<img alt="" src="https://secure.badb5refl.com/165368.png" style="display:none;">

Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0

How to Prepare for CMMC 2.0 Assessment and Certification

CMMC Certification Dashboard

Understanding CMMC 2.0

CMMC Reports

The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD) contracts. CMMC 2.0 applies to DoD contractors and subcontractors. 

DoD released CMMC model version 1.0 in January 2020, with the anticipation it would appear in all requests for information (RFIs) in June 2020 and then in all requests for proposals (RFPs) by fall 2020. Version 1.02 was released in March. It is not retroactive for existing contractors; however, if your organization wants to bid on new contracts or renew an existing contract, you must be CMMC-certified.

In November 2021, the organization released CMMC model version 2.0 that consolidated the original 5 certification levels into 3 certification levels. 

In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.

Here’s What You’ll Learn:

What is CMMC?

Cybersecurity Maturity Model Certification is a set of standards designed to help organizations protect CUI and FCI when engaging in DoD contracts.

Learn More

Managing CMMC Certification

When CMMC 2.0 rulemaking is finalized, the new framework will be added to Apptega’s compliance management platform.

Learn More

Who Needs CMMC Certification?

All contractors and subcontractors bidding on or renewing contracts with the Department of Defense should be CMMC-certified at least at Level 1 or higher.

Learn More

New CMMC 2.0 Levels

CMMC 2.0 streamlines the CMMC model, decreasing the number of certification levels in CMMC 1.0 from five to three in version 2.0.

Other CMMC 2.0 Levels

In addition to a streamlined model and requirements, there are several other important changes in the new version.

CMMC 2.0 Timeline

Although key 2.0 changes have been announced, the current rulemaking process could take an additional nine to 24 months.

NIST 800-171 and CMMC

While NIST 800-171 and CMMC certification are not the same, they are complementary, and you can map your CMMC and NIST 800-171 frameworks to each other.

Learn More

Preparing for CMMC Assessment

Think your organization is ready to complete an accredited CMMC assessment? Here’s a look at how assessments work and who does them.

Learn More

Understanding CMMC-AB

In 2020, DoD established the CMMC-AB to help certify assessors to complete DoD-approved third-party assessments.

CMMC Marketplace

Need help finding CMMC tools, resources, or services that meet your organization’s specific needs? Check out CyberXchange.

Learn More

CMMC Case Study

Learn how one of our clients uses Apptega to help manage NIST and CMMC compliance and hear about its compliance success.

CMMC White Paper

Need help preparing for CMMC? Check out this white paper with insights from real DoD contractors and subcontractors.

CMMC Blog Snapshots

Curious about how to begin your Cybersecurity Maturity Model Certification journey? Check out these CMMC-related blogs for ideas and support.

Learn More

CMMC Webinar Snapshots

Want to learn more about how to align your NIST 800-171 practices with your CMMC certification journey? Check out this webinar.

Learn More

The Apptega Solution for CMMC Compliance

See how you can develop and manage your CMMC framework with ease in Apptega. You can even use Apptega to manage (and crosswalk) multiple frameworks in one platform.

Learn More

CMMC Certification FAQ

Have basic questions about CMMC compliance? This CMMC frequently asked questions section is a great place to start.

Learn More

Understanding CMMC Certification Levels

There are three levels of CMMC certification. The Department of Defense will list certification level requirements in all RFIs and RFPs.

Learn More

Understanding CMMC Domains

There are 17 core domains at the heart of CMMC certification. Domains are introduced at Level 1 and related practices help mature your program as the levels increase.

Learn More

Understanding CMMC Capabilities

There are 43 CMMC capabilities directly related to each of the 17 CMMC domains. Every domain has a related set of processes and capabilities for the three levels.

Learn More

Understanding CMMC Processes and Practices

CMMC certification levels 2-5 assess your organization’s cybersecurity process maturity so you can create consistent, repeatable, high-quality processes.

Learn More

Crosswalking Your CMMC Program

Learn how you can manage your CMMC certification and crosswalk it with other frameworks your organization follows.

Learn More
What is CMMC?
Managing Compliance
CMMC Certified
What is CMMC?

What is Cybersecurity Maturity Model Certification?

Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).

The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. CMMC standards apply to contractors and subcontractors wanting to bid on DoD projects.

CMMC is an extension of the Controlled Unclassified Information (CUI) program, a program the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.

CUI standards are guided by a framework from the National Institute of Standards and Technology (NIST), NIST SP 800-171, which creates minimum standards for how organizations handle CUI information in non-federal information systems.

The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. And, even if your organization doesn’t have CUI, but you have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).

Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardization protocols to ensure they meet those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.

To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.

Managing Compliance
CMMC Implementation Dashboard

Manage Your CMMC Framework and Compliance with Apptega

You can find the CMMC framework in the Apptega cybersecurity and compliance management platform. With Apptega, you can easily identify which CMMC certification level is appropriate for your organization and use predefined controls to build your framework and conduct an initial readiness assessment.

Reach your CMMC compliance goals by using Apptega to:

  • Assess your current compliance level
  • Identify gaps in your existing program
  • Manage remediation tasks to mature your CMMC practices
  • Map NIST 800-171 and CMMC using Apptega's Harmony capability
  • Improve your CUI security practices
  • Produce key data needed for your System Security Report (SSP)
  • Produce key data needed for your Plan of Action and Milestones (POA&M) report
  • Simplify your CMMC certification process
  • Ensure CMMC compliance with minimal overhead
Get Demo
CMMC Certified

Does Your Organization Need to be CMMC-Certified?

If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified. 

If you’re unsure, answer the following questions:

  • Does your organization provide goods and services for DoD?
  • Are you a subcontractor for an organization that does direct business with DoD?
  • Is your organization expected to comply with DFARS 252-7012 and or NIST 800-171?
  • Is your current information security provider an approved CMMC independent assessor?
    If you answered yes to any of these, you may need a CMMC certification. 

It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher) based on your relationship. Likewise, if you use contractors or subcontractors related to a DoD contract, those contractors and subcontractors should also be CMMC certified. Also, even if your organization doesn’t access CUI, but you have access to FCI, you should be CMMC-certified.

DoD contractors must be certified at least at CMMC Level 1; however, more advanced cybersecurity measures may be required based on the nature of your organization and contractual agreement. We’ll go into more detail in another section below, but the five core CMMC certification levels are Level 1: Perform, Level 2: Document, Level 3: Manage, Level 4: Review, and Level 5: Optimize.

CMMC 2.0 Compliance Guide

Because of the increasing number of cyber threats across all industries, and especially those emanating from foreign bad actors, the DoD’s Defense Industrial Base (DIB) is in the crosshairs for cyber attackers. 

Since 2018, DoD contractors and subcontractors have been expected to meet NIST 800-171 compliance standards and take steps to protect all non-classified protected information as part of the government’s Controlled Unclassified Information (CUI) program. While many organizations developed their own security practices to safeguard CUI, overall, there was no common framework for holding organizations accountable. For this reason, the government released CMMC v1.0 in early 2020.

Drawing on NIST 800-171, the CMMC standards also pull from other frameworks best practices including NIST 800-53ISO 27031, and ISO 27032. Together, they encompass a unified set of security standards that cover 17 domains from access control to system and information integrity.

Contractors wanting to bid on or renew a contract with the DoD must become CMMC-certified. There are five CMMC certification levels that range from basic to mature cybersecurity practices. Level 1, for example, includes only the first 17 sets of controls that cover basic cyber hygiene, while Level 5 encompasses all 171 controls and is the highest level of CMMC certification.

In this CMMC compliance guide, you’ll learn more about:

  • All 5 CMMC certification levels
  • Who needs CMMC certification
  • How to prepare for a CMMC assessment
  • CMMC compliance challenges
  • Using Apptega for your CMMC framework
  • References for additional CMMC support

CMMC Video Demo

CMMC requirements are expected to be included in all Requests for Information (RFIs) and Requests for Proposals (RFPs) from the Department of Defense for new contracts and renewals in 2020, so now is the time to build your CMMC framework to ensure you’ll ace that audit when it’s time to get your certification. Apptega can help. Apptega can help you effectively manage and report on your CMMC compliance.

CMMC Certification Dashboard

In this on-demand video, you can learn more about how Apptega can help you:

  • Map your CMMC framework to NIST 800-171
  • Assess your CMMC readiness 
  • Manage risk remediation and compliance gaps
  • Create reports on all security controls for your System Security Plan (SSP)
  • Document risk assessments 
  • Document corrective actions (plans and status) for your POA&M

CMMC Compliance Framework

CMMC Design Dashboard

Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC. 

Apptega key features:

  • More than 16 security frameworks
  • Questionnaire-based assessments
  • One-click reporting
  • Real-time compliance scoring
  • Auditor viewing options
  • Policy and plan templates
  • Task Packs and automated task management
  • Assessments based on an easy-to-use questionnaire format

What Our Customers Are Saying

pete headshot
Dr. Pete Dowdy
Senior Director, Information Security, Envistacom

"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."

Thad Wellin Headshot
Thad Wellin
CMMC Lead, SecureStrux

"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”

Ed Myers headshot
Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Understanding the Five Levels of CMMC Certification

The Cybersecurity Maturity Model Certification consists of 171 practices spanning five CMMC certification levels. Level 1, Perform, is the lowest CMMC level and covers basic cyber hygiene practices. Levels 2-5 are designed to mature your cybersecurity practices ranging from implementation of immediate cyber hygiene to advanced and progressive practices.

Levels of CMMC Certification

All CMMC levels, processes, and practices are cumulative beginning at Level 1. DoD will list CMMC level requirements in each RFI and RFP.

In the CMMC Compliance Domains and CMMC Capabilities sections below, we’ll take a deeper dive into the practices and processes related to each level. Before we do, we've provided a high level overview in the CMMC Certification Levels section below. 

CMMC Certification Levels

Level 1
Level 2
Level 3
Level 4
Level 5
Level 1

CMMC Certification Level 1: Perform

  • Practice: Basic Cyber Hygiene
  • Focus: Safeguard FCI
  • Number of Practices Introduced: 17

At the Perform level, your organization must perform the specific practices outlined. Process maturity is not assessed at Level 1, so it’s possible your organization may take an ad-hoc approach to these processes, including documentation. Practices in Level 1 focus on protecting federal contract information (FCI) and are related to basic safeguarding for covered contractor information systems.

Level 2

CMMC Certification Level 2: Document

  • Practice: Intermediate Cyber Hygiene 
  • Focus: Transition step in cybersecurity maturity progression for CUI protection
  • Number of Practices Introduced: 55

Unlike Level 1, the Document-level assesses maturity and requires that your organization creates and documents practices and policies related to CMMC. Your processes must be repeatable and in practice. Level 2 is a transitional stage from Level 1 to Level 3 and it’s designed to help your organization mature your program. It includes a subset of NIST 800-171 requirements and other practices as well as some security practices to protect CUI.

Level 3

CMMC Certification Level 3: Manage

  • Practice: Good Cyber Hygiene
  • Focus: Protect CUI
  • Number of Practices Introduced: 58

The Manage level requires your organization to create, maintain, and resource a plan outlining how you manage activities related to CMMC implementation including your goals, program mission, plans, resource information, training requirements, and which key stakeholders are involved with your CMMC program. Level 3 focuses on CUI protection, including standards from NIST 800-171 and other practices.

Level 4

CMMC Certification Level 4: Review

  • Practice: Proactive
  • Focus: Protect CUI and reduce the risk of APTs
  • Number of Practices Introduced: 26

At the Review level, your organization must review and measure your practice effectiveness and be able to take corrective steps as needed, including informing higher-level management of your CMMC status and related issues. Like Level 3, Level 4 focuses on protecting CUI but goes deeper with a focus on advance persistent threats (APTs). It includes standards from NIST 800-171B[6] and other practices. The goal is to help you better detect and respond to APT techniques, tactics, and procedures.

Level 5

CMMC Certification Level 5: Optimize

  • Practice: Advanced/Progressive
  • Focus: Protect CUI and reduce the risk of APTs
  • Number of Practices Introduced: 15

The Optimize level is the highest CMMC certification level. As part of Level 5 compliance, your organization must be able to standardize your security processes and optimize those processes for your entire organization. Level 5 focuses on protecting CUI and maturing your program’s depth and levels of sophistication.

CMMC Domains & Capabilities

Overview of 17 CMMC Domains and 43 CMMC Capabilities

At the heart of CMMC compliance are 17 core domains. Domains include security practices that encompass standards related to:

  • Federal Information Processing Standards (FIPS) Publication 200[12]
  • Security requirements from NIST 800-171[4]
  • Asset management
  • Recovery
  • Situational awareness

There are 43 total capabilities directly related to each of the 17 CMMC domains. Every domain has a related set of processes and capabilities (practices) spanning the five CMMC certification levels. We've listed each of the 17 CMMC domains, along with the capabilities that support each below. 

1. Access Control

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data to authorized users and processes

2. Asset Management 

  • Identify and document assets
  • Manage asset inventory

3. Audit and Accountability 

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

4. Awareness and Training

  • Conduct security awareness activities
  • Conduct training

5. Configuration Management 

  • Establish configuration baselines
  • Perform configuration and change management

6. Identification and Authentication

  • Grant access to authenticated entities

7. Incident Response

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

8. Maintenance

  • Manage maintenance

9. Media Protection

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

10. Personnel Security

  • Screen personnel
  • Protect CUI during personnel activities

11. Physical Protection

  • Limit physical access

12. Recovery

  • Manage backups
  • Manage information security continuity

13. Risk Management

  • Identify and evaluate risk
  • Manage risk
  • Manage supply chain risk

14. Security Assessment

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

15. Situational Awareness

  • Implement threat monitoring

16. Systems and Communications Protection

  • Define security requirements for systems and communications
  • Control communications at system boundaries

17. System and Information Integrity

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Understanding Cybersecurity Maturity Model Certification Processes and Practices

CMMC certification levels 2-5 assess your cybersecurity process maturity. The objective is that if you embed these security processes within your organization, then it’s increasingly likely your team will accurately perform these activities consistently and in a repeatable, high-quality manner.Each CMMC domain and process has an extensive list of related practices, which are dependent on the CMMC certification level you need to obtain. For a complete list of these practices, check out the DoD’s CMMC guide for version 1.02.Here’s a list of CMMC processes as they’re related to each level:

Level 1

Maturity Level: Performed
There are no maturity processes for Level 1. You must perform Level 1 practices, but you don't have to meet process requirements.

Level 4

Maturity Level: Reviewed
Review and measure [related CMMC domain name] activities for effectiveness.

Level 2

Maturity Level: Documented
Establish a policy that includes [related CMMC domain name]. Document CMMC practices use to implement [related CMMC domain name] policy.

Level 5

Maturity Level: Optimizing
Standardize and optimize a documented approach for [related CMMC domain name] across all of your applicable organizational units.

Level 3

Maturity Level: Managed
Establish, maintain, and resource a plan that includes [related CMMC domain name].

Understanding NIST 800-171
& CMMC Certification

While DoD contractors and subcontractors have been expected to meet NIST 800-171 standards since at least 2018, self-attestation methods for compliance have varied from organization to organization. That’s why DoD implemented CMMC in 2020 with the goal of creating a verification method for compliance to compete for RFIs and RFPs.

CMMC compliance is not the same as NIST 800-171 compliance, but the two frameworks are complementary. The core difference is NIST 800-171 also includes non-federal organization (NFO) controls that aren’t part of CMMC. NIST 800-171, which was created in 2003, establishes a minimum set of standards that guide how organizations should safeguard CUI in non-federal information systems.

CMMC Levels 1, 2, and 3 draws on the 110 security requirements outlined in NIST 800-171 and also draw on best practices from other standards, including NIST 800-53, as well as Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 Critical Security Controls for Effective Capability in Cyber Defense, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Preparing for CMMC Certification

To assist DoD contractors seeking CMMC certification, an independent, nonprofit organization, CMMC Accreditation Body (CMMC-AB), was created in early 2020. 

CMMC Marketplace in CyberXchange

CMMC-AB oversees consultants and organizations certified to provide assistance for CMMC certification preparation. These assistants are either Registered Practitioners (RPs) or Registered Provider Organizations (RPOs):

  • A Registered Practitioner (RP) provides assistance services to DoD contractors, conducts readiness assessments, and helps organizations prepare for the certification process. RPs can’t conduct CMMC certification assessments.
  • A Registered Provider Organization (RPO) is familiar with the basics of CMMC standards and provides consulting services to DoD contractors. These services help DoD contractors with readiness assessments and certification preparation. RPO designation indicates the organization agrees to the CMMC-AB Code of Professional Conduct. An RPO must have at least one RP on staff.

CMMC-AB also oversees individuals and organizations certified to conduct CMMC certification assessments. These assessors are either Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs): 

  • A Certified Assessor (CA) has completed the background, training, and examination requirements outlined by CMMC-AB (at one of three levels) and have a CMMC certification. Assessors are not CMMC-AB employees.
  • A Certified Third-Party Assessment Organization (C3PAO) is an organization approved to conduct CMMC certification assessments for DoD contractors and provide consultative advice.

You can find a list of assessors in the CMMC Marketplace.

Tips to Prepare for CMMC Certification Assessment

CMMC assessment costs vary based on your CMMC certification level and other factors such as the complexity of the work you do and your contractual obligations. There are no self-assessments for CMMC certification, however, you are encouraged to complete a self-assessment before you set an appointment for your formal CMMC assessment

CMMC Assessments

Here are a few quick tips to help you prepare for your CMMC assessment:

  • Understand which CMMC level applies to your organization. Your level of CUI access may help you make this determination.
  • Explore your existing cybersecurity practices to identify where your existing practices align with CMMC and where you have gaps
  • Make a plan to remediate those gaps
  • Do an internal audit (self-assessment or with the assistance of an RPO) on your degree of compliance with CMMC
  • Connect with a CMMC assessor from the CMMC Marketplace to schedule your assessment

CMMC Marketplace

CMMC Marketplace

Searching for guidance, assistance or tools as you prepare for CMMC certification?

The CMMC Marketplace in CyberXchange is mapped to all the controls defined in each of the CMMC Levels. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

CMMC & NIST 800-171 In Action

Cape Henry

Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.

“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” Ed Myers, Cape Henry Compliance Director

CMMC Preparation Study Whitepaper

CMMC Prep Study Cover

Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.

This report examines:

  • CMMC perspectives
  • Current NIST 800-171 compliance status
  • Approach and scope of CMMC preparation
  • Cost estimates

Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.

CMMC Blogs

CMMC Assessments Made Easy

NEW! Don't Delay CMMC: Get Started With a CMMC Self-Assessment Now

The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that are moving quickly to demonstrate CMMC compliance may have a competitive advantage over those that aren't. Learn how you can begin preparing and differentiating your organization today.

Read More
CMMC Certification Requirement

CMMC Certification Required for Government Contractors and Subcontractors

CMMC certification sets five core levels for compliance. Every DoD contractor and subcontractor should meet at least Level 1, which covers basic hygiene and will likely be applicable to many smaller contractors. Larger, more sophisticated projects will likely require higher certification levels, like Levels 4 and 5, which demonstrate highly-matured and well-documented cybersecurity practices to protect CUI. But what happens for mid-sized contractors? How do you know which certification level is right for the contract you’re interested in? Check out this blog to explore some of the benefits and risks related to CMMC.

Read More
Apptega Adds CMMC

Microsoft GCC or GCC High for CMMC and DFARS Compliance?

Are you evaluating a move to Microsoft GCC or GCC High as you prepare for CMMC? Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for certification. You can even use it to map your existing NIST 800-171 practices to your CMMC certification goals. This new standard may affect more than 300,000 organizations, so if you’re one of them, you’ll want to have access to great tools that can help you develop your framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time. Check out this post to learn more about how Apptega can help you be confident in your CMMC compliance strategies and have clear insight into how you’re doing at any time.

Read More

CMMC Webinars

Preparing for CMMC Webinar

Preparing for CMMC Certification

Are you preparing for CMMC certification? Trying to determine your CMMC readiness and next steps? If you have questions and are seeking guidance, you’re not alone. Watch our recorded webinar now to hear the latest updates and recommendations from CMMC-AB and SecureStrux.

Watch Now
NIST 800-171 & CMMC Minimize Risk

NIST SP 800-171 and CMMC: Minimize Your Risk of Losing Business Opportunities

If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: The relationship between NIST 800-171 and CMMC; How to become CMMC-certified; and Challenges for companies facing compliance standards.

Watch Now

Apptega Product Highlights

CMMC Compliance Made Easy With Apptega

As with any compliance standards, organizations inherently face a number of challenges when adopting a new cybersecurity framework and working toward demonstrating compliance. Apptega’s cybersecurity and compliance management platform can help you create your CMMC certification framework, get instant insight into where you are right now in meeting your CMMC compliance goals, and help you identify and remediate gaps before you undergo a formal CMMC certification assessment. 

Here are some other ways Apptega can help you simplify and manage your CMMC compliance:

  • Select from an ever-growing library of cybersecurity frameworks or create your own with configurable controls
  • Quickly complete questionnaire-based assessments and use Autoscoring to pinpoint program gaps
  • Eliminate overhead and redundancy by consolidating frameworks in one platform
  • Access real-time scoring, task management, calendar events, collaboration, budgets and vendor management all in the Apptega solution
  • Build, manage, and report on all your cybersecurity process easily through a series of apps representing important controls within your program
  • Monitor specific controls and policies at a granular level
  • Access an easy-to-understand dashboard to quickly identify gaps and improve your security posture
  • Access preset checklists and already created policy and plan templates
  • Create audit-ready compliance reports and produce the data needed for your System Security Plan (SSP) and your Plan of Action and Milestones (POA&M) documents.
  • Rely on certified cybersecurity professionals for assistance and support

Trusted by Companies of All Sizes

International Auto Logistics Logo
Aadya Security
Imprivata logo
Countertrade logo
IJM Logo
Cape Henry Logo

Frequently Asked Questions about CMMC (FAQs)

What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification, also known as CMMC, is a set of security standards designed to guide how organizations handle and protect controlled unclassified information (CUI) and federal contract information (FCI). It was created by the U.S. government and applies to Department of Defense (DoD) contractors and subcontractors wanting to bid on or renew DoD contracts. Organizations must meet at least Level 1 compliance, with progressively more detailed and mature requirements based on more complicated contract requirements and access to CUI. CMMC assessments for certification are conducted by accredited auditors and certifications last three years. DoD released CMMC version 1.0 in January 2020 and version 1.02 in March 2020.
Who guides CMMC?
The Department of Defense guides CMMC. Additionally, an independent, nonprofit organization known as the CMMC Accreditation Body, created in early 2020, establishes and oversees assessors that conduct assessments to participating organizations using a set of best practices within the Cybersecurity Maturity Model Certification (CMMC) program. In support of DoD contractors seeking certification, CMMC-AB established accreditation processes for Registered Practitioners (RPs), Registered Provider Organizations (RPOs), Certified Assessors (CAs), and Certified Third-Party Assessment Organizations (C3PAOs).
What is a CMMC Organization Seeking Certification (OSC)?
A CMMC Organization Seeking Certification (OSC) is generally a DoD contractor undergoing a CMMC assessment certification process for a formal certification.
What is a CMMC Registered Practitioner (RP)?
A CMMC Registered Practitioner (RP) provides assistance to DoD contractors, conducts readiness assessments, and helps organizations prepare for CMMC certification. RPs do not conduct CMMC certification assessments.
What is a CMMC Registered Provider Organization (RPO)?
A CMMC Registered Provider Organization (RPO) is an organization authorized to provide consulting services to help organizations prepare for CMMC certification. These services are intended to assist DoD contractors with readiness assessments and prepare for certification. The RPO designation indicates the RPO has agreed to the CMMC-AB Code of Professional Conduct. An RPO must have at least one Registered Provider on staff.
What is a CMMC Certified Assessor (CA)?
A CMMC certified assessor is a person who has completed the background, training, and examination requirements outlined by the CMMC-AB (at one of three levels) and who is certified. Assessors are independent of CMMC-AB.
What is a Certified Third-Party Assessment Organization (C3PAO)?
A certified third-party assessment organization (C3PAO) is an organization certified to conduct CMMC certification assessments for DoD contractors and provide consultative advice.
Why is CMMC needed?
CMMC is needed to help unify standards for DoD contractors and subcontractors. DoD contractors and subcontractors have been required to adhere to NIST 800-171 standards since 2018; however, previously there was not a unified set of standards to ensure organizations met those requirements. To unify accountability, the government created the Cybersecurity Maturity Model Certification (CMMC) program with the intent to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as a part of contract awarding requirements. CMMC, which consists of 17 domains covering everything from basic cyber hygiene to advanced practices, outlines requirements for how organizations should handle and protect CUI.
What does it mean to be CMMC certified?
To become CMMC certified, your organization must successfully complete an assessment by an accredited third-party assessment organization or independent accredited assessor based on requirements for the CMMC certification level you are required to meet. DoD will specify CMMC requirement levels in RFIs and RFPs. CMMC certifications are valid for three years. The results of your CMMC assessment are not released to the public, nor is your CMMC certification level.
Who is subject to CMMC compliance?
Contractors and subcontractors bidding on new contracts or contract renewals are subject to CMMC compliance. If you work with contractors and/or subcontractors for related DoD contract work, those contractors and subcontractors must also be CMMC-certified.
What happens if you are not CMMC-certified?
If your organization is not certified at the CMMC level outlined in the RFI or RFP by the time of contract award, you will be disqualified from participating in that contract.
What is a cybersecurity maturity assessment?
A cybersecurity maturity assessment is an assessment of your organization’s cybersecurity processes to determine how well your organization can protect your assets and data from cyber threats.
What are the five levels of CMMC certification?
The five levels of CMMC certification begin with Level 1: Perform, the least mature set of standards, and progress to Level 2: Document, Level 3: Manage, Level 4: Review, Level 5 Optimize. The Department of Defense will include certification level requirements in requests for information (RFIs) and requests for proposals (RFPs).
What is CUI?
CUI stands for controlled unclassified information. CUI encompasses protected but unclassified information that requires additional safeguarding, security, and dissemination controls.
What is a CMMC domain?
A CMMC domain is part of the Cybersecurity Maturity Model Certification (CMMC) program. There are 17 domains. These domains draw on best practices of NIST 800-171, the Federal Information Processing Standards (FIPS) Publication 200 [12], as well as asset management, recovery, and situational awareness.
What is a CMMC capability?
CMMC capabilities are part of a set of processes that span each of the 17 CMMC domains.
How many CMMC practices are there?
There are 171 CMMC practices across the 17 CMMC domains. Seventeen practices are introduced at Level 1, 55 at Level 2, 58 at Level 3, 26 at Level 4, and 15 at Level 5.
What is the most current version of CMMC?
The most current version of CMMC is version 1.02, which was released in March 2020.
How long does a CMMC certification last?
Generally, your Cybersecurity Maturity Model certificate will last three years.
Is there a CMMC compliance framework?
Yes. There is a CMMC compliance framework and it is available in the Apptega cybersecurity and compliance management platform. With the platform, you can map the CMMC framework to other frameworks, such as NIST 800-171.
How is CMMC related to NIST 800-171?
CMMC certification is related to NIST 800-171 because it draws on many best practices outlined by NIST 800-171; however, certification processes for the two are not the same and being compliant for one does not guarantee that you are compliant for the other.
Is CMMC certification the same as NIST 800-171 compliance?
No. CMMC certification and NIST 800-171 compliance are not the same. However, the two frameworks are complementary and you can map your CMMC framework to NIST 800-171. CMMC draws on many standards outlined by NIST 800-171, but NIST 800-171 also includes non-federal organization (NFO) controls.
How can I access the CMMC Marketplace?

You can access the CMMC Marketplace by going to https://cyberxchange.apptega.com/framework/cmmc-level-3. There you can quickly find the ideal services and products to help with CMMC preparation, including consultants with proven expertise in your specific compliance gaps.