How to Prepare for CMMC 2.0 Assessment and Certification
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD) contracts. CMMC 2.0 applies to DoD contractors and subcontractors.
DoD released CMMC model version 1.0 in January 2020, with the anticipation it would appear in all requests for information (RFIs) in June 2020 and then in all requests for proposals (RFPs) by fall 2020. Version 1.02 was released in March. It is not retroactive for existing contractors; however, if your organization wants to bid on new contracts or renew an existing contract, you must be CMMC-certified.
In November 2021, the organization released CMMC model version 2.0 that consolidated the original 5 certification levels into 3 certification levels.
In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. CMMC standards apply to contractors and subcontractors wanting to bid on DoD projects.
CMMC is an extension of the Controlled Unclassified Information (CUI) program, a program the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
CUI standards are guided by a framework from the National Institute of Standards and Technology (NIST), NIST SP 800-171, which creates minimum standards for how organizations handle CUI information in non-federal information systems.
The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardization protocols to ensure they meet those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework in the Apptega cybersecurity and compliance management platform. With Apptega, you can easily identify which CMMC certification level is appropriate for your organization and use predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher) based on your relationship. Likewise, if you use contractors or subcontractors related to a DoD contract, those contractors and subcontractors should also be CMMC certified. Also, even if your organization doesn’t access CUI, but you have access to FCI, you should be CMMC-certified.
DoD contractors must be certified at least at CMMC Level 1; however, more advanced cybersecurity measures may be required based on the nature of your organization and contractual agreement. We’ll go into more detail in another section below, but the five core CMMC certification levels are Level 1: Perform, Level 2: Document, Level 3: Manage, Level 4: Review, and Level 5: Optimize.
Because of the increasing number of cyber threats across all industries, and especially those emanating from foreign bad actors, the DoD’s Defense Industrial Base (DIB) is in the crosshairs for cyber attackers.
Since 2018, DoD contractors and subcontractors have been expected to meet NIST 800-171 compliance standards and take steps to protect all non-classified protected information as part of the government’s Controlled Unclassified Information (CUI) program. While many organizations developed their own security practices to safeguard CUI, overall, there was no common framework for holding organizations accountable. For this reason, the government released CMMC v1.0 in early 2020.
Drawing on NIST 800-171, the CMMC standards also pull from other frameworks best practices including NIST 800-53, ISO 27031, and ISO 27032. Together, they encompass a unified set of security standards that cover 17 domains from access control to system and information integrity.
CMMC requirements are expected to be included in all Requests for Information (RFIs) and Requests for Proposals (RFPs) from the Department of Defense for new contracts and renewals in 2020, so now is the time to build your CMMC framework to ensure you’ll ace that audit when it’s time to get your certification. Apptega can help. Apptega can help you effectively manage and report on your CMMC compliance.
In this on-demand video, you can learn more about how Apptega can help you:
Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC.
Apptega key features:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
The Cybersecurity Maturity Model Certification consists of 171 practices spanning five CMMC certification levels. Level 1, Perform, is the lowest CMMC level and covers basic cyber hygiene practices. Levels 2-5 are designed to mature your cybersecurity practices ranging from implementation of immediate cyber hygiene to advanced and progressive practices.
All CMMC levels, processes, and practices are cumulative beginning at Level 1. DoD will list CMMC level requirements in each RFI and RFP.
In the CMMC Compliance Domains and CMMC Capabilities sections below, we’ll take a deeper dive into the practices and processes related to each level. Before we do, we've provided a high level overview in the CMMC Certification Levels section below.
To assist DoD contractors seeking CMMC certification, an independent, nonprofit organization, CMMC Accreditation Body (CMMC-AB), was created in early 2020.
CMMC-AB oversees consultants and organizations certified to provide assistance for CMMC certification preparation. These assistants are either Registered Practitioners (RPs) or Registered Provider Organizations (RPOs):
CMMC-AB also oversees individuals and organizations certified to conduct CMMC certification assessments. These assessors are either Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs):
You can find a list of assessors in the CMMC Marketplace.
CMMC assessment costs vary based on your CMMC certification level and other factors such as the complexity of the work you do and your contractual obligations. There are no self-assessments for CMMC certification, however, you are encouraged to complete a self-assessment before you set an appointment for your formal CMMC assessment
Here are a few quick tips to help you prepare for your CMMC assessment:
Searching for guidance, assistance or tools as you prepare for CMMC certification?
The CMMC Marketplace in CyberXchange is mapped to all the controls defined in each of the CMMC Levels. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.
“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” — Ed Myers, Cape Henry Compliance Director
Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.
This report examines:
Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.
The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that are moving quickly to demonstrate CMMC compliance may have a competitive advantage over those that aren't. Learn how you can begin preparing and differentiating your organization today.
Read More
CMMC certification sets five core levels for compliance. Every DoD contractor and subcontractor should meet at least Level 1, which covers basic hygiene and will likely be applicable to many smaller contractors. Larger, more sophisticated projects will likely require higher certification levels, like Levels 4 and 5, which demonstrate highly-matured and well-documented cybersecurity practices to protect CUI. But what happens for mid-sized contractors? How do you know which certification level is right for the contract you’re interested in? Check out this blog to explore some of the benefits and risks related to CMMC.
Read More
Are you evaluating a move to Microsoft GCC or GCC High as you prepare for CMMC? Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for certification. You can even use it to map your existing NIST 800-171 practices to your CMMC certification goals. This new standard may affect more than 300,000 organizations, so if you’re one of them, you’ll want to have access to great tools that can help you develop your framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time. Check out this post to learn more about how Apptega can help you be confident in your CMMC compliance strategies and have clear insight into how you’re doing at any time.
Read More
Are you preparing for CMMC certification? Trying to determine your CMMC readiness and next steps? If you have questions and are seeking guidance, you’re not alone. Watch our recorded webinar now to hear the latest updates and recommendations from CMMC-AB and SecureStrux.
Watch Now
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.
Watch Now
