The DoD Contractor's Guide to CMMC Level 2

Cybersecurity Maturity Model Certification Logo

Cost-Effective NIST SP 800-171 and CMMC Solutions


Learn if your company is subject to NIST SP 800-171 or CMMC Level 2 requirements, obtain a gap analysis, and track your NIST SPRS score.
CyberSecure 360 Comprehensive Cyber Security Program
NIST SP 800-171 Compliance
CMMC Compliance
All-in-one compliance at a fraction of the cost of building your own cyber security program. Choose from five cost-effective packages of 23 services.
CyberSecure 360_Logo Suite 300dpi_Icon Blue

Contact us below for CMMC help specific to your company's needs.

The Need for the Cybersecurity Maturity Model Certification

In a recent Identity Theft Resource Center report, they estimate that the United States government and military faced over 80 data breaches in 2019. As a result, over 3.5 million sensitive records were exposed. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board.

DFARS, NIST, and CMMC

While the U.S. government's initial approach to introducing fundamental security controls into the national defense supply chain called for compliance with NIST SP 800-171 through DFARS 252.204-7012, these measures weren't enough. The Cyber Security Model Certification (CMMC) was released in early 2020 to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Unlike the NIST SP 800-171, the CMMC does not offer the option to self-certify, as it requires a sign-off from a C3PAO, third party assessor. The CMMC certification process will begin as C3PAOs become available (est. late 2021). Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.

CMMC will replace NIST SP 800-171. As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation beginning November 30, 2020.

Free CMMC NIST 800 171 Tool Compliance Checklist
Find your NIST SPRS score with our free self-assessment tool.

Understanding CUI

There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some of the more common specific categories include:

Many defense contractors also create, store or process general categories such as:

> Request our CMMC Level 2 Self-Assessment Tool for a complete list of CUI categories

CMMC Compliance Requirements

The CMMC framework features three levels of cyber security maturity. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. As defined in DFARS 252.204-7019-7021, almost all 300,000+ DoD contractors have or handle CUI and must become CMMC Level 2 certified by October 2025 to remain eligible for DoD contracts.

To prevent exclusion from contracts as CMMC is implemented, contractors must determine whether their organization is subject to CMMC requirements, assess their compliance against the requirements of the level they need, obtain a gap analysis, remediate those gaps in compliance, and be audited through a Certified Third-party Assessor Organization (C3PAO) certification assessment.

* InfoDefense is a C3PAO candidate.

Level 1

FOUNDATIONAL

17 Cybersecurity Practices

  • See Level 1 Self-Assessment Guide
  • Applies to companies handling Federal Contract Information (FCI)
  • 17 Cybersecurity Practices
  • Company must comply and perform all practices

Level 2

ADVANCED

110 Cybersecurity Practices

  • Applies to companies handling Controlled Unclassified Information (CUI)
  • 110 Cybersecurity Practices
  • Must perform, document, and manage practices

Level 3

EXPERT

130 Cybersecurity Practices

  • Applies to companies requiring increased protection of CUI and protection against advanced persistent threats (APTs) through increased depth and sophistication of security capabilities
  • 130 Cybersecurity Practices
  • Companies must perform, document, manage, review, standardize and optimize practices to determine their effectiveness

Steps to CMMC Compliance

1. Determine Your CMMC Requirements

First off, you need to determine what level of CMMC your business requires. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. Well over 90% of DoD contractors require CMMC Level 2 compliance. Along with our no-cost self-assessment tool, our CMMC experts can help you determine whether your business is subject to CMMC requirements and which compliance level you require.

Level 1

FOUNDATIONAL

17 Cybersecurity Practices

Level 2

ADVANCED

+ 93 Cybersecurity Practices

17 Cybersecurity Practices

Level 3

EXPERT

+ 20 Enhanced Cybersecurity Practices

93 Cybersecurity Practices

17 Cybersecurity Practices

Basic Safeguarding of FCI

Increasing Protection of CUI

Reducing Risk of APTs

- See Level 1 Self-Assessment Guide

- Applies to companies handling Federal Contract Information (FCI)

- 17 Cybersecurity Practices

- Company must comply and perform all practices

- See Level 2 Assessment Guide

- Applies to companies handling Controlled Unclassified Information (CUI)

- 110 Cybersecurity Practices

- Must perform, document, and manage practices

- Applies to companies requiring increased protection of CUI and protection against advanced persistent threats (APTs) through increased depth and sophistication of security capabilities

- 130 Cybersecurity Practices

- Companies must perform, document, manage, review, standardize and optimize practices to determine their effectiveness


2. Get Your Gap Analysis

Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement. This can be accomplished through our CMMC Level 2 Self-Assessment Tool or a CMMC Gap Analysis performed by our compliance experts. Once complete, the analysis will detail each requirement and determine if your organization is currently prepared to meet compliance for it.


3. Implement Your Remediation

Once the assessment is completed and you have your gap analysis in hand, a detailed Plan of Action and Milestones (POA&M) should be created so that solutions required to ensure certification can be implemented. Your existing IT Team(s) can accomplish this, or you can partner with InfoDefense and we will help you achieve 100% compliance through our Standalone Services or CyberSecure 360, our comprehensive security and compliance managed services program.


4. Complete a C3PAO Certification Assessment

Unlike the NIST SP 800-171, contractors must be audited through a Certified Third-party Assessor Organization (C3PAO)* certification assessment to receive CMMC certification. The CMMC certification process will begin as C3PAOs become available. It is important to note that C3PAO cyber security consultants that aid a contractor with CMMC compliance remediation cannot perform that same contractor's Certification Assessment.

Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility. As such, our CMMC Pre-Audit Assessment helps ensure that you've remediated any outstanding practices or processes found in your Gap Analysis, verifying 100% compliance before the auditing process takes place.

*InfoDefense is a C3PAO candidate.

CMMC is as simple as that with InfoDefense.

Call 972-922-3100 or contact us below for more information and guidance for your compliance needs.

Virtual CISO Icon

Schedule a Call with our CMMC Experts

"*" indicates required fields

Name*
Emails with non-business domains (example@gmail.com) will not be accepted.