what is
cmmc 2.0?

The Cybersecurity Maturity Certification program was initiated by the United States Department of Defense (DoD). It aims to assess defense contractors' capabilities, readiness, and sophistication in cybersecurity. The framework comprises processes and other frameworks and inputs from cybersecurity standards like NIST, FAR, and DFARS.

The certificate's primary purpose is to safeguard the Controlled Unclassified Information and Federal Contract Information (FCI) in federal contractors' possessions and use.Originally, DoD announced the CMMC program on January 31, 2020, and revised it on November 2021.

The latest version is CMMC 2.0

WHo is it for?

CMMC compliance is a mandatory requirement for any company that is a part of the Defense Industrial Base and
related to the Defense Supply Chain. In simple terms, the two candidates for CMMC are:

Prime Contractors working
with Government

Subcontractors working
with Primes

CMMC 1.0

1

Basic Cyber Hygiene

The Dod contractor must comply with 17 practices in Federal Acquisition Regulation (DAR) 48 CFR 52.204-21

2

IntermediatE Cyber Hygiene

The DoD contractor must comply with 48 additional controls from NIST 800-171, as well as  an additional 7 “Other” practices.

3

Good Cyber Hygiene

The DoD contactor must comply with all practices from NIST 800-171B as well as an additional 20 “Other” practices.

4

Proactive

The DoD contactor must comply with 11 controls from Draft NIST 800-171B as well as an additional 15 “Other” practices.

5

Advanced or Progressive

The DoD contractor must comply with the final 4 practices from Draft NIST 800-171B as well as an additional 11 “Other” practices.

CMMC 2.0

1

Basic Cyber Hygiene

The Dod contractor must comply with 17 practices in Federal Acquisition Regulation (DAR) 48 CFR 52.204-21

2

Good Cyber Hygiene

The DoD contactor must comply with all practices from NIST 800-171B as well as an additional 20 “Other” practices.

3

Advanced or Progressive

The DoD contractor must comply with the final 4 practices from Draft NIST 800-171B as well as an additional 11 “Other” practices.

CMMC
Model 1.0

LEVEL 5

Advanced
CUI,critical programs

LEVEL 4

Proactive
Transition level

LEVEL 3

Good CUI

LEVEL 2

Intermediate
Transition level

LEVEL 1

Basic FCI only

CMMC
Model 2.0

Model

Assessment

LEVEL 3

Expert

110+

Practices based on
NIST SP 800-172

110+

Triannual government-
led assessments

LEVEL 2

Advanced

110

Practices aligned
with NIST SP 800-171
Triannual third-party assessments for critical national secuirty information; Annual self-assessment for select programs

LEVEL 1

Foundational

17

Practices
Annual self-assessment

frequently ASKED QUESTIONS ABOUT CMMC 2.0

Know  every important detail about CMMC 2.0 . Our FAQ section contain most vital information  that you need.
Your customers can now buy instantly across every sales channel
Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat  Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat
Your customers can now buy instantly across every sales channel
Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat  Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat
Your customers can now buy instantly across every sales channel
Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat  Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat
Your customers can now buy instantly across every sales channel
Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat  Amet minim mollit non deserunt ullamco est sit aliqua dolor do amet sint. Velit officia consequat

CMMC Glossary

Here is a list of commonly used glossaries related to CMMC.

TERM & DEFINITION

TERM

DEFINITION

Asset Owner

A person or group with primary responsibility for the viability, productivity, security, and resilience of an organizational asset.

Cybersecurity Maturity Model Certification (CMMC)

The set of requirements the Department of Defense has which an organization seeking certification (OSC) is assessed by. A certification process is now required for businesses seeking contracts with the DoD.

CMMC Assessment

The formal process of assessing the implementation and reliable use of controls through interviews, document reviews, and other observation measures. For CMMC specifically, an assessment is performed by an organization AND on an organization to see if they meet the requirements for the CMMC Level they are achieving certification for.

CMMC Audit

Performed by a C3PAO or CA and sanctioned by CMMC-AB, this is the process where an official professional or organization will check your organization against a given level of CMMC that you are achieving certification for to see if you successfully meet the requirements for that level. If you pass the audit, you’re issued the certification for that CMMC level.

CMMC Certified Assessor (CA)

A cybersecurity professional who has completed the background, training, and examination requirements to be certified at one of three levels by CMMC-AB. They are the ones who usually perform an audit on an organization.

