How to Prepare for CMMC 2.0 Assessment and Certification
The Cybersecurity Maturity Model Certification (CMMC) program is a set of standards all organizations must meet to bid on or renew contracts with the United States Department of Defense (DoD). CMMC applies to DoD contractors and subcontractors.
DoD released CMMC model version 1.0 in January 2020, with the anticipation it would appear in all requests for information (RFIs) in June 2020 and then in all requests for proposals (RFPs) by fall 2020, followed later that year by version 1.02. More recently, in November 2021, DoD released the most current version, CMMC 2.0.
In this CMMC fundamental page, we’ll walk you through some key points about the Cybersecurity Maturity Model Certification 2.0 program, including what it is, who needs CMMC certification, and steps you can take to build your CMMC framework and work toward CMMC certification.
Cybersecurity Maturity Model Certification is a set of standards designed to help organizations protect CUI and FCI when engaging in DoD contracts.
When CMMC 2.0 rulemaking is finalized, the new framework will be added to Apptega’s compliance management platform.
All contractors and subcontractors bidding on or renewing contracts with the Department of Defense should be CMMC-certified at Level 1 or higher.
CMMC 2.0 streamlines the CMMC model, decreasing the number of certification levels from five in CMMC 1.0 to three in version 2.0.
In addition to a streamlined model and requirements, there are several other important changes in the new version.
Although key 2.0 changes have been announced, the current rulemaking process could take an additional nine to 24 months.
While NIST 800-171 and CMMC certification are not the same, they are complementary, and you can map your CMMC and NIST 800-171 frameworks to each other.
Think your organization is ready to complete an accredited CMMC assessment? Here’s a look at how assessments work and who does them.
In 2020, DoD established the CMMC-AB to help certify assessors to complete DoD-approved third-party assessments.
Need help finding CMMC tools, resources, or services that meet your organization’s specific needs? Check out CyberXchange.
Learn how one of our clients uses Apptega to help manage NIST and CMMC compliance and hear about its compliance success.
Need help preparing for CMMC? Check out this white paper with insights from real DoD contractors and subcontractors.
Curious about how to begin your Cybersecurity Maturity Model Certification journey? Check out these CMMC-related blogs for ideas and support.
Want to learn more about how to align your NIST 800-171 practices with your CMMC certification journey? Check out this webinar.
See how you can develop and manage your CMMC framework with ease in Apptega. You can even use Apptega to manage (and crosswalk) multiple frameworks in one platform.
Have basic questions about CMMC compliance? This CMMC frequently asked questions section is a great place to start.
Created by the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) program establishes a set of standards organizations must meet to be eligible to bid on or renew contracts with the U.S. Department of Defense (DoD).
The DoD released the first version of the CMMC model on January 31, 2020, and version 1.02 in March 2020. In November 2021, DoD announced the program was getting a revamp and that a number of changes would be included in CMMC 2.0, thereby eliminating previous guidelines established in CMMC 1.0.
One of the biggest changes is that the new version streamlines the CMMC model down from five certification levels to three, which more closely align with NIST 800-171 and NIST 800-172, and creates minimum standards for how organizations handle CUI in non-federal information systems.
Like the original CMMC, the new standards will apply to all contractors and subcontractors wanting to bid on or renew DoD projects, although in the interim, those requirements are not included in RFPs or RFIs.
At its heart, CMMC is an extension of the Controlled Unclassified Information (CUI) program, which the government created in 2010 to standardize how contractors and service providers handle non-classified, but protected government information.
The goal of CMMC is to protect CUI and to include CMMC as part of the Defense Federal Acquisition Regulation Supplement (DFARS) so it can be used as part of contract awarding requirements. Even if your organization doesn’t have CUI but does have federal contract information (FCI), you are expected to adhere to FAR Clause 52.204-21 and be certified at CMMC Level 1 (at a minimum).
Although contractors and subcontractors have been subject to NIST 800-171 compliance since 2018, the industry lacked any standardized protocols to verify that they met those requirements. As a result, many organizations created their own security practices to manage how they store, handle, and disseminate CUI.
To unify accountability, the government created CMMC for organizations involved in the bidding and renewal processes for DoD contracts.
You can find the CMMC framework based on version 1.0 in the Apptega cybersecurity and compliance management platform. When the framework for CMMC 2.0 is finalized, it will quickly be updated within the system. Once ready, Apptega can help you easily identify which CMMC certification level is appropriate for your organization and will guide you with predefined controls to build your framework and conduct an initial readiness assessment.
Reach your CMMC compliance goals by using Apptega to:
If your organization does business with the Department of Defense and you want to bid on or renew a DoD contract, you need to be CMMC-certified.
