Read our new eBook to learn how the new DoD Cybersecurity Maturity Model Certification (CMMC) requirement impacts DoD contractors.
The road to CMMC 2.0 compliance may seem long and difficult, but this guide makes it much less daunting by explaining each and every step contractors need to take in order to prepare for it, achieve it, and maintain it.
eBook Topics Include:
- What is CMMC 2.0?
- What are the CMMC Certification Levels?
- What is the difference between FCI and CUI?
- What is the difference between 800-171 and CMMC?
- What do contractors need to know about FAR and DFARS?
- CMMC Accreditation Body and Ecosystem
- How to prepare for a CMMC assessment?
- What does a third party CMMC assessment involve?
- How to ensure ongoing compliance?
Enter your email address to receive the eBook.
Download CMMC 2.0 Compliance eBook
In this eBook you will learn the following about CMMC 2.0:
- CMMC 2.0 overview
- Who CMMC 2.0 applies to and requirements
- How it impacts defense contractors
- CMMC 2.0 assessment preparation and process
- Certification process and ongoing compliance
“The new CMMC 2.0 framework is taking the defense industry by storm and there is a lot of confusion about what it involves and who it applies to. Our goal is to try to simplify all of the information on CMMC 2.0 into a clear and consolidated guide for DoD contractors.”
Excerpt From CMMC 2.0 eBook
The Cybersecurity Maturity Model Certification v2.0 is a new requirement for DoD contractors and subcontractors. It replaces the previous CMMC model and brings together cybersecurity requirements necessary to protect Federal Contract information (FCI) and Controlled Unclassified Information (CUI).
“Eventually, all DoD contractors and subcontractors that handle FCI or CUI will be required to meet CMMC requirements, documented either by third party assessment or self-assessment & attestation. ”
There are several major differences between CMMC 2.0 and CMMC 1.0:
- First, CMMC practices not directly taken from NIST SP 800-171 have been eliminated, at Level 2, this includes the 20 additional practices added to the 110 practices from NIST 800-171. The CMMC process maturity requirements (997/998/999) have also been removed.
- Second, only some contractors will be assessed by third-party entities (the so-called CMMC 3rd Party Assessor Organizations, or C3PAOs for short). CMMC 1.0 required all organizations to undergo a third-party assessment. CMMC 2.0 limits this to only those organizations that hold CUI data of a higher level of sensitivity. Organizations holding only FCI data, or CUI of lesser sensitivity, will now be required to conduct a self-assessment on an annual basis.
- Third, the five certification levels outlined in CMMC 1.0 have been reduced to only 3. Level 1, for organizations in possession of FCI, Level 2, for organizations in possession of CUI and Level 3, for organizations possessing prioritized CUI. Most likely, prioritized CUI will be restricted to CTI related to critical weapons systems and space or aerospace applications.
- Fourth, some open POAM items, with a limited remediation window, are now permitted. Controls that are assigned a 5-point weight in the existing SP 800-171A self-assessment process will likely be mandatory at assessment and not permitted in a POAM.
The first full version of the CMMC was published on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment in January 2020, and removed on November 4th, 2021, after an internal DOD review of the CMMC program concluded. Subsequently, CMMC 2.0 assessment guidelines and model documentation were posted to the OSD site in December 2021.