020 with the goal of creating a verification method for compliance to compete for RFIs and RFPs.

CMMC compliance is not the same as NIST 800-171 compliance, but the two frameworks are complementary. The core difference is NIST 800-171 also includes non-federal organization (NFO) controls that aren’t part of CMMC. NIST 800-171, which was created in 2003, establishes a minimum set of standards that guide how organizations should safeguard CUI in non-federal information systems.

Preparing for a CMMC Assessment

Tips for CMMC Assessment Preparation

CMMC assessment costs vary based on your CMMC certification level and other factors such as the complexity of the work you do and your contractual obligations. While CMMC 1.0 did not allow self-assessments for CMMC certification, CMMC 2.0 permits self-assessments for Level 1 certification, and in some instances for Level 2.


Whether you’re planning a self-assessment for certification or making sure you’re in a good place before you undergo a third-party or government-led certification assessment, here are a few tips to help you prepare:

  • Understand which CMMC level applies to your organization. Your CUI and FCI access may help you make this determination. When applicable, don’t forget to check new contract requirements. If you’re bidding on a new contract with a different type of CUI or sensitivity, you may need to certify at a higher level.
  • Explore your existing cybersecurity practices to identify where your existing practices align with CMMC and where you have gaps.
  • Assess your existing practices against NIST 800-171, and if you anticipate bidding on more complex contracts, consider evaluating against NIST 800-172 as well.
  • Make a plan to remediate gaps.
  • Do an internal audit (a self-assessment, or one with the assistance of an RPO) of your degree of CMMC compliance.
  • Connect with a CMMC assessor from the CMMC Marketplace to schedule an assessment.

Understanding CMMC-AB

What is the CMMC-AB and What Does it Do?

To assist DoD contractors seeking CMMC certification, an independent, nonprofit organization, CMMC Accreditation Body (CMMC-AB), was created in early 2020.

CMMC-AB oversees a community of consultants and organizations certified to provide assistance with CMMC certification preparation. These providers are either Registered Practitioners (RPs) or Registered Provider Organizations (RPOs):

  • A Registered Practitioner (RP) provides assistance services to DoD contractors, conducting readiness assessments and preparing for the certification process. RPs are not allowed to conduct CMMC certification assessments.
  • A Registered Provider Organization (RPO) is authorized to represent itself as familiar with the basic constructs of the CMMC standard and to deliver non-certified CMMC consulting services. These services are intended to assist DoD contractors with readiness assessments and certification preparation. The RPO designation signifies that the organization agrees to the CMMC-AB Code of Professional Conduct. An RPO must have at least one Registered Provider on staff.

CMMC-AB also oversees the individuals and organizations certified to conduct the actual CMMC certification assessments. These assessors are either Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs):

  • A Certified Assessor (CA) has completed the background, training, and examination requirements outlined by CMMC-AB (at one of three levels) and has a certification. Assessors are not CMMC-AB employees.
  • A Certified Third-Party Assessment Organization (C3PAO) is an organization certified to conduct CMMC certification assessments for DoD contractors and provide consultative advice.

You can find a list of assessors in the CMMC Marketplace.

CMMC Marketplace


Searching for guidance, assistance or tools as you prepare for CMMC 2.0?

The CMMC Marketplace in CyberXchange is a great resource. If you know you have compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

CMMC & NIST 800-171 In Action

Cape Henry

Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.

“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” Ed Myers, Cape Henry Compliance Director

CMMC Whitepaper


Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.

This white paper examines:

  • CMMC perspectives
  • Current NIST 800-171 compliance status
  • Approach and scope of CMMC preparation
  • Cost estimates

Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.

CMMC Blogs


CMMC 2.0: Phased Implementation Begins This Year. Are You Ready?

While CMMC 2.0 implementation dates are still being set and could change yet again, now is not the time for organizations to sit back and wait to see what happens next. If you expect to work with the DoD on these contracts and haven’t started yet, you may already be behind the eight ball. So, what can you do? Here are four suggestions to help ensure you’re on the right track when phased implementation begins.