If you’re unsure, answer the following questions:
It’s important here to point out that if you’re a contractor or subcontractor who works directly with a DoD contractor, you should be CMMC-certified at least at Level 1 (or potentially higher).
When CMMC 2.0 rulemaking is finalized, those requirements will be included in new RFPs and RFIs. Likewise, if you use contractors or subcontractors related to an awarded DoD contract, those contractors and subcontractors should also be CMMC-certified.
While we’re still waiting on the finalized details of CMMC 2.0, check out this video demo of how Apptega helped organizations with the initial 1.0 requirements. It’s a great way to see how Apptega can help you effectively manage and report on compliance.
In this on-demand video, you can learn more about how Apptega can help you:
Apptega can help you manage your Cybersecurity Maturity Model Certification framework and other cybersecurity frameworks all in one platform. Using Apptega Harmony, you can even crosswalk your frameworks, for example, NIST 800-171 and CMMC 2.0.
Apptega key features:
CMMC 1.0 included five certification levels, but version 2.0 streamlines requirements down to three. It also removes the previous maturity processes and CMMC-unique security practices. The new levels closely align with the National Institute of Standards and Technology (NIST) cybersecurity standards.
Level 1 consists of 17 practices and permits an annual self-assessment for certification. It applies to organizations that handle FCI only.
We anticipate DoD will soon release the CMMC 2.0 model for Levels 1 and 2, their assessment guides, and scoping guidance. Level 3 information will follow when it’s available. Check back for updates on this page as soon as they’re available.
In addition to streamlining the CMMC model and decreasing the number of certification levels, the changes coming in CMMC 2.0 are likely to help reduce assessment costs for organizations. While some organizations that handle critical national security information at Level 2 will need third-party assessments every three years, self-assessments can now be used to demonstrate compliance at Level 1. That was not the case with CMMC 1.0. In some cases, depending on the CUI involved, self-assessments may also be possible at Level 2. Level 3, the highest level, will continue to require assessments conducted by the government.
Another significant change between CMMC 1.0 and CMMC 2.0 is reflected in the implementation processes. In CMMC 1.0, organizations were expected to achieve contract-level certification requirements prior to a DoD contract award or renewal. However, with 2.0, organizations may be able to use Plans of Action & Milestones (POA&Ms) for certification.
There are a number of restrictions on these POA&Ms for certification. For example, they’re likely to be time-bound, possibly limited to no more than 180 days. And while they may be permissible for some requirements, they will not be permitted for the highest-weighted compliance requirements, and a minimum score will be required to achieve certification with a POA&M.
Finally, CMMC 2.0 will also include the opportunity for waivers in some very limited circumstances, such as mission-critical incidents. These waivers, which will require senior DoD approval, will only be awarded on a case-by-case basis and, like POA&Ms, will be time-bound.
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
“The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
In late 2020, DoD announced plans to review CMMC standards. As such, it released an interim rule to DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements. The rule paved the way for DoD to begin processes to change the CMMC program with a goal of building on the initial CMMC framework to further enhance the Defense Industrial Base (DIB) against evolving cybersecurity threats.
While the original framework was designed to protect CUI and FCI, DoD recognized that risks evolve as the cybersecurity threat landscape changes, including advanced persistent threats (APTs). Proposed changes to the CMMC program are designed to help organizations better manage those risks while ensuring CUI and FCI protections.
In March 2021, DoD initiated an internal CMMC review. The review included evaluations of implementation and took into consideration some 850 comments received during a public comment period. The review and feedback helped DoD solidify five goals for the CMMC program:
There is a five-year phase-in period underway for CMMC 2.0.
While CMMC 2.0 goes through required rule-making processes, CMMC level information will not be included in DoD contracts.
Moving forward, DoD will be focused on completing mandatory rulemaking requirements for 32 CFR to establish the CMMC program, and 48 CFR to update contractual requirements in DFARS for program implementation.
The rulemaking process could take between nine and 24 months. There will also be a 60-day public comment period and concurrent congressional review during this process.
As DoD works to meet all of its rulemaking obligations, it will suspend its CMMC pilot program. DoD will also eliminate the requirements for mandatory CMMC certifications. However, once CMMC rulemaking is complete, organizations will be required to meet revised CMMC requirements as determined by the finalized regulations.
As this process continues, DoD is considering some incentives for organizations that voluntarily get a CMMC level 2 certification. The new level 2 is similar to level 3 in CMMC 1.0.
