CMMC GUIDE

A Comprehensive Guide to CMMC for DoD Contractors

Understanding The Need for CMMC

In a recent Identity Theft Resource Center report, they estimate that the United States government and military faced over 80 data breaches in 2019. As a result, over 3.5 million sensitive records were exposed. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board.

While the U.S. government's initial approach to introducing fundamental security controls into the national defense supply chain called for compliance with NIST SP 800-171 through DFARS 252.204-7012, these measures weren't enough. The Cyber Security Model Certification (CMMC) was released in early 2020 to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

CMMC Compliance Requirements

The CMMC framework features five levels of cyber security maturity. Organizations with access to CUI must be certified at CMMC Level 3, whereas those with access to FCI only will need to be compliant at CMMC Level 1. As defined in DFARS 252.204-7019-7021, almost all 300,000+ DoD contractors have or handle CUI and must become CMMC Level 3 certified by October 2025 to remain eligible for DoD contracts.

Unlike the NIST SP 800-171, the CMMC does not offer the option to self-certify, as it requires a sign-off from a C3PAO, third party assessor. The CMMC certification process will begin as C3PAOs become available (est. late 2021). Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.

To prevent exclusion from contracts as CMMC is implemented, contractors must determine whether their organization is subject to CMMC requirements, assess their compliance against the requirements of the level they need, obtain a gap analysis, remediate those gaps in compliance, and be audited through a Certified Third-party Assessor Organization (C3PAO) certification assessment.

As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation beginning November 30, 2020.

* InfoDefense is a C3PAO candidate.

Cost-effective Compliance Solutions

InfoDefense is a cyber security and compliance consultant that provides turnkey solutions to protect your business. Our cost-effective, simplified CMMC and DFARS compliance solutions will allow your business to become compliant and stay compliant:

*Call 972-922-3100 or contact us for more information and guidance for your business.

Level 01

BASIC CYBER HYGIENE

Basic Safeguarding of FCI

17 Cybersecurity Practices

PERFORMED

  • Applies to companies handling Federal Contract Information (FCI)
  • 17 Cybersecurity Practices
  • Company must comply and perform all practices

Level 02

INTERMEDIATE CYBER HYGIENE

Transition Step to Protect CUI

+ 55 Cybersecurity Practices

DOCUMENTED

  • Applies to companies transitioning towards the handling of Controlled Unclassified Information (CUI)
  • 72 Cybersecurity Practices
  • Company must perform and document practices 

Level 03

GOOD CYBER HYGIENE

Increasing Protection of CUI

+ 58 Cybersecurity Practices

MANAGED

  • Applies to companies handling Controlled Unclassified Information (CUI)
  • 130 Cybersecurity Practices
  • Must perform, document, and manage practices

Level 04

PROACTIVE

Reducing Risk of APIs

+ 26 Cybersecurity Practices

REVIEWED

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)
  • 156 Cyber Practices 
  • Companies must perform, document, manage, and review practices to determine their effectiveness

Level 05

ADVANCED/PROGRESSIVE

+ 15 Cybersecurity Practices

OPTIMIZING

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)
  • 171 Cybersecurity Practices
  • Companies must perform, document, manage, and review practices to determine their effectiveness

As a first step to compliance, InfoDefense offers a no-cost tool that will aid in assessing your organization's compliance against CMMC Level 3 requirements, give you a gap analysis, and allow you to report your SPRS score.

Free CMMC NIST 800 171 Tool Compliance Checklist

CMMC Level-3
Self-Assessment Tool

Steps to CMMC Compliance

1. Determine Your CMMC Requirements

First off, you need to determine what level of CMMC your business requires. Organizations with access to CUI must be certified at CMMC Level 3, whereas those with access to FCI only will need to be compliant at CMMC Level 1. Well over 90% of DoD contractors require CMMC Level - 3 compliance. Along with our no-cost self-assessment tool, our CMMC experts can help you determine whether your business is subject to CMMC requirements and which compliance level you require.

