CMMC 2.0 Compliance Starter Checklist
This CMMC 2.0 compliance checklist is designed to help you get started on your compliance journey. Note that it is not intended to be a comprehensive source on all the steps involved; to prepare for CMMC certification, consult a CMMC Registered Provider Organization (RPO).
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity training, certification and assessment program from the United States Department of Defense (DoD). CMMC is designed to provide increased assurance to the DoD that a contractor can adequately protect controlled unclassified information(CUI), including accounting for information flow to subcontractors in a multi-tier supply chain.
More broadly, CMMC is designed to help defense industrial base (DIB) organizations:
- Safeguard sensitive information through proper cybersecurity hygiene with a “trust but verify” model
- Dynamically enhance cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Instill a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
CMMC was created to replace an older model in which DoD contractors were required to self-assess and report their cybersecurity readiness. CMMC 2.0 replaced CMMC 1.0 as of November 2021.
Focused on the most critical requirements: Streamlines the model to 3 compliance levels
Aligned with widely accepted standards: Uses NIST cybersecurity standards (NIST SP 800-171)
Reduced assessment costs: Allows all companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
Higher accountability: Increases oversight of professional and ethical standards of third-party assessors
Spirit of collaboration: Allows companies (under specific circumstances) to make plans of action & milestones (POA&Ms) to achieve certification
Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances
When is CMMC compliance required?
CMMC 2.0 was announced in November 2021 and needs to undergo rulemaking before it is implemented. CMMC 2.0 will become a contract requirement once rulemaking is completed; this process can take 9–24 months. However, if you are a DoD contractor or subcontractor, then the time to start working towards CMMC 2.0 compliance is now. Organizations should prepare only for CMMC 2.0
During the rollout of CMMC 2.0, prime DoD contractors will also need to perform a self-assessment of their implementation of NIST SP 800-171 via the NIST SP 800-171 DoD Assessment Methodology (which prime contractors can also ask of their subcontractors). This assessment results in a score that needs to be submitted to the Supplier Performance Risk System (SPRS). It should also be noted that assessments considered “medium” or “high” must be conducted by the DoD, rather than via self-assessment.
What organizations does CMMC apply to?
The target for CMMC compliance is the defense industrial base, which is over 300,000 organizations and universities that are important in the production of equipment for the United States Armed Forces. This includes contractors and subcontractors, researchers, and staff in engineering, development, and supply chain operations.
A DIB contractor can achieve a specific CMMC level for its entire enterprise network or for segments of it, depending upon where CUI or Federal Contract Information (FCI) is handled and stored. However, it’s generally a best practice to ensure the same level of CMMC compliance across all networks that can communicate with one another, or that users may exfiltrate data to or from.
Any entity that wants to continue competing for DoD contracts will need CMMC certification.
What does CMMC protect?
The primary goal of CMMC is to protect CUI, which is defined as unclassified information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
FCI also needs attention under CMMC; it is a much broader term that encompasses CUI and more. The importance of protecting CUI cannot be stressed enough.
What are CMMC domains and practices?
The cybersecurity requirements of CMMC are categorized into the following 17 domains:
Each domain contains multiple practices; more practices are required for higher CMMC certification levels.
Awareness and Training
Audit and Accountability
System and Communications
System and Information Integrity
Identification and Authentication
What are the CMMC compliance levels?
Here is a high-level outline of the three levels of CMMC compliance:
CMMC Model 2.0
Level 3: Expert
110+ practices based on NIST SP 800-172
Triennial government-led assessments
Level 2: Advanced
110+ practices aligned with NIST SP 800-171
Triennial third-party assessments for critical national security information;
Annual self-assessment for select programs
Level 1: Foundational
Level 1 (Foundational)
This level is for companies with federal contract information (FCI) only (this information requires protection but is not critical to national security).
- Annual self-assessment
- 17 practices
Level 2 (Advanced)
This is the minimum CMMC level for organizations handling CUI.
- Triennial third-party assessments for critical national security information; annual self-assessment for select programs
- Requires third-party assessments for prioritized acquisitions: Companies will be responsible for obtaining an assessment and certification prior to contract award.
