CMMC Explained

A Comprehensive Guide to CMMC for Department of Defense Contractors

In January 2020, the Department of Defense released the initial version of the Cybersecurity Maturity Model Certification (CMMC) standard. CMMC assists in the protection of Controlled Unclassified Information (CUI). Well over 90% of DoD contractors have or handle CUI and, as a result, must become CMMC Level 3 certified.

Our no-cost CMMC Level-3 Self-Assessment Tool allows you to assess your organization's compliance with CMMC Level 3, as well as track compliance status.

Steps to CMMC Compliance

1. Determine Your CMMC Requirements

First, you need to determine what level of CMMC your business requires. Well over 90% of DoD contractors require CMMC Level 3 compliance. Along with our no-cost assessment tool, our CMMC experts will help you determine the compliance level your business requires.

Level 01

BASIC CYBER HYGIENE

Basic Safeguarding of FCI

17 Cybersecurity Practices

PERFORMED

  • Applies to companies handling Federal Contract Information (FCI)
  • 17 Cybersecurity Practices
  • Company must comply and perform all practices

Level 02

INTERMEDIATE CYBER HYGIENE

Transition Step to Protect CUI

+ 55 Cybersecurity Practices

DOCUMENTED

  • Applies to companies transitioning towards the handling of Controlled Unclassified Information (CUI)
  • 72 Cybersecurity Practices
  • Company must perform and document practices 

Level 03

GOOD CYBER HYGIENE

Increasing Protection of CUI

+ 58 Cybersecurity Practices

MANAGED

  • Applies to companies handling Controlled Unclassified Information (CUI)
  • 130 Cybersecurity Practices
  • Must perform, document, and manage practices

Level 04

PROACTIVE

Reducing Risk of APTs

+ 26 Cybersecurity Practices

REVIEWED

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (APT)
  • 156 Cybersecurity Practices
  • Companies must perform, document, manage, and review practices to determine their effectiveness

Level 05

ADVANCED/PROGRESSIVE

+ 15 Cybersecurity Practices

OPTIMIZING

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (APT)
  • 171 Cybersecurity Practices
  • Companies must perform, document, manage, and review practices to determine their effectiveness

2. Get Your Gap Analysis

Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement. Once complete, the analysis will detail each requirement and determine if your organization is currently prepared to meet compliance for it.

3. Implement Your Remediation

Once the assessment is completed and you have your gap analysis in hand, a detailed Plan of Action and Milestones (POA&M) should be created so that solutions required to ensure certification can be implemented. Your existing IT Team(s) can accomplish this, or you can partner with InfoDefense and we will do the heavy lifting for you.

CMMC is as simple as that with InfoDefense.

Get Your CMMC Level-3 Self-Assessment Tool

Schedule a Call with our CMMC Experts