CMMC is a DoD certification and compliance program that will apply to DoD contractors.
CMMC leverages NIST 800-171's 110 security requirements, which define the safeguarding requirements for controlled unclassified information (CUI) on nonfederal systems.
3 CMMC Levels
CMMC includes 3 levels. Level 1 includes 15 requirements, Level 2 includes 110 requirements, and Level 3 will include 24 additional requirements drawn from NIST 800-172's enhanced security requirements.
The CyberAB (formerly known as the CMMC Accreditation Body) is responsible for authorizing and accrediting CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs are third-party assessors who conduct CMMC assessments of companies within the Defense Industrial Base (DIB).
The majority of CMMC Level 2 contracts will require a third-party assessment by a C3PAO. All CMMC Level 3 contracts will require a government-conducted assessment. Successful assessments will result in certification.
All CMMC Level 1 contracts will require self-assessments. Compliance will be achieved once the self-assessment has been completed and the results have been entered into the Supplier Performance Risk System (SPRS) website.
NIST 800-171 r2
Learn about NIST 800-171 and explore its 110 security requirements.
Learn about NIST 800-171A and explore its assessment procedures.
CMMC is a certification program that provides the DoD more assurance that the Defense Industrial Base (DIB) is protecting its controlled unclassified information (CUI) in accordance with the security requirements of NIST 800-171.