The recent update in the Cybersecurity Maturity Model Certification (CMMC) have left Department of Defense (DoD) contractors with some questions. The biggest difference in CMMC 2.0 is the number of levels of the certification. CMMC 2.0 cuts out the maturity processes unique to CMMC, condensing the certification levels from five to three.

So, how do you prepare for these new changes? Here are some updated commonly asked questions and answers about CMMC 2.0.

Do I need to be CMMC Certified?

Anyone who does business with the Department of Defense (DoD) must be certified, including subcontractors. There are self-attestation and 3rd-party attestation paths available depending on the criticality of the program you work on.

Why was CMMC 2.0 released?

CMMC 2.0 was released in November 2021 to streamline the CMMC process. Many small and medium-sized contractors (SMBs) expressed concerns about the costs, complexity, and five-year timeline of implementation. The main reasoning behind the certification is to protect federal contract information (FCI) and controlled unclassified information (CUI).

Can I do self-assessment for CMMC?

Level 1 is achievable through an annual self-assessment since it only deals with FCI. All contractors achieving Level 2 that are a non-prioritized program are also permitted to do an annual self assessment. Aside from these select programs, all other contractors achieving Level 2 require a triennial third-party assessment from a C3PAO since Level 2 involves the protection of CUI. All contractors achieving the highest level, Level 3, will be required to undergo a triennial government-led assessment.

What are the levels of CMMC?

CMMC 2.0 is made up of three levels. Starting at Level 1, they are Foundational, Advanced, and lastly, Expert. The higher the level, the more critical the information is to national security.

  • Level 1 is aligned with Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
  • Level 2 is aligned with NIST SP 800-171 (and requires compliance with FAR 52.204-21)
  • Level 3 is aligned with NIST SP 800-172 (and requires compliance with FAR 52.204-21 and NIST SP 800-171)

What is CMMC Level 1 for?

CMMC Level 1 will be required for contractors dealing only with FCI. This level is for contractors not handling information that is critical to national security. It contains 17 controls encapsulated in FAR 52.204-21. Obtaining CMMC Level 1 requires a self-assessment with annual recertification.

How much does CMMC cost?

The DoD has determined that the costs to prepare for CMMC will be considered an allowable cost, meaning that they can be billed directly to the DoD and will be reimbursable. To read more, check out our blog on the cost of CMMC.

Does the certification requirement apply to grants as well as contracts?

As of now, the requirement applies to DoD contract funding only, and only is associated with the project when the RFP/RFI includes a statement pertaining to the CMMC level that applies. This language can be found on contract vehicles as well.

What is the best way to prepare for the certification?

The first step is assessing your company’s security gaps and weaknesses. If remediation is necessary to bring your company up to the standards of the level for which you would like to be certified, bringing in a Registered Provider Organization (RPO) with expertise in CMMC assessments and remediation can prove to be beneficial to get your business on the right path. Learn more about Bravo’s CMMC services here.

What can I expect from the formal certification assessment?

For self-assessments, contractors will continue to use the Supplier Performance Risk System (SPRS) to submit assessments to the DoD.

For third-party assessments, a CMMC Third Party Assessment Organization (C3PAO) will conduct a thorough review of your System Security Plan (SSP) to assess your handling of Controlled Unclassified Information (CUI) and look for any weak spots and possible remediation paths to eliminate the risk that comes from them. From there, your policies, standards, and procedures are evaluated to see if they align with your SSP and if it supports the requirements associated with the level you are being audited for. One main component the assessors are looking for is maturity in your control responses. Therefore, it is important to not wait until the last minute to prepare for CMMC.

How can I learn more about CMMC?

To learn more, visit The Office Under the Secretary of Defense for Acquisition and Sustainment’s informative website or Bravo’s CMMC page.

Have more questions about CMMC or need help getting started? Fill out the form below!