- Requires self-assessments for other non-prioritized acquisitions: Companies will complete and report a CMMC Level 2 self-assessment and submit senior official affirmations for SPRS.
- 110 practices, aligned with NIST SP 800-171
Levels 3 (Expert)
Unless specified in a DoD contract, organizations should aim for Level 2 if they handle CUI, rather than the requirement-heavy Level 3.
- Triennial government-led assessments
- 110+ practices from NIST SP 800-172
- Addresses high-value assets and high-profile programs and protects CUI from advanced persistent threats (APTs)
Level 3: Expert
110+ practices based on NIST SP 800-172
CUI, highest priority programs
Level 2: Advanced
110 practices aligned with NIST SP 800-171
CUI, prioritized acquisitions
CUI, non-prioritized acquisitions
Level 1: Foundational
FCI, not critical to national security
How can my organization get started with CMMC compliance?
The first step in any CMMC journey is to identify CUI in an environment and determine how that data is used, who can access it and how it is being used. Solutions like Netwrix Auditor and Netwrix Data Classification Netwrix can help you with all of these critical tasks. In addition, organizations should consult with a certified RPO to prepare for their CMMC assessment.
What are the key CMMC terms I should know?
- C3PAO – Certified Third-Party Assessment Organization
- CMMC-AB – CMMC Accreditation Body
- CUI – Controlled Unclassified Information
- DFARS – Defense Federal Acquisition Regulation Supplement
- DIB – Defense industrial base
- FCI – Federal Contract Information
- NIST SP 800-171 – Security requirements for protecting CUI
- NIST SP 800-172 – Enhanced security requirements for protecting CUI
- OSC – Organization seeking certification
- POAM – Plan of actions and milestones
- RPO – Registered Provider Organization
For more information, see the FAQ from the Office of the Under Secretary of Defense.
What is Controlled Unclassified Information (CUI)?
CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
What is CMMC?
Cybersecurity Maturity Model Certification is a unifying standard for the implementation of cybersecurity across the defense industrial base and quantifying an organization’s cybersecurity maturity level. The CMMC framework is designed to provide increased assurance to the DoD that a DIB company has implemented appropriate cybersecurity practices to protect FCI and CUI.
Why was CMMC 2.0 created?
DoD is migrating to the new CMMC framework in order to better enhance and assess the cybersecurity posture of DIB organizations.
Will other Federal (non-DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD and will be implemented through DFARS clause 252.204-7021.
What is the relationship between NIST and CMMC?
What is a CMMC Third Party Assessment Organization (C3PAO)?
Authorized and accredited C3PAOs are responsible for conducting the CMMC assessments of DIB companies’ unclassified networks and then issuing appropriate CMMC certificates based on the results of the assessments.
Who will perform CMMC assessments?
Only authorized and accredited C3PAOs who are listed on the CMMC-AB Marketplace website will be able to conduct CMMC assessments. C3PAOs shall use only authorized or certified CMMC assessors to conduct CMMC assessments.
How will my organization become certified?
DIB companies will select one of the authorized or accredited C3PAOs from the CMMC-AB Marketplace website. The DIB company and the selected C3PAO will coordinate and plan the CMMC assessment, as well as complete appropriate contractual agreements.
After the completion of the CMMC assessment, the C3PAO will provide an assessment report; if there are no deficiencies, it will issue a CMMC certificate to the DIB company for the appropriate certification level. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.
How often does my organization need to be reassessed?
In general, a CMMC certificate will be valid for 3 years.
If my organization has a CMMC certification and my unclassified network is compromised, do I lose my certification?
A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.
My organization does not handle CUI. Do I have to be certified anyway?
If a DIB company does not possess, store, or transmit CUI but possesses FCI, it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1.
Companies that solely produce commercial-off-the-shelf (COTS) products do not require a CMMC certification.
If my organization is a subcontractor on a DoD contract, does it need to be certified?
If the DoD contract has a CMMC requirement and your company does not solely produce COTS products, you will need a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing from your prime contractor.
How will I know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in each Request for Information (RFI) and Request for Proposals (RFP).