Cybersecurity Maturity Model Certification (CMMC) Services

What is CMMC and Who Does It Impact?

US Department of Defense (DoD) contractors are currently required to implement the 110 NIST SP 800-171 practices to protect Controlled Unclassified Information (CUI) under existing DFARS 252.204-7012 contract obligations. The Cybersecurity Maturity Model Certification (CMMC), a three (3) level cybersecurity standards program, will also require organizations handling CUI to meet those same 110 practices and to pass a third-party assessment at Level 2. The Department of Defense has also updated the deadline: the Interim Rule is projected to be published around March of 2024.

With deadlines approaching, securing a trusted partner is essential. Coalfire Federal has 20 years of experience providing advanced cyber support to highly-regulated organizations in the Defense Industrial Base Sector. As one of only a handful of C3PAOs (CMMC Third-Party Assessor Organization), we are uniquely qualified to guide you in your compliance journey. Connect with us today and learn how Coalfire Federal can help you reach your compliance goals with verifiable, accurate results.


What is CMMC 2.0?

CMMC 2.0 is the next iteration of the Department’s cybersecurity model. It streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

The Department’s model will significantly improve its supply chain security posture and acquisition confidence.

  • Self-assessments – A self-assessment is acceptable only for those companies that are required to protect the information systems on which FCI is processed, stored or transmitted. Organizations self-attesting at Level 1 must complete an annual self-assessment and an annual affirmation by a senior company official.
  • Security Practice Alignment – CMMC 2.0 is intended to accommodate a majority of DIB contractors that only handle FCI by eliminating maturity process requirements for Level 1. Level 2 is designed to align with NIST SP 800-171 and its 110 security practices while eliminating all CMMC-specific and unique security practices.
  • Increased Vigilance – Instead of check-the-box compliance, organizations must think more in-depth about becoming secure and staying that way. Increased vigilance will likely be necessary to achieve and maintain cyber maturity.

Level 1 – Foundational

Applies to companies that focus on the protection of Federal Contract Information (FCI).

Level 2 – Advanced

This level applies to companies who handle Controlled Unclassified Information (CUI).


Level 3 – Expert

Intended for companies that collaborate with CUI on the Department of Defense’s highest-priority programs.

What Role Does the Cyber AB Play in the CMMC Process?

The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification ecosystem and the sole authorized non-governmental partner of the U.S. Department of Defense in implementing and overseeing the CMMC conformance regime.

The accreditation body verifies the credentials and qualifications of C3PAOs and ensures that they can deliver the appropriate guidance for contracting companies that are trying to meet the compliance requirements. It also establishes the framework and standards for becoming a C3PAO.

CMMC FAQs

Please note that this FAQ is a summary and should be used in conjunction with the official CMMC documentation for precise guidance and compliance instructions.

1. What is CMMC, and Who Does It Impact?

CMMC, or Cybersecurity Maturity Model Certification, impacts US Department of Defense (DoD) contractors. It requires organizations handling Controlled Unclassified Information (CUI) to meet 110 NIST SP 800-171 practices and pass a third-party assessment at Level 2. The Department of Defense projects the Interim Rule to be published around March 2024.

2. What is the Role of Coalfire Federal in Compliance?

Coalfire Federal is one of the few C3PAOs (CMMC Third-Party Assessor Organizations) and has 20 years of experience providing advanced cyber support to regulated organizations in the Defense Industrial Base. We offer advisory guidance and assessment services to help you achieve your compliance goals.

3. What is CMMC 2.0, and How Does it Differ from the Previous Model?

CMMC 2.0 is the next iteration of the DoD’s CMMC cybersecurity model. It streamlines requirements into three levels, aligns with NIST cybersecurity standards, and improves supply chain security posture and acquisition confidence. Self-assessments are acceptable for Level 1, while Level 2 aligns with NIST SP 800-171.

4. What Are the Key Differences Between CMMC 2.0 and NIST 800-171?

CMMC 2.0 adds a level-based model, focuses on Controlled Unclassified Information (CUI) standards, and includes additional domains beyond NIST 800-171, providing a more comprehensive approach to cybersecurity.

5. What are the Certification Levels?

CMMC Level 1: Focuses on the protection of Federal Contract Information (FCI).

CMMC Level 2: Applies to companies handling Controlled Unclassified Information (CUI).

CMMC Level 3: Intended for companies working on the Department of Defense’s highest-priority programs in collaboration with CUI.

6. What Role Does the Cyber AB (Accreditation Body) Play in Compliance?

The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the conformance regime. It verifies the credentials and qualifications of C3PAOs and sets standards for becoming a C3PAO.

Where are you in your CMMC Journey?

Coalfire Federal was among the first group of companies to be selected as a Registered Provider Organization (RPO) and CMMC Third-Party Assessor Organization (C3PAO). Regardless of where you are in your compliance journey, our advisory and assessment services can help you effectively plan and prepare for your CMMC certification.

I Need to Become Assessment-Ready

Requirements are exacting. Coalfire Federal can help you effectively prepare to become CMMC-ready. Leveraging our C3PAO expertise, we know how to prepare for the certification assessment and can guide you through the process. Our suite of services includes:

  • CUI Boundary Analysis – Assists in the determination of in-scope organizational and system environments.
  • Gap Analysis – Evaluates your organization’s current readiness state against CMMC practices.
  • Remediation Support – Closes identified cybersecurity gaps and helps you achieve certification-ready status.

I Am Ready for my (C3PAO) Assessment

Among the first group of authorized C3PAO companies, and the first to have CMMC Provisional Assessors on staff, Coalfire Federal is uniquely qualified with the expertise to accurately assess your environment, security practices, and maturity level against the framework. Coalfire Federal offers the following assessment services:

  • Mock Assessment – This is our unofficial, comprehensive assessment which mirrors the certification assessment. It is designed to help you predetermine the likely outcome and your team’s readiness during an official CMMC certification assessment.
  • Assessment – The official certification assessment your organization must undergo to achieve CMMC certification.