CMMC 2.0 Compliance Checklist


When organizations do business with the federal government, they often create or handle sensitive data. To keep this data secure, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is mandatory for companies in the Defense Industrial Base (DIB) and those seeking a contract with the DoD. 

CMMC was updated to v2.0 in 2021. Organizations that fail to comply with CMMC 2.0 risk jeopardizing their DoD contracts, which makes understanding the changes to the framework essential.

This CMMC compliance checklist for v2.0 can help you get started on your way to compliance. Note that it is not a comprehensive source on all the steps involved. Certification assessments themselves are performed by a Certified Third-Party Assessment Organization (C3PAO), or by the government for Level 3; a CMMC Registered Provider Organization (RPO) can help you prepare for one but does not issue certificates.

Understanding CUI and FCI

A glossary of key terms is provided at the end of this CMMC audit checklist, but two terms that organizations need to understand in order to follow this checklist are CUI and FCI.

  • CUI (controlled unclassified information) — “Information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
  • FCI (Federal contract information) — "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public."

To achieve CMMC compliance, organizations must store, transfer and process CUI and FCI appropriately.

CMMC Goals

The CMMC is a cybersecurity training, certification and assessment program that aims to ensure that DIB contractors handle CUI securely. This includes the flow of data to subcontractors in the supply chain.

Key requirements include the following:

  • Safeguard sensitive information through proper cybersecurity practices, often by employing a “trust but verify” model.
  • Continually fortify existing cybersecurity practices to keep up with the changing threat landscape.
  • Ensure accountability across the organization so that missteps can be identified and resolved.
  • Facilitate compliance with DoD requirements.
  • Foster a collaborative culture that prioritizes cybersecurity and cyber resilience.
  • Maintain public trust through the highest professional, ethical, and transparency standards.

The CMMC aligns with NIST SP 800-171 and NIST SP 800-172, so companies seeking CMMC certification should become acquainted with those standards.

CMMC 1.0 vs CMMC 2.0: Key Differences

The main differences between CMMC 1.0 and CMMC 2.0 are: 

  • Fewer levels — The CMMC level that an organization obtains determines the type of contract it is eligible for. CMMC 1.0 defined five levels; CMMC 2.0 has just three: Level 1 Foundational, Level 2 Advanced and Level 3 Expert.
  • Reduced assessment costs — CMMC 2.0 allows all Level 1 and some Level 2 organizations to demonstrate compliance through self-assessment, which eliminates the costs of assessments by a Certified Third-Party Assessment Organization (C3PAO). 
  • Higher accountability — Third-party assessments must now meet higher professional and ethical standards.
  • Greater flexibility — CMMC 2.0 permits some companies to achieve certification via a Plan Of Action and Milestones (POA&M). It also enables the government to issue waivers in some circumstances. 
  • Removal of "Capabilities" and "Processes" sections — In CMMC 1.0, the Capabilities covered goals related to cybersecurity hygiene, while the Process section covered the workflows, policies, security controls and other methods for demonstrating progress toward a cybersecurity goal. 

When is CMMC compliance required?

CMMC 2.0 was announced in November 2021 and was originally expected to be implemented by November 2023. That date slipped, but the DoD has since finalized the CMMC program rule (32 CFR Part 170) and CMMC requirements are scheduled to begin appearing in DoD contracts in 2025, so organizations are advised not to delay making the changes needed to obtain CMMC 2.0 certification.

What organizations does CMMC apply to?

The CMMC primarily applies to organizations within the DIB, which consists of over 300,000 businesses and universities that participate in the manufacture of United States Armed Forces equipment. This includes but is not limited to:

  • Contractors 
  • Subcontractors 
  • Engineering staff
  • Supply chain resources 
  • Research and development (R&D)

DIB contractors can achieve a particular CMMC certification level across their entire network or merely for portions of it, depending on their CUI and FCI storage processes. However, it's usually a best practice to maintain a uniform level of compliance throughout so that all network segments can communicate and share data without the risk of a compliance violation.

Contractors and CMMC 2.0

Under DFARS clauses 252.204-7019 and 252.204-7020, DoD contractors that handle CUI must already assess their implementation of the NIST SP 800-171 requirements using the NIST SP 800-171 DoD Assessment Methodology, and CMMC 2.0 builds on this.

To maintain continuity across the entire supply chain, prime contractors flow the same requirement down to subcontractors that handle CUI. The assessment produces a score (110 is a perfect score) that contractors must post to the Supplier Performance Risk System (SPRS). A self-assessment yields only a "Basic" confidence level; for an assessment to be rated "Medium" or "High", it must be performed by the DoD rather than via self-assessment.
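The SPRS score mentioned above is not a percentage: the DoD Assessment Methodology starts at 110 and subtracts a weight of 1, 3 or 5 points for every NIST SP 800-171 requirement that is not fully implemented, so a score below zero is possible (the floor is -203). The following Python calculator is an added example, not code from this page or from the DoD; the ten requirement weights are a constructed, illustrative subset (the authoritative weights for all 110 requirements are in Annex A of the methodology), and the partial-credit and not-applicable rules are taken from the methodology itself.

```python
"""Score a NIST SP 800-171 self-assessment the way SPRS expects it.

Rules (NIST SP 800-171 DoD Assessment Methodology):
  * start at 110 and subtract each requirement's weight (1, 3 or 5) when it
    is not fully implemented;
  * two requirements may be scored as partially implemented and then cost 3
    instead of 5: 3.5.3 (multifactor authentication) and 3.13.11
    (FIPS-validated cryptography);
  * a requirement documented as not applicable in the SSP is scored as
    implemented;
  * a requirement on a POA&M is still not implemented and still costs points.
"""
from __future__ import annotations

from enum import Enum

START_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points the full Annex A table adds up to


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                # only allowed for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"
    NOT_APPLICABLE = "not_applicable"  # must be justified in the SSP


# Constructed illustrative subset of the 110 requirements (assumed weights).
# Replace with the full Annex A table to obtain a real SPRS score.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit users to permitted transaction types
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish baseline configurations
    "3.5.3": 5,    # multifactor authentication
    "3.7.2": 5,    # control maintenance tools
    "3.11.2": 5,   # scan for vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct flaws
}

# Reduced deduction the methodology allows for a partial implementation.
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


def deduction(req: str, status: Status, weights: dict[str, int] = WEIGHTS) -> int:
    """Points lost for one requirement given its implementation status."""
    if req not in weights:
        raise KeyError(f"unknown requirement identifier {req!r}")
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    if status is Status.PARTIAL:
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req} cannot be scored as partially implemented")
        return PARTIAL_DEDUCTION[req]
    return weights[req]


def sprs_score(assessment: dict[str, Status], weights: dict[str, int] = WEIGHTS) -> int:
    """Total score; requirements absent from `assessment` count as not implemented."""
    for req in assessment:              # catch typos before they silently score 0
        if req not in weights:
            raise KeyError(f"unknown requirement identifier {req!r}")
    total = START_SCORE
    for req in weights:
        total -= deduction(req, assessment.get(req, Status.NOT_IMPLEMENTED), weights)
    return total


def poam_items(assessment: dict[str, Status], weights: dict[str, int] = WEIGHTS) -> list[tuple[str, int]]:
    """Open gaps as (requirement, points lost), largest deduction first."""
    gaps = []
    for req in weights:
        lost = deduction(req, assessment.get(req, Status.NOT_IMPLEMENTED), weights)
        if lost:
            gaps.append((req, lost))
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


# Constructed sample: MFA and FIPS crypto only partly done, two gaps open.
SAMPLE_ASSESSMENT: dict[str, Status] = {
    req: Status.IMPLEMENTED for req in WEIGHTS
}
SAMPLE_ASSESSMENT.update({
    "3.5.3": Status.PARTIAL,            # MFA for privileged/remote users only
    "3.13.11": Status.PARTIAL,          # encryption in use, but not FIPS-validated modules
    "3.1.20": Status.NOT_IMPLEMENTED,
    "3.11.2": Status.NOT_IMPLEMENTED,
})

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))          # 98
    for req, lost in poam_items(SAMPLE_ASSESSMENT):
        print(f"  POA&M {req}: -{lost}")
```

Two things the calculator makes visible that a checklist does not: a missing 5-point control costs as much as five 1-point ones, so `poam_items` is the natural order in which to work a POA&M, and the partial-credit path exists for exactly two requirements, so an assessor will reject "partial" anywhere else.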

What are CMMC domains and practices?

CMMC 1.0 organized its practices into the following 17 domains. CMMC 2.0 keeps 14 of them, matching the 14 requirement families of NIST SP 800-171; the three marked with an asterisk (Asset Management, Recovery and Situational Awareness) existed only in CMMC 1.0 and were dropped in 2.0.

  • Access Control (AC)
  • Incident Response (IR)
  • Risk Management (RM)
  • Asset Management (AM) *
  • Maintenance (MA)
  • Security Assessment (CA)
  • Awareness and Training (AT)
  • Media Protection (MP)
  • Audit and Accountability (AU)
  • Personnel Security (PS)
  • System and Communications Protection (SC)
  • Configuration Management (CM)
  • Physical Protection (PE)
  • System and Information Integrity (SI)
  • Identification and Authentication (IA)
  • Recovery (RE) *
  • Situational Awareness (SA) *

The NIST SP 800-171 and NIST SP 800-172 standards list the cybersecurity practices for these domains. Those seeking a specific CMMC certification level must follow the practices set within the corresponding standard.

What are the CMMC compliance levels?

Your CMMC compliance level determines your eligibility for certain government contracts. CMMC 2.0 defines three levels:

CMMC Level 1: Foundational

This level is for companies that handle FCI but no CUI, i.e. data that requires protection but is not critical to national security. A CMMC Level 1 checklist consists of the basic safeguarding requirements of FAR clause 52.204-21 (15 requirements, counted as 17 practices in the CMMC model, all of which also appear in NIST SP 800-171) and an annual self-assessment with a senior company official affirming the results.

CMMC Level 2: Advanced

This level is for organizations that handle CUI in addition to FCI. A CMMC Level 2 checklist involves implementing all 110 NIST SP 800-171 practices (not just the Level 1 subset). For most contracts this must be verified by a triennial C3PAO assessment; for a limited set of programs the DoD allows an annual self-assessment instead, with an annual affirmation in either case.

CMMC Level 3: Expert

The highest certification level in CMMC 2.0 is for companies engaged in the most sensitive government programs and aims to protect their CUI from advanced persistent threats (APTs). A CMMC Level 3 checklist includes meeting all 110 Level 2 practices plus a subset of the enhanced requirements of NIST SP 800-172 (24 in the final rule), and passing triennial assessments conducted by the government (DIBCAC) rather than by a C3PAO.

Recap

The following table summarizes the main differences between the three levels in CMMC 2.0:

  Level                  Requirements                                   For companies with                        Assessments
  Level 1: Foundational  17 practices (FAR 52.204-21)                   FCI (not critical to national security)  Annual self-assessment
  Level 2: Advanced      110 practices aligned with NIST SP 800-171     CUI                                      Triennial, by C3PAO (annual self-assessment for select programs)
  Level 3: Expert        110 practices plus NIST SP 800-172 subset      CUI in the most sensitive programs       Triennial, by government

How can my organization get started with CMMC compliance?

The critical first step in your Cybersecurity Maturity Model Compliance journey is to find out where CUI exists in your environment, who can access it and how you use it. Solutions like Netwrix Auditor and Netwrix Data Classification can help you perform these critical tasks accurately and efficiently. 

For more information, see the CMMC FAQ on the DoD Chief Information Officer (DoD CIO) website. You can also submit questions there, and the relevant office will respond by email.

Glossary

  • AB — Accreditation Body
  • C3PAO — Certified Third-Party Assessment Organization 
  • CUI — Controlled Unclassified Information
  • DFARS — Defense Federal Acquisition Regulation Supplement
  • DIB — Defense Industrial Base
  • FCI — Federal Contract Information
  • OSC — Organization Seeking Certification
  • POA&M — Plan of Action and Milestones
  • RPO — Registered Provider Organization
  • SSP — System Security Plan

FAQ

What is Controlled Unclassified Information (CUI)?

CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is a standard for cybersecurity implementation across the defense industrial base and quantifying an organization’s cybersecurity maturity level. The CMMC framework provides increased assurance to the DoD that a DIB company has implemented appropriate cybersecurity practices to protect FCI and CUI.

Why was CMMC 2.0 created?

The DoD is migrating to the new CMMC framework to enhance and better assess the cybersecurity posture of DIB organizations.

Is there a CMMC 3.0?

A third version of the CMMC framework is in the works.

Will non-DoD contracts use CMMC?

The initial implementation of CMMC 2.0 will be limited to DoD contracts and will be imposed through DFARS clause 252.204-7021.

What is the relationship between NIST and CMMC?

CMMC 2.0 Level 2 requires companies to meet the 110 security requirements specified in NIST SP 800-171. Level 3 requires a subset of NIST SP 800-172 practices.

What is a CMMC Third Party Assessment Organization (C3PAO)?

C3PAOs are responsible for conducting Level 2 certification assessments and issuing CMMC certificates based on the results. Authorized and accredited C3PAOs are listed on the CMMC-AB (now Cyber AB) Marketplace website.

How does an organization become certified using a C3PAO?

The company selects one of the C3PAOs from the CMMC-AB (now Cyber AB) Marketplace website and works with it to plan the CMMC assessment. The C3PAO provides an assessment report; if there are no deficiencies, it issues a CMMC certificate for the appropriate certification level. The C3PAO also submits a copy of the assessment report and CMMC certificate to the DoD.

How often does an organization need to be reassessed?

In general, a CMMC certificate is valid for three years.

If my organization has a CMMC certification and my unclassified network is compromised, do I lose my certification?

A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.

My organization does not handle CUI. Do I have to be certified anyway?

If a DIB company does not possess, store or transmit CUI but possesses FCI, it must meet FAR clause 52.204-21 and get CMMC Level 1 certified at a minimum. 

Companies that produce only commercial-off-the-shelf (COTS) products do not require a CMMC certification.

If my organization is a subcontractor on a DoD contract, does it need to be certified?

If the DoD contract has a CMMC requirement and your company does not solely produce COTS products, you will need a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowing from your prime contractor.

How will I know what CMMC level is required for a contract?

The DoD will specify the required CMMC level in each Request for Information (RFI) and Request for Proposals (RFP).