Don't Delay CMMC: Get Started With a CMMC Self-Assessment Now

The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that are moving quickly to demonstrate CMMC compliance may have a competitive advantage over those that aren't. Learn how you can begin preparing and differentiating your organization today.


Apptega Adds Cybersecurity Maturity Model Certification (CMMC) to Its Growing List of Compliance Frameworks

Organizations of all sizes can use Apptega’s cybersecurity management platform to implement and manage a CMMC program and prepare for self-assessment or third-party certification. You can even use it to map your existing NIST 800-171 or NIST 800-172 practices to your CMMC certification goals. Learn how Apptega gives organizations the tools to develop a framework, instantly assess readiness, identify gaps and weaknesses, and mature their programs over time.


CMMC Webinars


CMMC 2.0 - A Wait and See Game?

Is your organization struggling to grasp where to start with its CMMC compliance strategy? Hear from Carter Schoenberg, CISSP/CMMC-RP and Vice President of SoundWay Consulting Inc., and Armistead Whitney, CEO of Apptega, as they talk through a reasonable timeline and budget to conform with CMMC, what your actionable next steps should be, and reducing your exposure to a breach of contract with the DoD.


NIST SP 800-171 and CMMC: Minimize Your Risk of Losing Business Opportunities

If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.


Apptega Product Highlights

CMMC Compliance Made Easy With Apptega

As with any compliance standards, organizations inherently face a number of challenges when adopting a new cybersecurity framework and working toward demonstrating compliance. Apptega’s cybersecurity and compliance management platform can help you create your CMMC certification framework, get instant insight into where you are right now in meeting your CMMC compliance goals, and help you identify and remediate gaps before you undergo a formal CMMC certification assessment. 

Here are some other ways Apptega can help you simplify and manage your CMMC compliance:

  • Select from an ever-growing library of cybersecurity frameworks or create your own with configurable controls
  • Eliminate overhead and redundancy by consolidating frameworks in one platform
  • Access real-time scoring, task management, calendar events, collaboration, budgets, and vendor management all in the Apptega solution
  • Build, manage, and report on all your cybersecurity processes easily through a series of apps representing important controls within your program
  • Monitor specific controls and policies at a granular level
  • Access an easy-to-understand dashboard to quickly identify gaps and improve your security posture
  • Access preset checklists and already created policy and plan templates
  • Create audit-ready compliance reports and produce the data needed for your System Security Plan (SSP) and your Plan of Action and Milestones (POA&M) documents.
  • Rely on certified cybersecurity professionals for assistance and support


Frequently Asked Questions about CMMC (FAQs)

