CMMC Overview

The CMMC (Cybersecurity Maturity Model Certification) 2.0 framework is designed to apply consistent cybersecurity standards to defense contractors and subcontractors that handle Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI). It’s crucial to keep abreast of any updates or changes to these procedures by consulting the relevant DoD or CMMC resources.

General Considerations:

  • Documentation and Evidence: Regardless of the level, you should maintain comprehensive documentation and evidence of your cybersecurity practices and the assessment results. This documentation may include the System Security Plan (SSP), policies, procedures, and any corrective action plans.
  • Continuous Compliance: After the certification, you must continue to monitor and maintain your cybersecurity practices to ensure ongoing compliance. This is essential since CMMC certifications are not just a one-time event but require continuous adherence to the prescribed cybersecurity practices.
  • Regular Updates: Be aware of any changes or updates in the CMMC program or related DoD regulations. The CMMC ecosystem is evolving, and staying informed is crucial for maintaining compliance.

Our CMMC Dashboard tool can help you prepare for Level 1 and Level 2 self-assessments or third-party certification assessments to get you across the finish line.

  • CMMC Level 1 Self-Assessment: For Level 1, you must verify compliance by submitting an annual self-assessment into SPRS. The self-assessment for CMMC Level 1 will not have a score. Instead, the SPRS “score” entered for CMMC Level 1 must be a confirmation of “met.” This means that all requirements must be fully implemented and no Plan of Action and Milestones (POA&Ms) are allowed.
  • CMMC Level 2 Self-Assessment: For Level 2, the process involves a more detailed self-assessment against the 110 controls in NIST SP 800-171 Rev. 2. If the self-assessment does not yield a perfect score of 110, you may enter a Conditional status in SPRS as long as certain criteria are met (e.g., a minimum score, no POA&Ms for specific controls, and all open POA&Ms closed out within 180 days). In addition to the score or confirmation of compliance, you will need to provide an annual affirmation of continued compliance with the SPRS entry. This affirmation must be completed by a senior official within your organization. It’s important to ensure that all information provided in SPRS is accurate and up-to-date, as misrepresentations can have serious implications.

Do you have a ChatGPT Plus account?

Try using our customized CMMC Bot to answer any question you might have about CMMC and the upcoming rule that any DoD or DIB contractor will be required to follow.

CMMC Level 1 Certification with a C3PAO:

  1. Conduct the Assessment: The C3PAO will conduct an assessment of your compliance with the 17 practices required for CMMC Level 1.
  2. Submit Certification Results:
    • Ensure that your organization maintains records of the certification, as this might be required for contract bids or audits.

CMMC Level 2 Certification with a C3PAO:

  1. Select a C3PAO: Similar to Level 1, start by selecting an accredited C3PAO.
  2. Conduct the Assessment: The C3PAO assesses your compliance with all 110 controls in NIST SP 800-171 Rev. 2.
  3. Submit Certification Results:
    • For Level 2, once the assessment is completed, the C3PAO will enter the results into the CMMC Enterprise Mission Assurance Support Service (eMASS).
    • eMASS is a DoD system used to manage the authorization process and to record the cybersecurity status of defense contractors.
    • The information in eMASS will then automatically update the Supplier Performance Risk System (SPRS).
  4. POA&Ms (if applicable):
    • If there are any Plan of Action and Milestones (POA&Ms) as a result of the assessment, they must be managed and closed out within the specified timeframe (180 days).
    • The closure of POA&Ms and the updated compliance status should also be recorded accordingly, typically by the C3PAO in eMASS.

Your success is our priority.

Schedule a walkthrough, or arrange a live demo. We’re here to assist you.