How to Prepare for CMMC 2.0 Assessment and Certification
The Cybersecurity Maturity Model Certification (CMMC) program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD) contracts. CMMC applies to DoD contractors and subcontractors.
DoD released CMMC model version 1.0 in January 2020, with the anticipation it would appear in all requests for information (RFIs) in June 2020 and then in all requests for proposals (RFPs) by fall 2020, followed later that year by version 1.02. More recently, in November 2021, DoD released the most current version, CMMC 2.0.
In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification 2.0 program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. In November 2021, DoD announced the program was getting a revamp and that a number of changes would be included in CMMC 2.0, thereby eliminating previous guidelines established in CMMC 1.0.
One of the biggest changes is that the new version streamlines the CMMC model down from five certification levels to three, which more closely align with NIST 800-171 and NIST 800-172, and creates minimum standards for how organizations handle CUI information in non-federal information systems.
Like the original CMMC, the new standards will apply to all contractors and subcontractors wanting to bid on or renew DoD projects, although in the interim, those requirements are not included in RFPs or RFIs.
At its heart, CMMC is an extension of the Controlled Unclassified Information (CUI) program, which the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardization protocols to ensure they meet those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework based on version 1.0 in the Apptega cybersecurity and compliance management platform. When the framework for CMMC 2.0 is finalized, it will quickly be updated within the system. Once ready, Apptega can help you easily identify which CMMC certification level is appropriate for your organization and will guide you with predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher).
When CMMC 2.0 rulemaking is finalized, those requirements will be included in new RFPs and RFIs. Likewise, if you use contractors or subcontractors related to an awarded DoD contract, those contractors and subcontractors should also be CMMC certified.
While we’re still waiting on the finalized details of CMMC 2.0, check out this video demo of how Apptega helped organizations with the initial 1.0 requirements. It’s a great way to see how Apptega can help you effectively manage and report on compliance.
In this on-demand video, you can learn more about how Apptega can help you:
Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC 2.0.
Apptega key features:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
Tips for CMMC Assessment Preparation: CMMC assessment costs vary based on your CMMC certification level and other factors such as the complexity of the work you do and your contractual obligations. While CMMC 1.0 did not allow self-assessments for CMMC certification, CMMC 2.0 permits self-assessments for level 1 certification, and in some instances for level 2.
Regardless, if you’re planning a self-assessment for a certification or if you’re making sure you’re in a good place before you undergo a third-party or government-led certification assessment, here are a couple of tips to help you prepare:
Searching for guidance, assistance or tools as you prepare for CMMC 2.0?
The CMMC Marketplace in CyberXchange is a great resource. If you know you have compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.
“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” — Ed Myers, Cape Henry Compliance Director
Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.
This white paper examines:
Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.
While CMMC 2.0 implementation dates are still ongoing and could change yet again, now is not the time for organizations to sit back and wait to see what happens next. Instead, if you believe you’re going to work with the DoD on these contracts, you may already be behind the eight ball if you haven’t started yet. So, what can you do? Here are 4 suggestions to help ensure you’re on the right track when phased implementation begins.
Read More
The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that are moving quickly to demonstrate CMMC compliance may have a competitive advantage over those that aren't. Learn how you can begin preparing and differentiating your organization today.
Read More
Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for self-assessment or third-party certification. You can even use it to map your existing NIST 800-171 or NIST 800-172 practices to your CMMC certification goals. Learn how Apptega helps organizations with access to tools to help develop a framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time.
Read More
Is your organization struggling to grasp where to start with its CMMC compliance strategy? Hear from Carter Schoenberg, CISSP/ CMMC-RP and Vice President of SoundWay Consulting Inc. and Armistead Whitney, CEO of Apptega, as they talk through a reasonable timeline and budget to conform with CMMC, what your actionable next steps should be, and reducing your exposure to a breach of contract with the DoD.
Watch Now
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.
Watch Now
