CMMC is a DoD certification and compliance program that will apply to DoD contractors.
CMMC leverages NIST 800-171's 110 security requirements which define the safeguarding requirements for controlled unclassified information (CUI) on nonfederal systems.
3 CMMC Levels
CMMC includes 3 levels. Level 1 includes 17 practices, level 2 includes 110 practices, and level 3 will include additional practices from NIST 800-172's enhanced security requirements.
The CyberAB (formerly known as the CMMC Accreditation Body) is responsible for authorizing and accrediting CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs are 3rd-party assessors who conduct CMMC assessments of companies within the Defense Industrial Base (DIB).
The majority of CMMC level 2 contracts will require a 3rd-party assessment by a C3PAO. All CMMC level 3 contracts will require a government conducted assessment. Successful assessments will result in certification.
All CMMC level 1 contracts will require self-assessments. Compliance will be achieved after the self-assessment has been completed and the results have been entered into the Supplier Performance Risk System (SPRS) website.
NIST 800-171 r2
Learn about NIST 800-171 and explore its 110 security requirements.
Learn about NIST 800-171A and explore its assessment procedures.
CMMC is a certification program that provides the DoD more assurance that the Defense Industrial Base (DIB) is protecting its controlled unclassified information (CUI) in accordance with the security requirements of NIST 800-171.
CMMC will be required in nearly ALL DoD contracts. If you haven't implemented CMMC, you won't be able to support the DoD.
We offer affordable CMMC online training here: CMMC Overview Training for Small and Medium Businesses (SMBs)
The level of CMMC required depends on the information your contracts involve, and the priority of your contracts.
- CMMC level 1 is required for contracts that involve federal contract information (FCI).
- CMMC level 2 is required for contracts that involve controlled unclassified information (CUI).
- CMMC level 3 is required for DoD's highest priority contracts that involve CUI.
Self-assessments are required for CMMC level 1.
A small number of CMMC level 2 contracts will allow for self-assessments, but it is anticipated that most will require a 3rd-party assessment.