
CMMC CERTIFICATION

A guide to get you started.

This guide was created to help defense contractors understand:

• Why CMMC certification matters
• What level applies to their organization
• The steps required to achieve certification
• How to prepare for an assessment
• How to maintain compliance once certified


Use this guide as a starting point to evaluate your organization’s readiness and identify the actions required to meet CMMC requirements.

What CMMC Means for Your Organization

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program designed to ensure defense contractors and subcontractors implement cybersecurity practices that protect sensitive government information.

The program primarily applies to organizations that are part of the Defense Industrial Base (DIB).


What is the Defense Industrial Base?

The Congressional Research Service defines the Defense Industrial Base as:

“The network of organizations, facilities, and resources that provides the U.S. government, particularly the Department of Defense, with defense-related materials, products, and services.”

Because these organizations handle sensitive information, the DoD requires contractors to meet specific cybersecurity standards.

To accomplish this, the CMMC program is organized into three levels, each with increasing security requirements based on the sensitivity of the information being handled.

CMMC Certification Levels

Level 1 — Basic Safeguarding of FCI

Level 1 focuses on basic cyber hygiene practices designed to protect Federal Contract Information (FCI).

FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. Information the government itself releases to the public is not FCI.

Examples include:

• Contract details
• Project communications
• Government-provided documentation
• Internal deliverables related to contract performance

Level 1 requires organizations to implement the 15 basic safeguarding requirements in FAR 52.204-21. Level 1 is always a self-assessment: the organization assesses itself each year, enters the result in the Supplier Performance Risk System (SPRS), and a senior official affirms continued compliance.

Level 2 — Protection of Controlled Unclassified Information (CUI)

Level 2 is designed to protect Controlled Unclassified Information (CUI). It builds on the Level 1 practices, so an organization at Level 2 continues to safeguard any FCI it holds as well.

CUI includes sensitive government information that is not classified but still requires protection.

Examples of CUI may include:

• Personally identifiable information (PII)
• Technical data
• Software documentation
• Contractor performance information
• Controlled technical information

Level 2 aligns with the 110 security requirements of NIST SP 800-171 (Revision 2, the version referenced by the CMMC rule).

Defense contractors that handle CUI will need to meet Level 2. The contract specifies which of the two Level 2 assessment types applies: a Level 2 self-assessment, or a Level 2 certification assessment conducted by an authorized CMMC Third-Party Assessment Organization (C3PAO). Either result is valid for three years, with an annual affirmation of continued compliance in SPRS.

Pro Tip
Whether a self-assessment or a third-party assessment is required, starting early on the documentation for your 110 controls (system security plan, policies, and evidence) will set you up for success!

Level 3 — Protection Against Advanced Persistent Threats

Level 3 applies to organizations handling CUI associated with the DoD's highest-priority programs, where the information is a likely target of advanced persistent threats (APTs).

This level adds 24 enhanced security requirements drawn from NIST SP 800-172 on top of the 110 Level 2 requirements. The assessment is conducted by the government (the Defense Contract Management Agency's DIBCAC) rather than by a C3PAO, and an organization must already hold a final Level 2 C3PAO certification for the in-scope environment before it can be assessed at Level 3.

Organizations working on high-priority national security programs are the ones most likely to be required to meet Level 3.

Pro Tip
The CMMC level required for your organization will be stated in the DoD (DoW) solicitation and in the resulting contract or subcontract. Prime contractors must flow the requirement down to subcontractors that will handle FCI or CUI.

CMMC Implementation Timeline

The Department of Defense is implementing CMMC through four phases designed to give contractors time to prepare. The phases are measured from the date the CMMC acquisition rule (48 CFR) took effect.

Phase 1

Begins on the effective date of the 48 CFR acquisition rule (60 days after its publication in the Federal Register).
Applicable solicitations require Level 1 or Level 2 self-assessments; the DoD may, at its discretion, require a Level 2 C3PAO certification in some solicitations.

Phase 2

Begins one year after the start of Phase 1.
Applicable solicitations require Level 2 C3PAO certification assessments; the DoD may, at its discretion, require Level 3 certification in some solicitations.

Phase 3

Begins two years after the start of Phase 1.
Applicable contracts require Level 3 certification where the DoD has determined it applies.

Phase 4

Begins three years after the start of Phase 1.
Full implementation: all applicable DoD contracts, including option periods on existing contracts, will include CMMC requirements as a condition of award.

Who is qualified to help with CMMC readiness and self-assessments?

Whittlesey has the qualified staff on hand. If your organization is preparing for CMMC certification, Whittlesey can help you accelerate readiness and avoid costly delays.

Registered Practitioner (RP) or Registered Practitioner Advanced (RPA)

Trained and registered to help contractors prepare for their self-assessments or third-party assessments. Those with practical experience in technology, IT controls, and cybersecurity can also assist with developing and implementing the required controls.

CMMC Certified Professional (CCP)

Can assist with readiness in the same way as an RP, but has an additional level of training and certification that allows them to participate as a member of a C3PAO third-party assessment team.

CMMC Certified Assessor (CCA)

Can assist with readiness like an RP or CCP, but has advanced training and certification that qualifies them to lead a C3PAO third-party assessment team.

Download the Full CMMC Readiness Checklist

Use the downloadable checklist to evaluate your organization’s readiness and begin preparing for certification.

Download the checklist to learn:

• How to determine your required CMMC level
• How to define your FCI and CUI boundaries
• How to perform a CMMC gap assessment
• How to create a POA&M remediation roadmap
• How to prepare for an official assessment