DoD also encourages all organizations in the DIB sector to continue efforts to enhance their cybersecurity posture during this time. Some organizations may find it helpful to conduct a self-assessment against NIST 800-171 to identify gaps and begin making plans to address them. DoD has also launched a website for Project Spectrum, which has an array of resources that can help organizations assess cyber readiness and improve security practices.
Until the rulemaking process is finished, CMMC participation is voluntary.
While DoD contractors and subcontractors have been expected to meet NIST 800-171 standards since at least 2018, self-attestation methods for compliance often varied from organization to organization. That’s why DoD implemented CMMC in 2020 with the goal of creating a verification method for compliance to compete for RFIs and RFPs.
CMMC compliance is not the same as NIST 800-171 compliance, but the two frameworks are complementary. The core difference is NIST 800-171 also includes non-federal organization (NFO) controls that aren’t part of CMMC. NIST 800-171, which was created in 2003, establishes a minimum set of standards that guide how organizations should safeguard CUI in non-federal information systems.
Tips for CMMC Assessment Preparation
CMMC assessment costs vary based on your CMMC certification level and other factors such as the complexity of the work you do and your contractual obligations. While CMMC 1.0 did not allow self-assessments for CMMC certification, CMMC 2.0 permits self-assessments for Level 1 certification, and in some instances for Level 2.
Regardless, if you’re planning a self-assessment for a certification or if you’re making sure you’re in a good place before you undergo a third-party or government-led certification assessment, here are a couple of tips to help you prepare:
To assist DoD contractors seeking CMMC certification, an independent, nonprofit organization, CMMC Accreditation Body (CMMC-AB), was created in early 2020.
CMMC-AB oversees a community of consultants and organizations certified to provide assistance with CMMC certification preparation. These advisors are either Registered Practitioners (RPs) or Registered Provider Organizations (RPOs):
CMMC-AB also oversees the individuals and organizations certified to conduct the actual CMMC certification assessments. These assessors are either Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs):
You can find a list of assessors in the CMMC Marketplace.
Searching for guidance, assistance or tools as you prepare for CMMC 2.0?
The CMMC Marketplace in CyberXchange is a great resource. If you know you have compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the NIST standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.
“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” — Ed Myers, Cape Henry Compliance Director
Download the CMMC Preparation Study to learn insights from Department of Defense prime contractors and subcontractors.
This white paper examines:
Additionally, this report provides correlations that serve as benchmarks to assist all contractors in the DIB with their plans for CMMC certification.
While CMMC 2.0 implementation dates are still being set and could change yet again, now is not the time for organizations to sit back and wait to see what happens next. If you believe you’re going to work with the DoD on these contracts, you may already be behind the eight ball if you haven’t started yet. So, what can you do? Here are 4 suggestions to help ensure you’re on the right track when phased implementation begins.
The U.S. Department of Defense recommends prime contractors and subcontractors in the Defense Industrial Base prepare for CMMC requirements in contracts now, even though no organizations are yet accredited to conduct official certification assessments. Additionally, companies that move quickly to demonstrate CMMC compliance may have a competitive advantage over those that don’t. Learn how you can begin preparing and differentiating your organization today.
Organizations of all sizes can use Apptega’s cybersecurity management platform to help implement and manage their CMMC program and prepare for self-assessment or third-party certification. They can even use it to map existing NIST 800-171 or NIST 800-172 practices to their CMMC certification goals. Learn how Apptega gives organizations access to tools that help develop a framework, instantly assess readiness, identify gaps and weaknesses, and mature the program over time.
Is your organization struggling to grasp where to start with its CMMC compliance strategy? Hear from Carter Schoenberg, CISSP/CMMC-RP and Vice President of SoundWay Consulting Inc., and Armistead Whitney, CEO of Apptega, as they talk through a reasonable timeline and budget to conform with CMMC, what your actionable next steps should be, and how to reduce your exposure to a breach of contract with the DoD.
If you’re already using NIST 800-171 as part of your overall cybersecurity practices—or you’re thinking of adopting it—there’s good news. You can align your NIST strategies with CMMC practices. Check out this on-demand webinar to learn more about: the relationship between NIST 800-171 and CMMC; how to become CMMC-certified; and challenges for companies facing compliance standards.
As with any compliance standards, organizations inherently face a number of challenges when adopting a new cybersecurity framework and working toward demonstrating compliance. Apptega’s cybersecurity and compliance management platform can help you create your CMMC certification framework, get instant insight into where you are right now in meeting your CMMC compliance goals, and help you identify and remediate gaps before you undergo a formal CMMC certification assessment.
Here are some other ways Apptega can help you simplify and manage your CMMC compliance: