What is CMMC Compliance?
CMMC compliance refers to meeting the requirements of the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. In practice it involves scoping the environment that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), producing the supporting documentation (e.g., policies, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a supply chain risk management (SCRM) plan), implementing the NIST SP 800-171 security requirements for CUI, and producing evidence that each requirement is met when assessed against the assessment objectives in NIST SP 800-171A.
CMMC 2.0 is currently based on NIST SP 800-171 R2 and NIST SP 800-171A. There are three (3) CMMC 2.0 levels:
- CMMC 2.0 Level 1: Basic Safeguarding of FCI
  - Requirements: Annual self-assessment and annual affirmation of compliance with the 15 basic safeguarding requirements in FAR clause 52.204-21.
- CMMC 2.0 Level 2: Broad Protection of CUI
  - Requirements:
    - Either a self-assessment or a C3PAO (CMMC Third-Party Assessment Organization) assessment every three years, as specified in the solicitation. Which assessment type applies is determined by the type of information processed, transmitted, or stored on the contractor's or subcontractor's information systems.
    - Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.
- CMMC 2.0 Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
  - Requirements:
    - First achieve a CMMC Level 2 certification from a C3PAO assessment.
    - Undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
    - Provide an annual affirmation verifying compliance with the 24 selected requirements from NIST SP 800-172.