CMMC Certified Professional (CP)

An individual authorized to participate as an assessment team member under the supervision of a Certified Assessor and authorized to have CMMC training.

CMMC Certified 3rd Party Assessment Organization (C3PAO)

An organization that has been certified by CMMC-AB to be contracted to provide consulting or certified assessments for an organization seeking certification for CMMC at any given level.  

CMMC Certified Organization

An organization that has passed a CMMC Audit successfully and been issued a CMMC Certificate for a given level by the CMMC-AB.

CMMC Control

The policies and procedures to protect the organization's assets, maintain efficiency and stay within established standards. For CMMC, there are a total of 110+ controls that need to be met for full Level 3 certification, though Level 1 starts out with only 17.

CMMC Domain

Part of the CMMC model framework, domains are the categories of the framework, which are further broken down into a set of processes and practices with different topics related to the security of an organization. There are 17 domains within CMMC.

CMMC Maturity Level

This term is used to describe the security practices of a Defense Contractor found eligible for a CMMC-assessed seal after going through an audit sanctioned by the CMMC-AB. There are 3 maturity levels:  Level 1: Foundational, Level 2: Advanced, and Level 3: Expert. 

CMMC Registered Provider Organization (RPO)

A company authorized to represent itself as familiar with the CMMC Standard (given a CMMC-AB standardized logo) and is able to deliver CMMC consulting to organizations seeking certification (non-certified consulting). InterSec is a CMMC Registered Provider Organization.

CMMC Registered Practitioner (RP)

An individual who has gone through training to provide consulting services or advice related to CMMC to an OSC that is non-certified. They do not participate in official audits. 

Controlled Unclassified Information (CUI)

Sensitive information that requires safeguarding and is protected with the aid of law, regulations, and government-wide policies.

Department of Defense (DoD)

 Executive department of the United States federal government. It is responsible for the nation's military affairs, including research, development, and procurement. It also directs operations by the armed forces. The DoD is the agency responsible for creating the CMMC model.

Defense Contractor

Organizations (generally privately owned) that provide products and services to the Department of Defense. They must have at least one contract with the DoD to do so.

Defense Industrial Base (DIB)

The industrial complex is the worldwide network of companies, universities, and institutions that create, produce, or otherwise supply weapons, computers, and other products used by the US military. Most Defense Contractors are considered a part of the DIB.

Dispute Adjudicator

An employee from CMMC-AB that is responsible for handling disputes between an Assessor and OSC for an Assessment/Audit. 

Federal Contract Information (FCI)

Proprietary information (not intended for public release) that is generated under contract to develop or deliver a product or service to the Government.

Gap Analysis

A gap analysis is a tool that companies can use to compare their current performance with how they strive to perform. For CMMC, it is usually a report that identifies where an organization lacks security regulations, implementations, and requirements (similar to a POA&M).

NIST SP 800-171

A standard published by the National Institute of Standards and Technology (NIST). The 113-page document outlines the security requirements organizations must satisfy to protect CUI data in non-federal systems. The document lists 110 requirements (or controls) that makeup CMMC levels 1-2. 

Organization Seeking Certification (OSC)

An organization that intends to go through the CMMC assessment process and become certified under CMMC for a particular level.

Plan of Action and Milestones (POA&M)

A document that identifies missing security requirements and objectives and provides a timeline for their resolution. Cybersecurity professionals produce this document. 

System Security Plan (SSP)

An SSP is a document describing an organization's information security policies, practices, and procedures. This is required at CMMC Level 2 and beyond and is an important document used in the audit process. 
As one of the boutique cybersecurity providers, InterSec employs continuous cyber innovation, sophisticated tradecraft, and top talent to deliver results. Our diverse clients span Commercial, State, and Federal agencies. Our deep cyber and industry expertise is earned through hands-on experience, from Cybersecurity Program setup to Operational Security. Our cyber security services meet mission critical objectives in a secure and compliant manner.

Download our Capability Statement.
Download Capability Statement

CASE STUDIES

Over 300 Case studies of how we help different companies and individual profer solutions to their security challenges.
No items found.
VIEW MORE
DIY CMMC Self Compliance
Get a free CMMC Consultation
Get a free CMMC Consultation
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.