The Public Contracting Institute offers training and information about the Cybersecurity Maturity Model Certification (CMMC) program. Thanks to James Goepel at Fathom Cyber for helping PCI build this page.
Broad Cybersecurity Maturity Model Certification Information
Does PCI Offer Cybersecurity Training?
Yes! To see a list of our upcoming classes on cybersecurity, click here.
Are there any “official” FAQs from DoD about CMMC?
Yes! DoD published an FAQ on the Cybersecurity Maturity Model Certification. You can find it by visiting the DoD CIO’s website (https://dodcio.defense.gov/) and clicking on CMMC –> FAQ in the toolbar, or you can get to it directly by clicking here: CMMC FAQs. DoD also publishes the DoD Procurement Toolbox and has published a CMMC FAQ there.
Where can I find authoritative or relevant CMMC documents?
The government has published several resources that can help you with your Cybersecurity Maturity Model Certification journey.
Name/Short Description | Link | Description/Relevance to the CMMC Program |
--- | --- | --- |
Basic Safeguarding of Covered Contractor Information Systems | FAR 52.204-21 | Identifies a baseline set of requirements which must be implemented by all government contractors. These are the basis for CMMC Level 1. |
CUI Program Creation | Executive Memorandum 20080509-06 | Executive Memorandum which established a process for standardizing how federal government agencies identify and handle sensitive, unclassified information and defines Controlled Unclassified Information (“CUI”). |
CUI Program Authorization | Executive Order 13556 | Executive Order 13556 restructured the initial CUI program based on lessons learned. Authorizes the National Archives and Records Administration (“NARA”) to establish a government-wide CUI program. |
Government-wide CUI Program | 32 CFR 2002 | 32 CFR 2002 is the regulation promulgated by NARA which defines the government-wide CUI program. Ensuring the government’s information, including CUI, is properly safeguarded is a primary basis for DoD’s implementation of the CMMC program. |
DoD CUI Program | DoDI 5200.48 | 32 CFR 2002 defines the CUI program that must be implemented by all federal agencies. However, each agency has the latitude to implement the requirements in 32 CFR 2002 as appropriate for their agency. DoD’s CUI program (i.e., its implementation of the requirements in 32 CFR 2002) is defined in DoDI 5200.48. |
Distribution Statements on DoD Technical Information | DoDI 5230.24 | As discussed in more detail elsewhere in these FAQs, one way for information to become CUI is for a law, regulation, or government-wide policy to allow or require the implementation of limited dissemination controls on that information. DFARS 252.204-7012 (a regulation) defines a form of CUI called Controlled Technical Information (“CTI”). The basis for identifying CTI is whether the information would qualify for at least one of distribution statements B through F in DoDI 5230.24. |
NIST SP 800-171 Rev. 2 | Protecting CUI in Nonfederal Systems | 32 CFR 2002 (the government-wide CUI program) specifies that NIST SP 800-171 is to be used as the requirements for safeguarding CUI in non-federal information systems. Non-federal information systems are computer/IT equipment that is not managed by or on behalf of the government. |
NIST SP 800-171A | Assessing Security Requirements for Controlled Unclassified Information | NIST SP 800-171A is the official assessment guide for determining compliance with the safeguarding requirements in NIST SP 800-171. Compliance with the 110 requirements in NIST SP 800-171 is demonstrated by ensuring that your organization meets all 320 assessment objectives in NIST SP 800-171A. |
NIST SP 800-172 | Enhanced Security Requirements for Protecting Controlled Unclassified Information | If your organization is a prime contractor handling a large amount of CUI, you may need to meet the requirements in NIST SP 800-172 in addition to those in NIST SP 800-171. |
NIST SP 800-172A | Assessing Enhanced Security Requirements for Controlled Unclassified Information | NIST SP 800-172A is the official assessment guide for NIST SP 800-172. |
CMMC Program Rule | 32 CFR 170 | The Cybersecurity Maturity Model Certification (“CMMC”) program is implemented across several regulations. However, the primary definition of the CMMC program is in 32 CFR 170. |
Compliance with Safeguarding Covered Defense Information Controls | DFARS 252.204-7008 | By signing a contract that includes DFARS 252.204-7008, a contractor is representing that it will (or has) “implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 … that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.” |
Safeguarding Covered Defense Information and Cyber Incident Reporting. | DFARS 252.204-7012 | Imposes safeguarding and incident reporting requirements on any non-federal information system that will be used to store, process, or transmit CUI. This clause must be flowed down by prime contractors to all subcontractors, at all tiers, who handle CUI except contractors providing commercially available off-the-shelf products. |
Class Deviation—Safeguarding Covered Defense Information and Cyber Incident Reporting | DARS Tracking Number 2024-O0012 | Both DFARS 252.204-7008 and DFARS 252.204-7012 require implementation of the requirements specified in the version of NIST SP 800-171 “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” NIST released NIST SP 800-171 Rev. 3 in early 2024. However, much of the CMMC Program Rule is specifically tied to NIST SP 800-171 Rev. 2 (the previous version). This Class Deviation alters the language in DFARS 252.204-7012 to allow contractors to focus on compliance with NIST SP 800-171 Rev. 2. |
Notice of NIST SP 800-171 DoD Assessment Requirements | DFARS 252.204-7019 | Requires contractors who handle CUI to: (1) conduct a self-assessment of their information security program against the requirements in NIST SP 800-171; (2) calculate a score using the NIST SP 800-171 DoD Assessment Methodology; and (3) submit the score to DoD’s Supplier Performance Risk System (“SPRS”). This clause must be flowed down by prime contractors to all subcontractors, at all tiers, who handle CUI except contractors providing commercially available off-the-shelf products. |
NIST SP 800-171 DoD Assessment Methodology | NIST SP 800-171 DoD Assessment Methodology | The scoring methodology used to calculate a score which a contractor submits to SPRS. |
NIST SP 800-171 DoD Assessment Requirements | DFARS 252.204-7020 | Allows DoD to audit contractors, at any tier, to confirm their compliance with the CUI safeguarding requirements as represented by the score they submitted to SPRS. This clause must be flowed down by prime contractors to all subcontractors, at all tiers, who handle CUI except contractors providing commercially available off-the-shelf products. |
Cybersecurity Maturity Model Certification Requirements. | DFARS 252.204-7021 | Imposes CMMC requirements on all contractors. This clause must be flowed down to all subcontractors, at all tiers, except contractors providing commercially available off-the-shelf items. |
Notice on the Use of the Supplier Performance Risk System. | DFARS 252.204-7024 | This provision provides notice to contractors that DoD Contracting Officers will use the information in SPRS, including supplier risk information, to evaluate proposals and when awarding a contract. |
CMMC 101 Brief | CMMC 101 Brief | A presentation prepared by DoD which summarizes the CMMC program. |
CMMC Overview Briefing (Audio) | CMMC Overview Briefing (Audio) | An audio-only briefing which describes highlights of the CMMC program. |
CMMC Model Overview | CMMC Program Model Overview | A document prepared by DoD which describes the CMMC program in detail. |
CMMC Level 1 Scoping Guidance | CMMC Level 1 Scoping Guidance | Provides guidance on determining what assets from the organization’s information system will be “in scope” (i.e., assessed as part of) for a CMMC Level 1 assessment. |
CMMC Level 1 Self-Assessment Guide | CMMC Level 1 Self-Assessment Guide | Provides the set of assessment criteria which must be used during a CMMC Level 1 Self-Assessment. |
CMMC Level 2 Scoping Guidance | CMMC Level 2 Scoping Guidance | Provides guidance on determining what assets from the organization’s information system will be “in scope” (i.e., assessed as part of) for CMMC Level 2 assessments, including self-assessments and third-party (C3PAO) assessments. |
CMMC Level 2 Assessment Guide | CMMC Level 2 Assessment Guide | Supplements NIST SP 800-171A to include additional clarifications, guidance, and interpretations by DoD. |
CMMC Level 3 Scoping Guidance | CMMC Level 3 Scoping Guidance | Provides guidance on determining what assets from the organization’s information system will be “in scope” (i.e., assessed as part of) for a CMMC Level 3 assessment. |
CMMC Level 3 Assessment Guide | CMMC Level 3 Assessment Guide | Supplements NIST SP 800-172A to include additional clarifications, guidance, and interpretations by DoD regarding the controls from NIST SP 800-172 that are assessed as part of a CMMC Level 3 assessment. |
CMMC Hashing Guide | CMMC Hashing Guide | At the end of an assessment, organizations are expected to “hash” the corresponding evidence. This helps ensure the integrity of the evidence (i.e., that the evidence has not been modified) while it is in the organization’s possession. Hashes are advanced mathematical functions which calculate unique “fingerprints” based on attributes of digital information. If evidence is modified or otherwise tampered with, the fingerprint from the hash function will be different, allowing for easy identification of “spoiled” evidence. |
Additional resources can be found on DoD’s CMMC Resources & Documentation page.
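The evidence hashing described in the CMMC Hashing Guide row above, as an added Python example (not the guide's own procedure or code, nor code from PCI or Fathom Cyber): it fingerprints each evidence file with SHA-256, records a manifest plus the manifest's own digest, and then shows that an edited, deleted, or added file is flagged as spoiled. SHA-256, the directory layout, the manifest format, and the sample evidence files are assumptions constructed for this example.

```python
"""Hash-based integrity check for CMMC assessment evidence.

Added example; not code from the CMMC Hashing Guide, DoD, PCI or Fathom Cyber.
SHA-256, the directory layout, the manifest format and the sample evidence
files are assumptions constructed for this illustration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

_CHUNK = 1 << 16  # read 64 KiB at a time so large evidence (log exports, images) fits in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest (the 'fingerprint') of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(_CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict[str, str]:
    """Map every file under evidence_dir (relative POSIX path) to its digest."""
    return {
        p.relative_to(evidence_dir).as_posix(): sha256_file(p)
        for p in sorted(evidence_dir.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest: dict[str, str], out_path: Path) -> str:
    """Write sha256sum-style lines ('<digest>  <path>') and return the digest
    of the manifest file itself; that single value is what you record
    separately (e.g. with the assessor) so the list cannot be silently edited."""
    lines = [f"{d}  {name}" for name, d in sorted(manifest.items())]
    out_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return sha256_file(out_path)


def read_manifest(path: Path) -> dict[str, str]:
    """Parse a manifest produced by write_manifest."""
    entries = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            entries[name] = digest
    return entries


def verify_evidence(evidence_dir: Path, manifest_path: Path,
                    manifest_digest: str) -> dict[str, list[str]]:
    """Report every way the evidence set differs from what was recorded.

    Keys: 'manifest_tampered' (the manifest itself no longer matches the
    separately recorded digest), 'modified', 'missing', 'added'.
    All four lists empty means the evidence is intact.
    """
    report = {"manifest_tampered": [], "modified": [], "missing": [], "added": []}
    if not hmac.compare_digest(sha256_file(manifest_path), manifest_digest):
        report["manifest_tampered"].append(manifest_path.name)
    recorded = read_manifest(manifest_path)
    current = build_manifest(evidence_dir)
    for name, digest in recorded.items():
        if name not in current:
            report["missing"].append(name)
        elif not hmac.compare_digest(current[name], digest):
            report["modified"].append(name)
    report["added"].extend(sorted(set(current) - set(recorded)))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: hash three evidence files, then spoil the set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        (evidence / "access-control").mkdir(parents=True)
        (evidence / "access-control" / "user-list.csv").write_text("alice,active\nbob,active\n")
        (evidence / "SSP.pdf").write_bytes(b"%PDF-1.4 constructed sample SSP")
        (evidence / "scan-report.txt").write_text("0 findings\n")

        manifest_path = root / "evidence.sha256"  # kept outside the evidence tree
        manifest_digest = write_manifest(build_manifest(evidence), manifest_path)
        intact = verify_evidence(evidence, manifest_path, manifest_digest)
        assert not any(intact.values())  # a freshly hashed set verifies clean

        # Spoil the evidence: edit one file, delete one, slip in a new one.
        (evidence / "scan-report.txt").write_text("3 findings\n")
        (evidence / "SSP.pdf").unlink()
        (evidence / "late-addition.txt").write_text("not in the original set\n")
        return verify_evidence(evidence, manifest_path, manifest_digest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Recording the manifest digest somewhere the evidence custodian cannot edit (for example, in the assessor's own notes) is what makes the manifest itself trustworthy.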
What is the Cybersecurity Maturity Model Certification (“CMMC”)?
CMMC is a program created by the United States Department of Defense (“DoD”) to help ensure government contractors and others who receive information from the government will properly safeguard that information.
Do CMMC requirements only apply to prime contractors?
No. Under the Cybersecurity Maturity Model Certification, prime contractors are required to “flow down” the CMMC requirements to all contractors who store, process, or transmit non-public government information, except those providing commercial off-the-shelf (“COTS”) items.
How does the CMMC program work?
The Cybersecurity Maturity Model Certification program involves the review of a contractor’s information security program against established requirements. The nature of the requirements varies depending on the sensitivity of the information the contractor handles.
Why do the CMMC requirements vary?
After the attacks of September 11, 2001, the federal government sought to encourage the free flow of information to appropriate persons. As part of this process, the government established four categories of information:
Category | Overview/Description | Safeguarding Requirements for Non-Federal Information Systems |
--- | --- | --- |
Classified Information | Information which has an impact on national security. | Defined in the National Industrial Security Program Operating Manual (“NISPOM”) |
Controlled Unclassified Information | Information created by or on behalf of the government which, although not classified, is still sensitive. This information is deemed sensitive because there is a law, regulation, or government-wide policy that requires or permits the application of a) safeguarding controls (above those defined in FAR 52.204-21) or b) limited dissemination controls. | Basic safeguarding requirements are defined in NIST SP 800-171. Additional safeguarding requirements may be imposed by the corresponding law, regulation, or government-wide policy. |
Federal Contract Information | All non-public information created by or on behalf of the government. | Defined in FAR 52.204-21. |
Public Information | Information which has been authorized for public release by an appropriate individual within the government. | None |
The federal government also recognized that:
- implementing information security inherently limits the free flow of information;
- there is an expense associated with implementing information security;
- it is not in taxpayers’ interest to safeguard all information as though it was Classified Information; and
- safeguarding all information as though it was Classified Information can be detrimental to national security.
The government therefore created different safeguarding requirements which must be in place in a non-federal information system before the corresponding type of information can be shared with a non-federal organization (e.g., a government contractor) while also not imposing unnecessary safeguarding requirements. This risk-based approach helps the government strike a balance between security and cost.
CMMC Level 1 represents DoD’s approach to ensuring that Federal Contract Information (“FCI”) is properly safeguarded consistent with the government-wide requirements. CMMC Level 2 represents DoD’s approach to ensuring Controlled Unclassified Information (“CUI”) is properly safeguarded consistent with the government-wide requirements. CMMC Level 3 represents DoD’s approach to ensuring that non-federal entities who handle highly sensitive CUI or large quantities of CUI are taking additional steps to safeguard that information consistent with the sensitivity of that information.
How are the CMMC requirements divided?
Cybersecurity Maturity Model Certification divides the safeguarding requirements into three “levels”. Level 1 is the most basic and applies to all government contractors. Level 2 applies only to government contractors who store, process, or transmit (i.e., “handle”) Controlled Unclassified Information (“CUI”). Level 3 applies only to prime contractors who aggregate large amounts of CUI or who handle especially sensitive CUI.
What is Federal Contract Information (“FCI”)?
Federal Contract Information is critical to understanding Cybersecurity Maturity Model Certification compliance. FCI is defined in the Federal Acquisition Regulations (“FAR”) 52.204-21(a) as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Put more simply, FCI is any non-public information that is created by or for the government.
What is Controlled Unclassified Information (“CUI”)?
Protecting Controlled Unclassified Information (CUI) is one of the core goals of the Cybersecurity Maturity Model Certification program. CUI is defined in 32 CFR 2002.4(h) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information…or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
What is the difference between CUI Basic and CUI Specified?
Understanding the Cybersecurity Maturity Model Certification means understanding different types of CUI. One fundamental attribute that makes information CUI is if there is a law, regulation, or government-wide policy (“LRGWP”) that requires or permits the information to be safeguarded or makes it subject to limited dissemination controls.
In some cases, the LRGWP includes specific safeguarding requirements or limited dissemination controls. When that is true, the information is considered “CUI Specified”.
If the LRGWP does not include specific safeguarding requirements (i.e., the LRGWP just says that the information must be safeguarded, but it does not say how), the information is considered “CUI Basic”.
How long does it take to get CMMC Level 2 certified?
The CMMC Level 2 C3PAO assessment generally plays out over the course of a few weeks. However, it is important to note that it may take longer in some instances.
The process begins when you engage the C3PAO. They will ask you to provide some fundamental information about your organization and its information security program. The C3PAO will perform a basic validation of the information you provide to ensure that you are ready for the assessment. There may be a cost associated with this review.
Once the C3PAO believes you are ready for an assessment, they will ask you to sign an agreement with them and they will put you in line for the assessment. Some C3PAOs are asking for a deposit when your place in line is reserved. The deposit is applied toward the cost of the assessment.
Within about 2 weeks of your assessment date, you will be asked to provide final versions of your assessment documentation. This includes your System Security Plan (“SSP”) and all corresponding evidence. The C3PAO’s assessment team will review the evidence prior to your assessment so they are familiar with the way your organization operates.
The actual assessment typically takes a few days to a week. It is a fairly intense and tedious process where the assessment team asks you to walk them through how your organization meets every Assessment Objective in NIST SP 800-171A. If your organization handles physical CUI, including paper CUI, CUI stored or processed on local computer equipment, or CUI stored on removable media, a physical site assessment will also be necessary.
That physical site assessment is often conducted during the assessment week, but may occur at another time based on the availability of your team, the availability of the C3PAO’s assessment team, and travel conditions.
Once the assessment is complete, if you have successfully demonstrated that you meet all of the requirements, the C3PAO’s team will typically issue the certification within 1-2 weeks.
How long does it take to prepare for a CMMC Level 2 assessment?
It depends on the maturity level of your organization’s information security program. If your organization is essentially starting from zero, the process can take 12-18 months. Organizations that have more mature information security programs find that it takes at least 3-6 months to get a program ready for a CMMC Level 2 assessment.
Using a consultant like Fathom Cyber can streamline the Level 2 assessment preparation process.
How much does a CMMC Level 2 certification cost?
There are a variety of factors that impact the cost of a CMMC Level 2 certification assessment.
Assessment Team Composition – Chief among these is that, according to requirements imposed by DoD, the C3PAO must assign an assessment team of at least three (3) people as part of the assessment. This includes a Lead CMMC Certified Assessor (“Lead CCA”), another CCA, and someone to provide Quality Assurance. While the Lead CCA and CCA can work in parallel on some of the preparatory aspects of the assessment, the entire assessment team will likely need to participate in the assessment.
Assessor Qualifications – DoD requires the individuals performing the Lead CCA, CCA, and QA roles to be highly skilled and have made significant time and financial investments to obtain numerous industry certifications. As a result, their billing rates are between $200 and $400 per hour.
C3PAO Accreditation – DoD is also imposing additional requirements on C3PAOs, including that they obtain formal accreditation under the International Standards Organization (“ISO”). This process requires significant investments of both time and money on the part of the C3PAO.
Travel – If the assessment team must visit your organization to perform a site assessment, you should expect travel-related costs to increase the assessment cost.
As a result of these and other factors, even a simple CMMC Level 2 certification assessment will likely cost between $50,000 and $100,000. Assessments of more complex environments will likely be $100,000+.
What is “scope?”
CMMC involves the assessment of an organization’s information security program against a set of requirements. In some cases, at least some of the organization’s assets (i.e., its people, business processes, equipment/technology, and locations) may not handle any government information and therefore are not (or at least may not be) subject to assessment under CMMC. The set of assets that are subject to the CMMC assessment are referred to as being “in scope” for the assessment. Assets that are not assessed are considered “out of scope” of the assessment.
What are the CMMC implementation phases and when do they begin?
Section 170.3 of the CMMC Program Rule defines four implementation phases for CMMC:
Phase and Summary | Begins (estimated starting date) | Description |
--- | --- | --- |
Phase 1 – Self-Assessments | Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule (July 2025). | DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts. |
Phase 2 – CMMC Level 2 (C3PAO) Certification Assessments | Begins one calendar year following the start date of Phase 1 (July 2026). | In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts. |
Phase 3 – CMMC Level 3 (DIBCAC) Certification Assessments | Begins one calendar year following the start date of Phase 2 (July 2027). | In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award. |
Phase 4 – Full Implementation | Begins one calendar year following the start date of Phase 3 (July 2028). | DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4. |
When can a company self-assess under CMMC?
It depends on the CMMC Level that you are required to meet and the current CMMC implementation phase.
CMMC Level | CMMC Implementation Phase | Is Self-Assessment Allowed? |
--- | --- | --- |
CMMC Level 1 | All | Yes. Always. |
CMMC Level 2 | Phase 1 (~Jul. 2025-Jun. 2026) | Yes. However, proposals of organizations with CMMC certifications may be given higher weight during proposal reviews. Also, DoD reserves the right to require CMMC certifications for certain procurements. |
CMMC Level 2 | Phase 2 (~Jul. 2026 – Jun. 2027) | In most cases, no. For new contracts, DoD expects that only ~5% of new procurements that involve the handling of CUI will allow contractors to self-assess. The remaining procurements (>95%) that involve the handling of CUI will include CMMC Level 2 (C3PAO) Certification requirements for all contractors who will handle CUI. |
CMMC Level 2 | Phases 3 and 4 (after ~Jul. 2027) | In most cases, no. In addition to including CMMC Level 2 (C3PAO) certification requirements in all new contracts that involve the handling of CUI, DoD will also include CMMC Level 2 (C3PAO) certification requirements when exercising contract options or modifying contracts. As with Phase 2, DoD estimates that only a small percentage of procurements may allow self-assessment. |
CMMC Level 3 | All Phases | No. Self-assessments are not permitted. |
Cybersecurity Maturity Model Certification Level 1 Information
What assets are “in scope” for a CMMC Level 1 assessment?
At CMMC Level 1, the only assets that are in scope for assessment are those that store, process, or transmit Federal Contract Information (“FCI”). The CMMC Level 1 Scoping Guide has more details.
What are the CMMC Level 1 requirements?
The CMMC Level 1 requirements are defined in FAR 52.204-21. They are listed below. HOWEVER, it is important to note that, when conducting a CMMC Level 1 self-assessment, you must assess your system against more than the 15 requirements below: you can only conclude that you meet a requirement if you also determine that you meet each Assessment Objective associated with that requirement. These Assessment Objectives are defined in the CMMC Level 1 Assessment Guide (and were borrowed from the corresponding requirements in NIST SP 800-171A).
The FAR 52.204-21 requirements are:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Is it wise for my organization to rely on a self-assessment?
That is a difficult question to answer. Although self-assessments are acceptable at CMMC Level 1, at CMMC Level 2 during Phase 1, and in limited circumstances for CMMC Level 2 during Phases 2-4, there are advantages to having a third party conduct the assessment. For example, many prime contractors and other clients will feel more confident in the assessment results if they are conducted by a third party. In addition, using a third party to conduct the assessment can reduce the likelihood of False Claims Act or other claims being levied against your organization. Ultimately, this is a risk-based decision that your organization must make.
Cybersecurity Maturity Model Certification Level 2 Information
What is Controlled Unclassified Information (“CUI”)?
CUI is defined in 32 CFR 2002.4(h) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information…or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
How long does it take to get CMMC Level 2 certified?
The CMMC Level 2 C3PAO assessment generally plays out over the course of a few weeks. However, it is important to note that it may take longer in some instances.
The process begins when you engage the C3PAO. They will ask you to provide some fundamental information about your organization and its information security program. The C3PAO will perform a basic validation of the information you provide to ensure that you are ready for the assessment. There may be a cost associated with this review.
Once the C3PAO believes you are ready for an assessment, they will ask you to sign an agreement with them and they will put you in line for the assessment. Some C3PAOs are asking for a deposit when your place in line is reserved. The deposit is applied toward the cost of the assessment.
Within about 2 weeks of your assessment date, you will be asked to provide final versions of your assessment documentation. This includes your System Security Plan (“SSP”) and all corresponding evidence. The C3PAO’s assessment team will review the evidence prior to your assessment so they are familiar with the way your organization operates.
The actual assessment typically takes a few days to a week. It is a fairly intense and tedious process where the assessment team asks you to walk them through how your organization meets every Assessment Objective in NIST SP 800-171A. If your organization handles physical CUI, including paper CUI, CUI stored or processed on local computer equipment, or CUI stored on removable media, a physical site assessment will also be necessary.
That physical site assessment is often conducted during the assessment week, but may occur at another time based on the availability of your team, the availability of the C3PAO’s assessment team, and travel conditions.
Once the assessment is complete, if you have successfully demonstrated that you meet all of the requirements, the C3PAO’s team will typically issue the certification within 1-2 weeks.
How long does it take to prepare for a CMMC Level 2 assessment?
It depends on the maturity level of your organization’s information security program. If your organization is essentially starting from zero, the process can take 12-18 months. Organizations with more mature information security programs find that it still takes at least 3-6 months to get a program ready for a CMMC Level 2 assessment.
Using a consultant like Fathom Cyber can streamline the Level 2 assessment preparation process.
How much does a CMMC Level 2 certification cost?
There are a variety of factors that impact the cost of a CMMC Level 2 certification assessment.
Assessment Team Composition – Chief among these is that, according to requirements imposed by DoD, the C3PAO must assign an assessment team of at least three (3) people as part of the assessment. This includes a Lead CMMC Certified Assessor (“Lead CCA”), another CCA, and someone to provide Quality Assurance. While the Lead CCA and CCA can work in parallel on some of the preparatory aspects of the assessment, the entire assessment team will likely need to participate in the assessment.
Assessor Qualifications – DoD requires the individuals performing the Lead CCA, CCA, and QA roles to be highly skilled and have made significant time and financial investments to obtain numerous industry certifications. As a result, their billing rates are between $200 and $400 per hour.
C3PAO Accreditation – DoD also imposes additional requirements on C3PAOs, including that they obtain formal accreditation under the International Organization for Standardization (“ISO”) inspection-body standard, ISO/IEC 17020. This process requires significant investments of both time and money on the part of the C3PAO.
Travel – If the assessment team must visit your organization to perform a site assessment, you should expect travel-related costs to increase the assessment cost.
As a result of these and other factors, even a simple CMMC Level 2 certification assessment will likely cost between $50,000 and $100,000. Assessments of more complex environments will likely be $100,000+.
What is “scope?”
CMMC involves the assessment of an organization’s information security program against a set of requirements. In some cases, some of the organization’s assets (i.e., its people, business processes, equipment/technology, and locations) do not handle any government information and therefore are not, or may not be, subject to assessment under CMMC. The set of assets that are subject to the CMMC assessment are referred to as being “in scope” for the assessment. Assets that are not assessed are considered “out of scope” of the assessment.
What assets are “in scope” for a CMMC Level 2 assessment?
At Cybersecurity Maturity Model Certification (CMMC) Level 2, DoD breaks the organization’s assets into five different categories:
Asset Category | Asset Description | OSA Requirements | CMMC Assessment Requirements |
Controlled Unclassified Information (CUI) Assets | Assets that process, store, or transmit CUI | o Document in the asset inventory o Document asset treatment in the System Security Plan (SSP) o Document in the network diagram of the CMMC Assessment Scope o Prepare to be assessed against CMMC Level 2 security requirements | Assess against all Level 2 security requirements |
Security Protection Assets | Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope | o Document in the asset inventory o Document asset treatment in the SSP o Document in the network diagram of the CMMC Assessment Scope o Prepare to be assessed against CMMC Level 2 security requirements | Assess against the Level 2 security requirements that are relevant to the capabilities provided |
Contractor Risk Managed Assets | o Assets that can, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place o Assets are not required to be physically or logically separated from CUI assets | o Document in the asset inventory o Document asset treatment in the SSP o Document in the network diagram of the CMMC Assessment Scope o Prepare to be assessed against CMMC Level 2 security requirements | Review the SSP: i. If sufficiently documented, do not assess against other CMMC security requirements, except as noted below ii. If the OSA’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies iii. The limited check(s) shall not materially increase the assessment duration nor the assessment cost iv. The limited check(s) will be assessed against CMMC security requirements |
Specialized Assets | Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment | o Document in the asset inventory o Document asset treatment in the SSP, showing that these assets are managed using the contractor’s risk-based security policies, procedures, and practices o Document in the network diagram of the CMMC Assessment Scope | o Review the SSP o Do not assess against other CMMC security requirements |
Out-of-Scope Assets | o Assets that cannot process, store, or transmit CUI and do not provide security protections for CUI Assets o Assets that are physically or logically separated from CUI Assets o Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset o An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset | Prepare to justify the inability of an Out-of-Scope Asset to store, process, or transmit CUI | None |
The CMMC Level 2 Scoping Guide has additional information about scoping a CMMC Level 2 assessment.
When can a company self-assess under CMMC?
It depends on the CMMC Level that you are required to meet and the current CMMC implementation phase.
CMMC Level | CMMC Implementation Phase | Is Self-Assessment Allowed? |
CMMC Level 1 | All | Yes. Always. |
CMMC Level 2 | Phase 1 (~Jul. 2025-Jun. 2026) | Yes. However, proposals of organizations with CMMC certifications may be given higher weight during proposal reviews. Also, DoD reserves the right to require CMMC certifications for certain procurements. |
CMMC Level 2 | Phase 2 (~Jul. 2026 – Jun. 2027) | In most cases, no. For new contracts, DoD expects that only ~5% of new procurements that involve the handling of CUI will allow contractors to self-assess. The remaining procurements (>95%) that involve the handling of CUI will include CMMC Level 2 (C3PAO) Certification requirements for all contractors who will handle CUI. |
CMMC Level 2 | Phases 3 and 4 (after ~Jul. 2027) | In most cases, no. In addition to including CMMC Level 2 (C3PAO) certification requirements in all new contracts that involve the handling of CUI, DoD will also include CMMC Level 2 (C3PAO) certification requirements when exercising contract options or modifying contracts. As with Phase 2, DoD estimates that only a small percentage of procurements may allow self-assessment. |
CMMC Level 3 | All Phases | No. Self-assessments are not permitted. |
Is it wise for my organization to rely on a self-assessment?
That is a difficult question to answer. Although self-assessments are acceptable at CMMC Level 1, at CMMC Level 2 during Phase 1, and in limited circumstances for CMMC Level 2 during Phases 2-4, there are advantages to having a third party conduct the assessment. For example, many prime contractors and other clients will feel more confident in the assessment results if they are conducted by a third party. In addition, using a third party to conduct the assessment can reduce the likelihood of False Claims Act or other claims being levied against your organization. Ultimately, this is a risk-based decision that your organization must make.
Cybersecurity Maturity Model Certification Level 3 Information
What is “scope?”
CMMC involves the assessment of an organization’s information security program against a set of requirements. In some cases, some of the organization’s assets (i.e., its people, business processes, equipment/technology, and locations) do not handle any government information and therefore are not, or may not be, subject to assessment under CMMC. The set of assets that are subject to the CMMC assessment are referred to as being “in scope” for the assessment. Assets that are not assessed are considered “out of scope” of the assessment.
When can a company self-assess under CMMC?
It depends on the Cybersecurity Maturity Model Certification (CMMC) Level that you are required to meet and the current CMMC implementation phase.
CMMC Level | CMMC Implementation Phase | Is Self-Assessment Allowed? |
CMMC Level 1 | All | Yes. Always. |
CMMC Level 2 | Phase 1 (~Jul. 2025-Jun. 2026) | Yes. However, proposals of organizations with CMMC certifications may be given higher weight during proposal reviews. Also, DoD reserves the right to require CMMC certifications for certain procurements. |
CMMC Level 2 | Phase 2 (~Jul. 2026 – Jun. 2027) | In most cases, no. For new contracts, DoD expects that only ~5% of new procurements that involve the handling of CUI will allow contractors to self-assess. The remaining procurements (>95%) that involve the handling of CUI will include CMMC Level 2 (C3PAO) Certification requirements for all contractors who will handle CUI. |
CMMC Level 2 | Phases 3 and 4 (after ~Jul. 2027) | In most cases, no. In addition to including CMMC Level 2 (C3PAO) certification requirements in all new contracts that involve the handling of CUI, DoD will also include CMMC Level 2 (C3PAO) certification requirements when exercising contract options or modifying contracts. As with Phase 2, DoD estimates that only a small percentage of procurements may allow self-assessment. |
CMMC Level 3 | All Phases | No. Self-assessments are not permitted. |