Guidance for Cybersecurity Maturity Model Certification
Supporting your journey to meet and maintain CMMC 2.0 compliance
Elevate Your CMMC Compliance from Basic to Advanced
Every organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a US Department of Defense (DoD) contract or subcontract is required to meet CMMC requirements.
The CMMC combines various cybersecurity standards and best practices in an effort to ensure all contractors are successfully protecting sensitive information and are capable of adapting to new and evolving cyber threats.
CMMC 2.0 has many requirements. Make sure you are ready for certification. Reach out to us for a CMMC 2.0 Compliance Assessment.
CMMC 2.0 Is Here—We Can Help You Prepare for CMMC Readiness
Access the CMMC Guide & Checklist
Is your organization ready for CMMC 2.0 compliance? Download our CMMC Guide and Checklist to access:
- CMMC 2.0 Basics & Overview
- The 3 CMMC Levels Explained
- Getting Prepared for CMMC 2.0 Certification
- CMMC 2.0 Frequently Asked Questions
- CMMC Compliance Checklist & Sections for Notes
- Additional Help & Resources
CMMC 2.0 Compliance Checklist
The process of reaching your required level of CMMC 2.0 Compliance can be cumbersome. CampusGuard is here to guide your organization through the nuances, but here are some steps to get you started:
- Decide on Maturity Level: The type of information your organization handles (FCI only, or CUI) and the size and sensitivity of the contracts you plan to bid on determine which CMMC level you must achieve; the contract itself states the required level.
- Determine Where FCI and CUI Is Stored: Finding where your organization currently stores, processes, or transmits this data lets you draw a defensible assessment scope: the systems, people, and facilities that handle it, plus the assets that protect them.
- Build an Environment for FCI and CUI: Use physical and logical separation (for example, a dedicated enclave or network segment) to confine where FCI/CUI is stored, accessed, and shared, so that the rest of the organization stays out of scope.
- Create Documentation Around Your Scope: Document the boundary of the in-scope environment, every asset that falls inside it, and who is responsible for each control in your System Security Plan (SSP); your assessor will expect to see this.
- Develop Staff Training on Best Practices: While developing your CMMC strategy, your organization will establish new policies for the handling of FCI/CUI. Every employee who works with this information must be trained on those policies, and the training records kept.
- Conduct Assessment: A gap assessment of your environment against the SSP is the best way to find uncovered requirements and to record remediation plans in a Plan of Action and Milestones (POA&M). Note that the Final Rule limits POA&Ms: none are permitted at Level 1, and at Level 2 only a limited set of requirements may remain open, and they must be closed within 180 days of the assessment.
For a more detailed CMMC 2.0 Checklist, check out this free download, “Achieving CMMC Compliance Guide & Checklist.” This comprehensive guide provides in-depth information on CMMC 2.0, the Final Rule, the three maturity levels, answers to frequently asked questions, and an interactive checklist and useful templates to help you prepare for CMMC compliance.
Why Choose CampusGuard to Assist with CMMC Compliance Requirements?
At CampusGuard, we specialize in the intricacies and diverse environments of complex organizations needing to comply with CMMC 2.0. Our dedicated team prides itself on our expert accreditation, staying updated on the latest trends, and working alongside our clients with a personal approach.
Reach out to us to get started with a CMMC 2.0 Compliance Assessment.
Our Experts Are Ready to Assist You with CMMC 2.0 Compliance
As a CMMC Registered Provider Organization (RPO), CampusGuard is focused on assisting Organizations Seeking Certification (OSCs) to prepare for CMMC 2.0 readiness. Reach out to us today to get started.
Top CMMC Frequently Asked Questions
CMMC, or Cybersecurity Maturity Model Certification, is a framework created by the US Department of Defense (DoD) to ensure that companies and organizations that work with the DoD have appropriate cybersecurity controls and practices in place to protect sensitive information.
CMMC 2.0 eliminates Level 2 (Intermediate) and Level 4 (Proactive) from CMMC 1.0. CMMC Model 2.0 has three levels that connect to existing federal requirements that are already in place. Each level has a set of specific security requirements and processes that must be met in order to achieve certification.