Level 01

BASIC CYBER HYGIENE

17 Cybersecurity Practices

Level 02

INTERMEDIATE CYBER HYGIENE

+ 55 Cybersecurity Practices

17 Cybersecurity Practices

Level 03

GOOD CYBER HYGIENE

+ 58 Cybersecurity Practices

55 Cybersecurity Practices

17 Cybersecurity Practices

Level 04

PROACTIVE

+ 26 Cybersecurity Practices

58 Cybersecurity Practices

55 Cybersecurity Practices

17 Cybersecurity Practices

Level 05

ADVANCED/
PROGRESSIVE

+ 15 Cybersecurity Practices

26 Cybersecurity Practices

58 Cybersecurity Practices

55 Cybersecurity Practices

17 Cybersecurity Practices

Basic Safeguarding
of FCI

Transition Step to
Protect CUI

Increasing Protection of CUI

Reducing Risk
of APIs

"PERFORMED"

- Applies to companies handling Federal Contract Information (FCI)

- 17 Cybersecurity Practices

- Company must comply and perform all practices

"DOCUMENTED"

- Applies to companies transitioning towards the handling of Controlled Unclassified Information (CUI)

- 72 Cybersecurity Practices

- Company must perform and document practices 

"MANAGED"

- Applies to companies handling Controlled Unclassified Information (CUI)

- 130 Cybersecurity Practices

- Must perform, document, and manage practices

"REVIEWED"

- Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)

- 156 Cyber Practices 

- Companies must perform, document, manage, and review practices to determine their effectiveness

"OPTIMIZING"

- Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)

- 171 Cybersecurity Practices

- Companies must perform, document, manage, and review practices to determine their effectiveness

Level 01

BASIC CYBER HYGIENE

Basic Safeguarding of FCI

17 Cybersecurity Practices

PERFORMED

  • Applies to companies handling Federal Contract Information (FCI)
  • 17 Cybersecurity Practices
  • Company must comply and perform all practices

Level 02

INTERMEDIATE CYBER HYGIENE

Transition Step to Protect CUI

+ 55 Cybersecurity Practices

DOCUMENTED

  • Applies to companies transitioning towards the handling of Controlled Unclassified Information (CUI)
  • 72 Cybersecurity Practices
  • Company must perform and document practices 

Level 03

GOOD CYBER HYGIENE

Increasing Protection of CUI

+ 58 Cybersecurity Practices

MANAGED

  • Applies to companies handling Controlled Unclassified Information (CUI)
  • 130 Cybersecurity Practices
  • Must perform, document, and manage practices

Level 04

PROACTIVE

Reducing Risk of APIs

+ 26 Cybersecurity Practices

REVIEWED

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)
  • 156 Cyber Practices 
  • Companies must perform, document, manage, and review practices to determine their effectiveness

Level 05

ADVANCED/PROGRESSIVE

+ 15 Cybersecurity Practices

OPTIMIZING

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) and protection against advanced persistent threats (ADT)
  • 171 Cybersecurity Practices
  • Companies must perform, document, manage, and review practices to determine their effectiveness

2. Get Your Gap Analysis

Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement. This can be accomplished through our CMMC Level 3 Self-Assessment Tool or a CMMC Gap Analysis performed by our compliance experts. Once complete, the analysis will detail each requirement and determine if your organization is currently prepared to meet compliance for it.


3. Implement Your Remediation

Once the assessment is completed and you have your gap analysis in hand, a detailed Plan of Action and Milestones (POA&M) should be created so that solutions required to ensure certification can be implemented. Your existing IT Team(s) can accomplish this, or you can partner with InfoDefense and we will help you achieve 100% compliance through our Standalone Services or CyberSecure 360, our comprehensive security and compliance managed services program.


4. Complete a C3PAO Certification Assessment

Unlike the NIST SP 800-171, contractors must be audited through a Certified Third-party Assessor Organization (C3PAO)* certification assessment to receive CMMC certification. The CMMC certification process will begin as C3PAOs become available. It is important to note that C3PAO cyber security consultants that aid a contractor with CMMC compliance remediation cannot perform that same contractor's Certification Assessment.

Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility. As such, our CMMC Pre-Audit Assessment helps ensure that you've remediated any outstanding practices or processes found in your Gap Analysis, verifying 100% compliance before the auditing process takes place.

*InfoDefense is a C3PAO candidate.

CMMC is as simple as that with InfoDefense.

Call 972-922-3100 or contact us below for more information and guidance for your compliance needs.

Virtual CISO Icon

Schedule a Call with our CMMC Experts