Guidance for Cybersecurity Maturity Model Certification

Supporting your journey to meet and maintain CMMC 2.0 compliance

Elevate Your CMMC Compliance from Basic to Advanced

Every organization that receives grants or contracts from the US Department of Defense (DoD) is required to meet CMMC requirements.

The CMMC combines various cybersecurity standards and best practices in an effort to ensure all contractors are successfully protecting sensitive information and are capable of adapting to new and evolving cyber threats. 

CMMC 2.0 has many requirements. Make sure you are ready for certification. Reach out to us for a CMMC 2.0 Compliance Assessment. 

CMMC 2.0 Is Here—We Can Help You Prepare for CMMC Readiness

CMMC 2.0 Regulation Guidance

You may be confused about the DoD contract requirements for moving to a CMMC 2.0 compliance program. We have the answers to your questions about when and how this will impact your organization, so you can stay CMMC compliant.

Customer-centric Approach

We understand the unique needs and challenges your organization faces in meeting CMMC 2.0 requirements—we are committed to delivering exceptional customer care that exceeds your expectations.

An Extension of Your CMMC Compliance Team

We view ourselves as your CMMC Compliance partner. When you work with CampusGuard, you get to know our team on a first-name basis. Our representatives are always available to support you however you need.

Access the CMMC Guide & Checklist

Is your organization ready for CMMC 2.0 compliance? Download our CMMC Guide and Checklist to access:

  • CMMC 2.0 Basics & Overview
  • The 3 CMMC Levels Explained
  • Getting Prepared for CMMC 2.0 Certification
  • CMMC 2.0 Frequently Asked Questions
  • CMMC Compliance Checklist & Sections for Notes
  • Additional Help & Resources

CMMC 2.0 Compliance Checklist

The process of reaching your required level of CMMC 2.0 Compliance can be cumbersome. CampusGuard is here to guide your organization through the nuances, but here are some steps to get you started:

  • Decide on Maturity Level

    The type of information your organization handles and the size and sensitivity of the contracts in which you plan to participate will help you to establish which level of CMMC compliance you must achieve.
  • Determine Where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) Is Stored

    Finding where your organization is currently storing, using, or transmitting this data will help you better design a cohesive environmental scope.
  • Build an Environment for FCI and CUI

    Through the use of physical and logical separation, your organization will need to confine the spaces where FCI/CUI is stored, accessed, and shared.
  • Create Documentation Around Your Scope

    Complete documentation regarding the scope of your environment, exactly what falls into that scope, and who is responsible for each control within your System Security Plan (SSP) will need to be produced to your assessor.
  • Develop Staff Training on Best Practices

    During the process of developing your CMMC strategy, your organization will establish new policies for the use of FCI/CUI. All employees involved with the use of this information will need to be trained on these policies.
  • Conduct Assessment

    Assessing your SSP is the best way to find gaps in coverage and document your future plans to address them with a Plan of Action and Milestones (POAM).

For a more detailed CMMC 2.0 Checklist, check out this free download, “Achieving CMMC Compliance Guide & Checklist.” This comprehensive guide provides in-depth information on CMMC 2.0, the Final Rule, the three maturity levels, answers to frequently asked questions, and an interactive checklist and useful templates to help you prepare for CMMC compliance.

Why Choose CampusGuard to Assist with CMMC Compliance Requirements?

At CampusGuard, we specialize in the intricacies and diverse environments of complex organizations needing to comply with CMMC 2.0. Our dedicated team prides itself on our expert accreditation, staying updated on the latest trends, and working alongside our clients with a personal approach.

Reach out to us to get started with a CMMC 2.0 Compliance Assessment.

$9.5T: Estimated cost of cybercrime in 2024 (1)

300,000: Companies within the Defense Industrial Base (2)

88%: Of contractors have experienced loss from a cyber-incident (3)

Our Experts Are Ready to Assist You with CMMC 2.0 Compliance

As a CMMC Registered Provider Organization (RPO), CampusGuard is focused on assisting Organizations Seeking Certification (OSCs) to prepare for CMMC 2.0 readiness. Reach out to us today to get started.


