CMMC

Cybersecurity Maturity Model Certification for defense contractors

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program designed to ensure that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 Levels

  • Level 1 (Foundational) - 15 basic safeguarding requirements (FAR 52.204-21)
  • Level 2 (Advanced) - 110 requirements aligned with NIST SP 800-171
  • Level 3 (Expert) - 110+ requirements including NIST SP 800-172

Assessment Types

  • Self-Assessment - Level 1 and some Level 2 contracts
  • Certification Assessment - Level 2 critical programs and Level 3
  • C3PAO Assessment - Third-party assessor organization certification

Key Components

  • Scoping - Defining CUI/FCI boundaries and asset categories
  • System Security Plan (SSP) - Documenting security implementation
  • POA&M - Plan of Action and Milestones for deficiencies
  • Assessment - Evaluating control implementation
  • Certification - Formal recognition of compliance

Implementation Approach

  • Asset identification and categorization
  • CUI flow mapping
  • Security control implementation
  • Evidence collection and documentation
  • Self-assessment and gap remediation
  • Preparation for third-party assessment