- CMMC 2.0 (Cybersecurity Maturity Model Certification) is the DoD's third-party assessment program for verifying NIST 800-171 implementation in the Defense Industrial Base.
- Three levels: Level 1 (FCI, 15 controls, self-assessment), Level 2 (CUI, NIST 800-171, third-party), Level 3 (CUI+, NIST 800-172, government-led).
- CMMC takes the focus back to NIST SP 800-171 controls. Essentially, CMMC is the assessment mechanism for proving NIST 800-171 is implemented.
- ComplianceForge has been an industry leader in CMMC documentation since 2016. Its templates are DIBCAC battle-tested and have been used by organizations that have successfully passed assessments.
- Documentation is a business accelerator, saving months of labor versus writing from scratch or hiring consultants.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's requirement for the Defense Industrial Base (DIB) to obtain third-party attestation that NIST 800-171 controls are implemented. CMMC 2.0 streamlined the original CMMC model back to its NIST SP 800-171 foundation.
When it comes to CMMC compliance, ComplianceForge's editable policies, standards, procedures and other templates are a business accelerator - our products can save you time and significantly reduce the labor costs that are traditionally associated with researching and developing CMMC policies, standards and procedures on your own or by hiring a consultant to do it for you. These are not "fill in the blanks" templates - while they are expected to be edited for your specific needs, these policies, standards and procedures templates are written to address leading secure practices. ComplianceForge documentation can be scoped to address multiple environments (e.g., on-premises and/or in a hosted environment).
ComplianceForge is an industry leader in NIST 800-171 compliance documentation and has been evolving its DFARS-specific cybersecurity solutions since 2016. We specialize in cybersecurity compliance documentation, and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We have been writing cybersecurity documentation since 2005 and are here to help make NIST 800-171 compliance as easy and as affordable as possible.

CMMC 2.0 Policies, Standards & Procedures Templates
ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with NIST 800-171, NIST 800-53, ISO 27002, NIST CSF, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Complying with NIST SP 800-171 & CMMC can be hard enough without arguing over terminology. Terminology pertaining to cybersecurity documentation is often abused, so a simplified concept of the hierarchical nature of cybersecurity documentation is needed to demonstrate the unique nature of these components, as well as the dependencies that exist between them. ComplianceForge created a reference model designed to encourage clear communication by defining cybersecurity documentation components and how they are linked. This model is based on industry-recognized terminology from NIST, ISO, ISACA and AICPA to address the interconnectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. It also addresses what SSPs, POA&Ms and secure configurations are and how they integrate into an organization's existing cybersecurity documentation. The reference model is available for download as a PDF.

NIST 800-171 R3 Documentation Upgrade Path
Sooner rather than later, the US Government's global supply chain will have to transition to NIST 800-171 R3. ComplianceForge provides a free resource for organizations migrating from NIST 800-171 R2 to R3. This guide provides an Assessment Objective (AO)-level analysis of the differences between the two revisions:
- Over 1/3 are minimal effort (clear, direct mapping);
- Approximately 1/5 are moderate effort (indirect mapping); and
- Approximately 1/2 are significant effort (no clear mapping or new AOs).
The guide also addresses the logical dependencies created by "orphaned AOs": assessment objectives that no longer appear in NIST 800-171A R3 but for which a requirement to demonstrate evidence of due diligence and due care still exists for specific functions (e.g., maintenance operations, roles & responsibilities, inventories, physical security, etc.).

