Learn how to prepare for CMMC certification
Cybersecurity Maturity Model Certification is required for contractors and subcontractors bidding on or renewing the Department of Defense contracts.Learn More
With 171 sub-controls spanning five levels, CMMC compliance can be challenging, especially at higher levels. Learn how you can adopt the framework and mature your program.Learn More
Contractors and subcontractors bidding on or renewing contracts with the Department of Defense should be CMMC-certified at least at Level 1 or higher.Learn More
Think your organization is ready to complete an accredited CMMC assessment? Here’s a look at how assessments work and who does them.Learn More
There are five levels of CMMC certification. The Department of Defense will list certification level requirements in all RFIs and RFPs.Learn More
There are 17 core domains at the heart of CMMC certification. Domains are introduced at Level 1 and related practices help mature your program as the levels increase.Learn More
There are 43 CMMC capabilities directly related to each of the 17 CMMC domains. Every domain has a related set of processes and capabilities for the five levels.Learn More
CMMC certification levels 2-5 assess your organization’s cybersecurity process maturity so you can create consistent, repeatable, high-quality processes.Learn More
While NIST 800-171 and CMMC certification are not the same, they are complementary, and you can map your CMMC and NIST 800-171 frameworks to each other.Learn More
Want to learn more about how to align your NIST 800-171 practices with your CMMC certification journey? Check out this webinar.Learn More
Have questions about CMMC compliance? This CMMC frequently asked questions section is a great place to start.Learn More
See how you can develop and manage your CMMC framework with ease in Apptega. You can even use Apptega to manage (and crosswalk) multiple frameworks in one platform.Learn More
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. CMMC standards apply to contractors and subcontractors wanting to bid on DoD projects.
CMMC is an extension of the Controlled Unclassified Information (CUI) program, a program the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
CUI standards are guided by a framework from the National Institute of Standards and Technology (NIST), NIST SP 800-171, which creates minimum standards for how organizations handle CUI information in non-federal information systems.
The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardization protocols to ensure they meet those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework in the Apptega cybersecurity and compliance management platform. With Apptega, you can easily identify which CMMC certification level is appropriate for your organization and use predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher) based on your relationship. Likewise, if you use contractors or subcontractors related to a DoD contract, those contractors and subcontractors should also be CMMC certified. Also, even if your organization doesn’t access CUI, but you have access to FCI, you should be CMMC-certified.
DoD contractors must be certified at least at CMMC Level 1; however, more advanced cybersecurity measures may be required based on the nature of your organization and contractual agreement. We’ll go into more detail in another section below, but the five core CMMC certification levels are Level 1: Perform, Level 2: Document, Level 3: Manage, Level 4: Review, and Level 5: Optimize.
Because of the increasing number of cyber threats across all industries, and especially those emanating from foreign bad actors, the DoD’s Defense Industrial Base (DIB) is in the crosshairs for cyber attackers.
Since 2018, DoD contractors and subcontractors have been expected to meet NIST 800-171 compliance standards and take steps to protect all non-classified protected information as part of the government’s Controlled Unclassified Information (CUI) program. While many organizations developed their own security practices to safeguard CUI, overall, there was no common framework for holding organizations accountable. For this reason, the government released CMMC v1.0 in early 2020.
Drawing on NIST 800-171, the CMMC standards also pull from other frameworks best practices including NIST 800-53, ISO 27031, and ISO 27032. Together, they encompass a unified set of security standards that cover 17 domains from access control to system and information integrity.
Contractors wanting to bid on or renew a contract with the DoD must become CMMC-certified. There are five CMMC certification levels that range from basic to mature cybersecurity practices. Level 1, for example, includes only the first 17 sets of controls that cover basic cyber hygiene, while Level 5 encompasses all 171 controls and is the highest level of CMMC certification.
In this CMMC compliance guide, you’ll learn more about:
CMMC requirements are expected to be included in all Requests for Information (RFIs) and Requests for Proposals (RFPs) from the Department of Defense for new contracts and renewals in 2020, so now is the time to build your CMMC framework to ensure you’ll ace that audit when it’s time to get your certification. Apptega can help. Apptega can help you effectively manage and report on your CMMC compliance.
In this on-demand video, you can learn more about how Apptega can help you:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
The Cybersecurity Maturity Model Certification consists of 171 practices spanning five CMMC certification levels. Level 1, Perform, is the lowest CMMC level and covers basic cyber hygiene practices. Levels 2-5 are designed to mature your cybersecurity practices ranging from implementation of immediate cyber hygiene to advanced and progressive practices.
All CMMC levels, processes, and practices are cumulative beginning at Level 1. DoD will list CMMC level requirements in each RFI and RFP.
