CMMC 2.0

Learn about the Cybersecurity Maturity Model Certification (CMMC) 2.0 and explore its practices.

  • Purpose

    CMMC is a DoD certification and compliance program that will apply to DoD contractors.

  • NIST 800-171

    CMMC leverages NIST 800-171's 110 security requirements, which define the safeguarding requirements for controlled unclassified information (CUI) on nonfederal systems.

  • 3 CMMC Levels

    CMMC includes 3 levels. Level 1 includes 17 practices, level 2 includes 110 practices, and level 3 will include additional practices from NIST 800-172's enhanced security requirements.

  • CyberAB

    The CyberAB (formerly known as the CMMC Accreditation Body) is responsible for authorizing and accrediting CMMC Third-Party Assessment Organizations (C3PAOs). C3PAOs are 3rd-party assessors who conduct CMMC assessments of companies within the Defense Industrial Base (DIB).

  • Certification

    The majority of CMMC level 2 contracts will require a 3rd-party assessment by a C3PAO. All CMMC level 3 contracts will require a government-conducted assessment. Successful assessments will result in certification.

  • Compliance

    All CMMC level 1 contracts will require self-assessments. Compliance will be achieved after the self-assessment has been completed and the results have been entered into the Supplier Performance Risk System (SPRS) website.

NIST 800-171 r2

Learn about NIST 800-171 and explore its 110 security requirements.

NIST 800-171A

Learn about NIST 800-171A and explore its assessment procedures.

What is the purpose of CMMC?

CMMC is a certification program that provides the DoD more assurance that the Defense Industrial Base (DIB) is protecting its controlled unclassified information (CUI) in accordance with the security requirements of NIST 800-171.

Why do I need to implement CMMC?

CMMC will be required in nearly ALL DoD contracts. If you haven't implemented CMMC, you won't be able to support the DoD.

How can I find training on CMMC?

We offer affordable CMMC online training here: CMMC Overview Training for Small and Medium Businesses (SMBs)

What level of CMMC do I need?

The level of CMMC required depends on the information your contracts involve and the priority of your contracts.

  • CMMC level 1 is required for contracts that involve federal contract information (FCI).
  • CMMC level 2 is required for contracts that involve controlled unclassified information (CUI).
  • CMMC level 3 is required for DoD's highest priority contracts that involve CUI.

Can I self-assess for CMMC?

Self-assessments are required for CMMC level 1.

A small number of CMMC level 2 contracts will allow for self-assessments, but it is anticipated that most will require a 3rd-party assessment.

Where can I find a list of the CMMC controls?

We have published the CMMC controls here: CMMC 2.0 Controls