Top CMMC Frequently Asked Questions

CMMC, or Cybersecurity Maturity Model Certification, is a framework created by the US Department of Defense (DoD) to ensure that companies and organizations that work with the DoD have appropriate cybersecurity controls and practices in place to protect sensitive information.

CMMC 2.0 eliminates Level 2 (Intermediate) and Level 4 (Proactive) from CMMC 1.0. CMMC Model 2.0 has three levels that connect to existing federal requirements that are already in place. Each level has a set of specific security requirements and processes that must be met in order to achieve certification.

CMMC certification is required for all organizations that do business with the DoD, including contractors and subcontractors. The certification process involves a third-party assessment of the organization's cybersecurity practices and controls, and certification is required for organizations to bid on and win contracts with the DoD.

All organizations that do business with or receive grants from the United States Department of Defense (DoD) need to obtain CMMC certification if they want to be eligible to bid on and win DoD contracts. This includes prime contractors, subcontractors, suppliers, and vendors.

The new CMMC 2.0 has many requirements, including subcontractor compliance oversight and additional incident notifications.

Planning and setting the foundation for a successful CMMC certification is complex and takes time, so don’t wait, as new DoD contracts may require CMMC assessments as early as Q1 2025. As an RPO, CampusGuard can help you prepare!

The CMMC Program Final Rule was published on October 15, 2024, and became effective on December 16, 2024.

This rule requires all contractors within the Defense Industrial Base who manage Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to adhere to rigorous cybersecurity standards.

The phased implementation of CMMC as a contractual requirement is anticipated to begin in the third quarter of 2025.

Failing to be certified to the appropriate CMMC maturity level will disqualify an organization from being awarded defense contracts or research grants that include the CMMC requirement and could put DoD grant funding at risk for your institution.

In addition, non-compliance with the CMMC framework could also result in other consequences, such as increased cybersecurity risk, loss of customer trust, and potential legal and financial liabilities.

It's important to note that becoming CMMC compliant can be a complex and time-consuming process, depending on your organization's current cybersecurity practices and the level of certification required. Therefore, it's important to start planning and implementing the necessary changes as soon as possible to ensure that your organization is prepared to meet the CMMC requirements.

CMMC benefits include:

  • Protecting sensitive information to empower and safeguard the warfighter.
  • Upholding Defense Industrial Base (DIB) cybersecurity standards to address emerging threats.
  • Promoting accountability while reducing obstacles to compliance with DoD requirements.
  • Fostering a collaborative environment focused on cybersecurity and resilience.
  • Building public trust through exemplary professional and ethical standards.

CMMC 2.0 eliminates Level 2 (Intermediate) and Level 4 (Proactive) from CMMC 1.0. CMMC Model 2.0 has three levels that connect to existing federal requirements that are already in place:

    • Level 1: Foundational is aligned with FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (for companies with FCI only).
    • Level 2: Advanced is aligned with NIST SP 800-171: Protecting CUI in Nonfederal Systems, and also requires compliance with FAR 52.204-21 (for companies with CUI).
    • Level 3: Expert is aligned with NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information, and also requires compliance with FAR 52.204-21 and NIST SP 800-171 (for the highest priority programs with CUI).

There are many CMMC 2.0 requirements, so it’s important to have a thorough understanding of the steps needed to prepare for compliance. As an RPO trained in the CMMC methodology, CampusGuard offers consultative services to our customers for CMMC readiness and assessment preparation.

Download our free Achieving CMMC Compliance Guide & Checklist for more detailed steps and a CMMC Compliance Questionnaire, a CMMC Compliance Checklist, and areas for note taking. 

While the DoD contract will specify which level of compliance an individual contract needs to meet, going forward almost all companies doing business with the DoD will be required to be CMMC certified at one of the three CMMC levels.

If you handle CUI, you will need to meet at least CMMC Level 2. Your research areas will need to review and understand the contracts you bid on and the types of information that will be handled. Level 3 requires all three methods of validation—interview, testing, and observation—to validate each control, so having that documentation in place is necessary to show your procedures are an effective and established part of your organization’s compliance environment.