CMMC certification is required for organizations that handle FCI or CUI in the course of DoD business, including contractors and subcontractors. The form of assessment depends on the level: Level 1 (and a subset of Level 2) is a self-assessment; most Level 2 certifications require an assessment by a CMMC Third-Party Assessment Organization (C3PAO); Level 3 is assessed by the DoD itself. Once a contract carries the CMMC clause, the required certification must be in place for the organization to be eligible for award.
All organizations that do business with the DoD and handle FCI or CUI need to obtain CMMC certification to be eligible to bid on and win DoD contracts that carry the requirement. This includes prime contractors, subcontractors, suppliers, and vendors.
CMMC 2.0 adds obligations beyond the technical controls themselves, including flowing the requirement down to subcontractors that handle FCI or CUI, an annual affirmation of continued compliance by a senior official, and notifying the DoD when changes to the assessed environment affect your compliance status, in addition to the existing cyber incident reporting obligations.
Planning and building the foundation for a successful CMMC certification is complex and takes time, so don’t wait: the DoD is phasing CMMC into new contracts, and an organization that is not assessed when its contract requires it will be ineligible for award. As an RPO, CampusGuard can help you prepare!
The CMMC Program Final Rule was published on October 15, 2024, and became effective on December 16, 2024.
This rule requires all contractors within the Defense Industrial Base who manage Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to adhere to rigorous cybersecurity standards.
The phased implementation of CMMC as a contractual requirement is anticipated to begin in the third quarter of 2025.
Failing to be certified to the appropriate CMMC maturity level will disqualify an organization from being awarded defense contracts or research grants that include the CMMC requirement and could put DoD grant funding at risk for your institution.
In addition, non-compliance with the CMMC framework could also result in other consequences, such as increased cybersecurity risk, loss of customer trust, and potential legal and financial liabilities.
Becoming CMMC compliant can be a complex and time-consuming process, depending on your organization's current cybersecurity practices and the level of certification required, so start planning and implementing the necessary changes as early as possible.
CMMC benefits include:
- Protecting sensitive information to empower and safeguard the warfighter.
- Upholding Defense Industrial Base (DIB) cybersecurity standards to address emerging threats.
- Promoting accountability while reducing obstacles to compliance with DoD requirements.
- Fostering a collaborative environment focused on cybersecurity and resilience.
- Building public trust through exemplary professional and ethical standards.
CMMC 2.0 eliminates Level 2 (Intermediate) and Level 4 (Proactive) from CMMC 1.0. CMMC Model 2.0 has three levels that connect to existing federal requirements that are already in place:
- Level 1: Foundational is aligned with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (15 security requirements; for companies with FCI only).
- Level 2: Advanced is aligned with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (110 security requirements), and also requires compliance with FAR 52.204-21 (for companies with CUI).
- Level 3: Expert is aligned with a selected set of 24 requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, on top of FAR 52.204-21 and all of NIST SP 800-171 (for the highest priority programs with CUI).
There are many CMMC 2.0 requirements so it’s important to have a thorough understanding of the steps needed to prepare for compliance. As an RPO trained in the CMMC methodology, CampusGuard offers consultative services to our customers for CMMC readiness and assessment preparation.
Download our free Achieving CMMC Compliance Guide & Checklist for more detailed steps and a CMMC Compliance Questionnaire, a CMMC Compliance Checklist, and areas for note taking.
While the DoD contract will specify which level of compliance an individual contract needs to meet, going forward almost all companies doing business with the DoD will be required to be CMMC certified at one of the three CMMC levels.
If you handle CUI, you will need to meet at least CMMC Level 2. Your research units will need to review and understand the contracts they bid on and the types of information that will be handled. Level 2 and Level 3 assessments validate each requirement using the three assessment methods of NIST SP 800-171A (examine, interview, and test; SP 800-172A at Level 3), so having policies, procedures, and evidence in place is necessary to show that your practices are an effective and established part of your organization’s compliance environment.
CMMC 2.0 Final Rule
Get the latest update about the CMMC 2.0 Final Rule and the steps your organization should be taking to be compliant.