What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification, also known as CMMC, is a set of security standards designed to guide how organizations handle and protect controlled unclassified information (CUI) and federal contract information (FCI). It was created by the U.S. government and applies to Department of Defense (DoD) contractors and subcontractors wanting to bid on or renew DoD contracts. Every organization must meet at least Level 1 compliance, with two higher certification levels based on more complicated contract requirements and CUI access. DoD released CMMC version 1.0 in January 2020, version 1.02 in March 2020, and its most current version, 2.0, in late 2021.
Who guides CMMC?
The Department of Defense issues CMMC guidelines. Additionally, an independent, nonprofit organization known as the CMMC Accreditation Body (CMMC-AB) was established in early 2020. CMMC-AB establishes and oversees a community of assessors that deliver assessments to participating organizations against a defined set of controls and best practices within the Cybersecurity Maturity Model Certification (CMMC) program. In support of DoD contractors seeking certification, CMMC-AB established accreditation processes for Registered Practitioners (RPs), Registered Provider Organizations (RPOs), Certified Assessors (CAs), and Certified Third-Party Assessment Organizations (C3PAOs).
What is a CMMC Organization Seeking Certification (OSC)?
An organization, typically a DoD contractor, that goes through the CMMC assessment and certification process to receive a formal certification.
What is a CMMC Registered Practitioner (RP)?
A Registered Practitioner (RP) provides assistance services to DoD contractors, conducting readiness assessments and preparing for the certification process. RPs are not permitted to conduct CMMC certification assessments.
What is a CMMC Registered Provider Organization (RPO)?
An organization authorized to represent itself as familiar with the basic constructs of the CMMC standard and to deliver non-certified CMMC consulting services. These services are intended to assist DoD contractors with conducting readiness assessments and preparing for the certification process. The RPO designation signifies that the organization has agreed to the CMMC-AB Code of Professional Conduct. An RPO must have at least one Registered Provider on staff.
What is a CMMC Certified Assessor (CA)?
An individual who has completed the background, training, and examination requirements as outlined by the CMMC-AB (at one of 3 levels) and to whom a certification has been issued. Assessors are not CMMC-AB employees.
What is a Certified Third-Party Assessment Organization (C3PAO)?
An organization that is certified to conduct CMMC certification assessments of DoD contractors and provide consultative advice.
Why is CMMC needed?
DoD contractors and subcontractors have been required to adhere to NIST 800-171 standards since 2018; however, there has not been a unified set of standards to ensure organizations meet those requirements. To unify accountability, the government created the Cybersecurity Maturity Model Certification (CMMC) program with the intent to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. It covers a range of cyber hygiene practices from foundational to advanced and finally expert, and outlines requirements for how organizations should handle and protect CUI.
What does it mean to be CMMC-certified?
To become CMMC-certified, your organization must successfully meet the requirements outlined in CMMC 2.0. While the rulemaking processes for CMMC are underway, those details have not yet been finalized, so check back soon for updates. We do know, however, that for the first time, organizations will be able to self-assess at Level 1 and, in some circumstances, at Level 2. Other parts of Level 2 and all of Level 3 will require certification from either a third-party certified assessor or the government. CMMC assessor-based certifications are valid for three years. The results of your CMMC assessment are not released to the public, nor is your CMMC certification level.
Who is subject to CMMC compliance?
All contractors and subcontractors bidding on new contracts or contract renewals are subject to CMMC compliance. If you work with contractors and/or subcontractors for related DoD contract work, those contractors and subcontractors must also be CMMC-certified.
What happens if you are not CMMC-certified?
If your organization is not CMMC 2.0 certified at the level outlined in future RFIs or RFPs, you may be disqualified from participating in that contract.
What is a cybersecurity maturity assessment?
A cybersecurity maturity assessment is an assessment of your organization’s cybersecurity processes to determine how well your organization can protect your assets and data from cyber threats.
What are the three levels of CMMC 2.0 certification?
The three levels of CMMC certification are Level 1: Foundational, which includes 17 practices and enables an annual self-assessment for certification; Level 2: Advanced, which includes 110 practices and requires a third-party assessment for prioritized acquisitions every three years and a self-assessment for non-prioritized acquisitions; and Level 3: Expert, which includes more than 110 practices and requires a government-led assessment every three years.
What is CUI?
CUI stands for controlled unclassified information. CUI encompasses protected but unclassified information that requires additional safeguarding, security, and dissemination controls.
What is FCI?
FCI is federal contract information. FCI can include a range of information, for example, emails between DoD and contractors, policies and subcontracts, and other information shared through various communication channels.
What is the most current version of CMMC?
The most current version of CMMC is version 2.0, which was released in November 2021.
How long does a CMMC certification last?
With CMMC 2.0, a third-party or government-led certification should last three years, whereas self-assessments for level 1 should be annual.
Is there a CMMC compliance framework?
Yes. There is a CMMC compliance framework and it is available in the Apptega cybersecurity and compliance management platform. With the platform, you can map the CMMC framework to other frameworks, such as NIST 800-171.
How is CMMC related to NIST 800-171?
CMMC certification draws on many best practices outlined by NIST 800-171; however, certification processes for the two are not the same, and being compliant for one does not guarantee that you are compliant for the other.
Is CMMC certification the same as NIST 800-171 compliance?
No. CMMC certification and NIST 800-171 compliance are not the same. However, the two frameworks are complementary and you can map your CMMC framework to NIST 800-171. CMMC draws on many standards outlined by NIST 800-171, but NIST 800-171 also includes non-federal organization (NFO) controls.