In the CMMC Compliance Domains and CMMC Capabilities sections below, we’ll take a deeper dive into the practices and processes related to each level. Before we do, we've provided a high level overview in the CMMC Certification Levels section below.
At the Perform level, your organization must perform the specific practices outlined. Process maturity is not assessed at Level 1, so it’s possible your organization may take an ad-hoc approach to these processes, including documentation. Practices in Level 1 focus on protecting federal contract information (FCI) and are related to basic safeguarding for covered contractor information systems.
Unlike Level 1, the Document-level assesses maturity and requires that your organization creates and documents practices and policies related to CMMC. Your processes must be repeatable and in practice. Level 2 is a transitional stage from Level 1 to Level 3 and it’s designed to help your organization mature your program. It includes a subset of NIST 800-171 requirements and other practices as well as some security practices to protect CUI.
The Manage level requires your organization to create, maintain, and resource a plan outlining how you manage activities related to CMMC implementation including your goals, program mission, plans, resource information, training requirements, and which key stakeholders are involved with your CMMC program. Level 3 focuses on CUI protection, including standards from NIST 800-171 and other practices.
At the Review level, your organization must review and measure your practice effectiveness and be able to take corrective steps as needed, including informing higher-level management of your CMMC status and related issues. Like Level 3, Level 4 focuses on protecting CUI but goes deeper with a focus on advance persistent threats (APTs). It includes standards from NIST 800-171B and other practices. The goal is to help you better detect and respond to APT techniques, tactics, and procedures.
The Optimize level is the highest CMMC certification level. As part of Level 5 compliance, your organization must be able to standardize your security processes and optimize those processes for your entire organization. Level 5 focuses on protecting CUI and maturing your program’s depth and levels of sophistication.
At the heart of CMMC compliance are 17 core domains. Domains include security practices that encompass standards related to:
There are 43 total capabilities directly related to each of the 17 CMMC domains. Every domain has a related set of processes and capabilities (practices) spanning the five CMMC certification levels. We've listed each of the 17 CMMC domains, along with the capabilities that support each below.
1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
9. Media Protection
10. Personnel Security
11. Physical Protection
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity
CMMC certification levels 2-5 assess your cybersecurity process maturity. The objective is that if you embed these security processes within your organization, then it’s increasingly likely your team will accurately perform these activities consistently and in a repeatable, high-quality manner.Each CMMC domain and process has an extensive list of related practices, which are dependent on the CMMC certification level you need to obtain. For a complete list of these practices, check out the DoD’s CMMC guide for version 1.02.Here’s a list of CMMC processes as they’re related to each level:
Maturity Level: Performed
There are no maturity processes for Level 1. You must perform Level 1 practices, but you don't have to meet process requirements.
Maturity Level: Reviewed
Review and measure [related CMMC domain name] activities for effectiveness.
Maturity Level: Documented
Establish a policy that includes [related CMMC domain name]. Document CMMC practices use to implement [related CMMC domain name] policy.
Maturity Level: Optimizing
Standardize and optimize a documented approach for [related CMMC domain name] across all of your applicable organizational units.
Maturity Level: Managed
Establish, maintain, and resource a plan that includes [related CMMC domain name].
CMMC certification sets five core levels for compliance. Every DoD contractor and subcontractor should meet at least Level 1, which covers basic hygiene and will likely be applicable to many smaller contractors. Larger, more sophisticated projects will likely require higher certification levels, like Levels 4 and 5, which demonstrate highly-matured and well-documented cybersecurity practices to protect CUI. But what happens for mid-sized contractors? How do you know which certification level is right for the contract you’re interested in? Check out this blog to explore some of the benefits and risks related to CMMC.Read More
Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for certification. You can even use it to map your existing NIST 800-171 practices to your CMMC certification goals. This new standard may affect more than 300,000 organizations, so if you’re one of them, you’ll want to have access to great tools that can help you develop your framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time. Check out this post to learn more about how Apptega can help you be confident in your CMMC compliance strategies and have clear insight into how you’re doing at any time.Read More
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.Watch Now
There are more than 20 major cybersecurity frameworks out there today, so how do you know which is right for your organization? How do you know which ones are complementary or can be mapped to one another? Check out this on-demand webinar to learn more about: How some of the more common frameworks are used; Similarities between popular frameworks; and How to manage frameworks for compliance.Watch Now
As with any compliance standards, organizations inherently face a number of challenges when adopting a new cybersecurity framework and working toward demonstrating compliance. Apptega’s cybersecurity and compliance management platform can help you create your CMMC certification framework, get instant insight into where you are right now in meeting your CMMC compliance goals, and help you identify and remediate gaps before you undergo a formal CMMC certification assessment.
Here are some other ways Apptega can help you simplify and manage your CMMC compliance: