How to Prepare for CMMC 2.0 Assessment and Certification
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD). CMMC 2.0 applies to DoD contractors and subcontractors.
DoD released CMMC model version 1.0 in January 2020, with the expectation that it would appear in all requests for information (RFIs) in June 2020 and in all requests for proposals (RFPs) by fall 2020. Version 1.02 was released in March 2020. CMMC is not retroactive for existing contractors; however, if your organization wants to bid on new contracts or renew an existing contract, you must be CMMC-certified.
In November 2021, DoD released CMMC model version 2.0, which consolidated the original five certification levels into three.
In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.
Cybersecurity Maturity Model Certification is a set of standards designed to help organizations protect CUI and FCI when engaging in DoD contracts.
When CMMC 2.0 rulemaking is finalized, the new framework will be added to Apptega’s compliance management platform.
All contractors and subcontractors bidding on or renewing contracts with the Department of Defense should be CMMC-certified at Level 1 or higher.
CMMC 2.0 streamlines the CMMC model, decreasing the number of certification levels from five in version 1.0 to three in version 2.0.
In addition to a streamlined model and requirements, there are several other important changes in the new version.
Although key 2.0 changes have been announced, the current rulemaking process could take an additional nine to 24 months.
While NIST 800-171 and CMMC certification are not the same, they are complementary, and you can map your CMMC and NIST 800-171 frameworks to each other.
Think your organization is ready to complete an accredited CMMC assessment? Here’s a look at how assessments work and who does them.
In 2020, DoD established the CMMC-AB to help certify assessors to complete DoD-approved third-party assessments.
Need help finding CMMC tools, resources, or services that meet your organization’s specific needs? Check out CyberXchange.
Learn how one of our clients uses Apptega to help manage NIST and CMMC compliance and hear about its compliance success.
Need help preparing for CMMC? Check out this white paper with insights from real DoD contractors and subcontractors.
Curious about how to begin your Cybersecurity Maturity Model Certification journey? Check out these CMMC-related blogs for ideas and support.
Want to learn more about how to align your NIST 800-171 practices with your CMMC certification journey? Check out this webinar.
See how you can develop and manage your CMMC framework with ease in Apptega. You can even use Apptega to manage (and crosswalk) multiple frameworks in one platform.
Have basic questions about CMMC compliance? This CMMC frequently asked questions section is a great place to start.
There are three levels of CMMC certification. The Department of Defense will list certification level requirements in all RFIs and RFPs.
There are 17 core domains at the heart of CMMC certification. Domains are introduced at Level 1, and related practices help mature your program as the levels increase.
There are 43 CMMC capabilities directly related to the 17 CMMC domains. Every domain has a related set of processes and capabilities for the three levels.
CMMC certification levels 2-5 assess your organization’s cybersecurity process maturity so you can create consistent, repeatable, high-quality processes.
Learn how you can manage your CMMC certification and crosswalk it with other frameworks your organization follows.
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. CMMC standards apply to contractors and subcontractors wanting to bid on DoD projects.
CMMC is an extension of the Controlled Unclassified Information (CUI) program, a program the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
CUI standards are guided by a framework from the National Institute of Standards and Technology (NIST), NIST SP 800-171, which establishes minimum standards for how organizations handle CUI in non-federal information systems.
The goal of CMMC is to protect CUI and to include CMMC in the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as part of contract-award requirements. Even if your organization doesn’t handle CUI, if you have federal contract information (FCI) you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardized protocol to verify that they met those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework in the Apptega cybersecurity and compliance management platform. With Apptega, you can easily identify which CMMC certification level is appropriate for your organization and use predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at Level 1 (or potentially higher) based on your relationship. Likewise, if you use contractors or subcontractors on a DoD contract, those contractors and subcontractors should also be CMMC-certified. And even if your organization doesn’t access CUI, if you have access to FCI you should be CMMC-certified.
DoD contractors must be certified at least at CMMC Level 1; however, more advanced cybersecurity measures may be required based on the nature of your organization and contractual agreement. We’ll go into more detail in another section below, but the five core CMMC certification levels are Level 1: Perform, Level 2: Document, Level 3: Manage, Level 4: Review, and Level 5: Optimize.
Because of the increasing number of cyber threats across all industries, and especially those emanating from foreign bad actors, the DoD’s Defense Industrial Base (DIB) is in the crosshairs for cyber attackers.
Since 2018, DoD contractors and subcontractors have been expected to meet NIST 800-171 compliance standards and take steps to protect all non-classified protected information as part of the government’s Controlled Unclassified Information (CUI) program. While many organizations developed their own security practices to safeguard CUI, overall, there was no common framework for holding organizations accountable. For this reason, the government released CMMC v1.0 in early 2020.
Drawing on NIST 800-171, the CMMC standards also pull best practices from other frameworks, including NIST 800-53, ISO 27031, and ISO 27032. Together, they form a unified set of security standards that cover 17 domains, from access control to system and information integrity.
Contractors wanting to bid on or renew a contract with the DoD must become CMMC-certified. There are five CMMC certification levels that range from basic to mature cybersecurity practices. Level 1, for example, includes only the first 17 sets of controls that cover basic cyber hygiene, while Level 5 encompasses all 171 controls and is the highest level of CMMC certification.
In this CMMC compliance guide, you’ll learn more about:
CMMC requirements are expected to be included in all Requests for Information (RFIs) and Requests for Proposals (RFPs) from the Department of Defense for new contracts and renewals in 2020, so now is the time to build your CMMC framework to ensure you’ll ace that audit when it’s time to get your certification. Apptega can help you effectively manage and report on your CMMC compliance.
In this on-demand video, you can learn more about how Apptega can help you:
Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC.
Apptega key features:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
“The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
The Cybersecurity Maturity Model Certification consists of 171 practices spanning five CMMC certification levels. Level 1, Perform, is the lowest CMMC level and covers basic cyber hygiene practices. Levels 2-5 are designed to mature your cybersecurity practices ranging from implementation of immediate cyber hygiene to advanced and progressive practices.
All CMMC levels, processes, and practices are cumulative beginning at Level 1. DoD will list CMMC level requirements in each RFI and RFP.
In the CMMC Compliance Domains and CMMC Capabilities sections below, we’ll take a deeper dive into the practices and processes related to each level. Before we do, here is a high-level overview in the CMMC Certification Levels section.
At the Perform level, your organization must perform the specific practices outlined. Process maturity is not assessed at Level 1, so it’s possible your organization may take an ad-hoc approach to these processes, including documentation. Practices in Level 1 focus on protecting federal contract information (FCI) and are related to basic safeguarding for covered contractor information systems.
Unlike Level 1, the Document level assesses maturity and requires that your organization create and document practices and policies related to CMMC. Your processes must be repeatable and in practice. Level 2 is a transitional stage from Level 1 to Level 3, designed to help your organization mature its program. It includes a subset of NIST 800-171 requirements and other practices, as well as some security practices to protect CUI.
The Manage level requires your organization to create, maintain, and resource a plan outlining how you manage activities related to CMMC implementation including your goals, program mission, plans, resource information, training requirements, and which key stakeholders are involved with your CMMC program. Level 3 focuses on CUI protection, including standards from NIST 800-171 and other practices.
At the Review level, your organization must review and measure the effectiveness of its practices and be able to take corrective steps as needed, including informing higher-level management of your CMMC status and related issues. Like Level 3, Level 4 focuses on protecting CUI but goes deeper, with a focus on advanced persistent threats (APTs). It includes standards from NIST 800-171B and other practices. The goal is to help you better detect and respond to APT tactics, techniques, and procedures.
The Optimize level is the highest CMMC certification level. As part of Level 5 compliance, your organization must be able to standardize your security processes and optimize those processes for your entire organization. Level 5 focuses on protecting CUI and maturing your program’s depth and levels of sophistication.
At the heart of CMMC compliance are 17 core domains, each made up of security practices that encompass a related set of standards.
There are 43 total capabilities directly related to the 17 CMMC domains. Every domain has a related set of processes and capabilities (practices) spanning the five CMMC certification levels. We've listed each of the 17 CMMC domains, along with the capabilities that support each, below.
1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical Protection
12. Recovery
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity
CMMC certification levels 2-5 assess your cybersecurity process maturity. The objective is that if you embed these security processes within your organization, it becomes increasingly likely your team will accurately perform these activities consistently and in a repeatable, high-quality manner.
Each CMMC domain and process has an extensive list of related practices, which depend on the CMMC certification level you need to obtain. For a complete list of these practices, check out the DoD’s CMMC guide for version 1.02.
Here’s a list of CMMC processes as they relate to each level:
Maturity Level: Performed
There are no maturity processes for Level 1. You must perform Level 1 practices, but you don't have to meet process requirements.
Maturity Level: Documented
Establish a policy that includes [related CMMC domain name]. Document the CMMC practices used to implement the [related CMMC domain name] policy.
Maturity Level: Managed
Establish, maintain, and resource a plan that includes [related CMMC domain name].
Maturity Level: Reviewed
Review and measure [related CMMC domain name] activities for effectiveness.
Maturity Level: Optimizing
Standardize and optimize a documented approach for [related CMMC domain name] across all of your applicable organizational units.
While DoD contractors and subcontractors have been expected to meet NIST 800-171 standards since at least 2018, self-attestation methods for compliance have varied from organization to organization. That’s why DoD implemented CMMC in 2020, with the goal of creating a verification method for compliance when competing for RFIs and RFPs.
CMMC compliance is not the same as NIST 800-171 compliance, but the two frameworks are complementary. The core difference is NIST 800-171 also includes non-federal organization (NFO) controls that aren’t part of CMMC. NIST 800-171, which was created in 2003, establishes a minimum set of standards that guide how organizations should safeguard CUI in non-federal information systems.
CMMC Levels 1, 2, and 3 draw on the 110 security requirements outlined in NIST 800-171 and also draw on best practices from other standards, including NIST 800-53, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 Critical Security Controls for Effective Capability in Cyber Defense, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
To assist DoD contractors seeking CMMC certification, an independent, nonprofit organization, CMMC Accreditation Body (CMMC-AB), was created in early 2020.
CMMC-AB oversees consultants and organizations certified to provide assistance with CMMC certification preparation. These assistants are either Registered Practitioners (RPs) or Registered Provider Organizations (RPOs).
CMMC-AB also oversees individuals and organizations certified to conduct CMMC certification assessments. These assessors are either Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs).
You can find a list of assessors in the CMMC Marketplace.
CMMC assessment costs vary based on your CMMC certification level and other factors, such as the complexity of the work you do and your contractual obligations. There are no self-assessments for CMMC certification; however, you are encouraged to complete a self-assessment before you set an appointment for your formal CMMC assessment.
Here are a few quick tips to help you prepare for your CMMC assessment:
Searching for guidance, assistance or tools as you prepare for CMMC certification?
The CMMC Marketplace in CyberXchange is mapped to all the controls defined in each of the CMMC Levels. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.
“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” — Ed Myers, Cape Henry Compliance Director
Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.
This report examines:
Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.
The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that are moving quickly to demonstrate CMMC compliance may have a competitive advantage over those that aren't. Learn how you can begin preparing and differentiating your organization today.
CMMC certification sets five core levels for compliance. Every DoD contractor and subcontractor should meet at least Level 1, which covers basic hygiene and will likely be applicable to many smaller contractors. Larger, more sophisticated projects will likely require higher certification levels, like Levels 4 and 5, which demonstrate highly matured and well-documented cybersecurity practices to protect CUI. But what happens for mid-sized contractors? How do you know which certification level is right for the contract you’re interested in? Check out this blog to explore some of the benefits and risks related to CMMC.
Are you evaluating a move to Microsoft GCC or GCC High as you prepare for CMMC? Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage your CMMC program and prepare for certification. You can even use it to map your existing NIST 800-171 practices to your CMMC certification goals. This new standard may affect more than 300,000 organizations, so if you’re one of them, you’ll want to have access to great tools that can help you develop your framework, instantly assess your readiness, identify gaps and weaknesses, and mature your program over time. Check out this post to learn more about how Apptega can help you be confident in your CMMC compliance strategies and have clear insight into how you’re doing at any time.
Are you preparing for CMMC certification? Trying to determine your CMMC readiness and next steps? If you have questions and are seeking guidance, you’re not alone. Watch our recorded webinar now to hear the latest updates and recommendations from CMMC-AB and SecureStrux.
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: the relationship between NIST 800-171 and CMMC; how to become CMMC-certified; and challenges for companies facing compliance standards.
As with any compliance standard, organizations inherently face a number of challenges when adopting a new cybersecurity framework and working toward demonstrating compliance. Apptega’s cybersecurity and compliance management platform can help you create your CMMC certification framework, get instant insight into where you are right now in meeting your CMMC compliance goals, and help you identify and remediate gaps before you undergo a formal CMMC certification assessment.
Here are some other ways Apptega can help you simplify and manage your CMMC compliance:
You can access the CMMC Marketplace by going to https://cyberxchange.apptega.com/framework/cmmc-level-3. There you can quickly find the ideal services and products to help with CMMC preparation, including consultants with proven expertise in your specific compliance gaps.
©2022 All Rights Reserved. Apptega® is a registered trademark of Apptega, Inc.