CMMC v2.0 (DFARS 252.204-7021) Overview
CMMC is a vehicle the US Government is using to implement a tiered approach to assessing contractor compliance with NIST SP 800-171. The original CMMC model defined five maturity levels; CMMC 2.0 consolidated these to three. DoD contractors have been required to comply with NIST 800-171 since January 1, 2018 (the DFARS 252.204-7012 implementation deadline was December 31, 2017). In the years before CMMC was announced, the DoD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB), and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. Interestingly, when NIST 800-171 was initially launched, the DoD would not accept any form of third-party audit as evidence of NIST 800-171 compliance, but that is exactly what CMMC does, so a lot has changed from how NIST 800-171 adoption was initially envisioned.
Think of CMMC as a procurement gate that a contractor must pass to even be eligible to bid on, win or participate in a contract: without a valid CMMC certification at the required level (Level 1 through 3), the prime and/or sub will be barred from the contract. It is conservatively estimated that between 200,000 and 300,000 organizations will be in scope for CMMC, many of which are not traditional defense contractors. The reason is the trickle-down effect of third parties that have the ability to impact the confidentiality and/or integrity of Controlled Unclassified Information (CUI) wherever it is stored, transmitted and/or processed. This trickle-down will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.

If you are new to CMMC and want a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, read "Defense Acquisitions: DOD's Cybersecurity Maturity Model Certification Framework" from the Congressional Research Service (CRS). This document is meant to educate members of Congress on CMMC, so it is about as neutral as anyone could expect an overview to be.
The CRS report to Congress is loaded with references that you can use to verify information for yourself. It is a really good guide to the history and some of the challenges pertaining to CMMC, so it is a worthwhile document to read.

Downloadable Excel Spreadsheet - CMMC 2.0 Crosswalk
On 18 March 2020, the US Department of Defense (DoD) released version 1.02 of the CMMC. We took those requirements and built a user-friendly requirements matrix showing what an organization faces at each level (Level 1 through Level 5 under v1.02), together with mappings that show how ComplianceForge's products support each CMMC requirement. The downloadable CMMC v2.0 requirements mapping matrix shown below covers the streamlined model: it shows how all CMMC 2.0 Level 1-3 requirements are supported by various ComplianceForge products.

That downloadable Excel spreadsheet provides crosswalk mappings to the following frameworks:
- FAR 52.204-21;
- NIST 800-171 Rev 2 & Rev 3;
- NIST 800-171B (the draft that was finalized as NIST SP 800-172);
- NIST 800-53 Rev 5;
- CERT RMM v1.2;
- ISO 27002;
- NIST Cybersecurity Framework;
- CIS Critical Security Controls v7.1; and
- Secure Controls Framework (SCF).
It also provides mappings to the following ComplianceForge products:
Use The "CMMC Kill Chain" To Build A Project Plan
A common issue facing many front-line IT/cybersecurity practitioners is that they do not know where to start with CMMC, let alone what path they need to follow to pass a CMMC assessment. There is an enormous amount of "What is CMMC?" guidance on LinkedIn, webinars and on the Internet in general, but there is a lack of practical guidance of HOW you are actually supposed to "do CMMC" in realistic terms.
The CMMC Kill Chain is designed to provide a roadmap usable by:
- Anyone starting out; or
- Anyone wanting to double check their approach.
A PDF version of the graphic and its description is also available for download.

How Do I Prepare For A CMMC Assessment?
CMMC 2.0 defines three levels, each with its own specific set of controls that will be in scope for a CMMC assessment, and the expectations increase with each level. Regardless of level, preparing for an assessment comes down to:
- Performing a thorough review of your System Security Plan (SSP) to understand the who/what/when/where/how/why of your CUI environment;
- Assessing your Plan of Action & Milestones (POA&M) to understand which controls are not yet fully addressed (if applicable) and what compensating controls exist to mitigate the risk of non-compliance with a given control; and
- Evaluating your policies, standards and procedures to confirm that they line up with the SSP and that the documentation supports all the requirements of NIST 800-171 / CMMC.
CMMC vs NIST 800-171 vs NIST 800-53 Requirements - NIST Did Not Re-Invent The Wheel
Many people ask how NIST 800-171 differs from NIST 800-53. In reality, it is not NIST 800-171 vs NIST 800-53: the NIST 800-171 requirements were derived from the NIST 800-53 moderate baseline, tailored for nonfederal systems that handle CUI, so everything traces back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 controls.