Navigate the complex requirements of Cybersecurity Maturity Model Certification (CMMC) 2.0 with guidance that ensures your compliance with with NIST 800-171, DFARS 7012, and CMMC Requirements.
CMMC 2.0 follows NIST SP 800-171 as its core framework, encompassing 110 security controls designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Actual conformance is measured against NIST SP 800-171A, which defines 320 specific Assessment Objectives. Each objective requires documented evidence including documentation (policies, procedures, and other documentation), screenshots, and system artifacts.
Level 2 certification requires formal engagement with a C3PAO (Certified Third-Party Assessment Organization) after establishing foundational compliance components.
Protects Federal Contract Information (FCI) with basic safeguarding requirements. While self-assessment is permitted, comprehensive documentation and evidence collection is still required for validity.
Protects Controlled Unclassified Information (CUI) with advanced cybersecurity practices. Requires formal C3PAO assessment and ongoing compliance monitoring.
Each of the 320 Assessment Objectives defined in NIST SP 800-171A must be supported by tangible evidence, including documentation (policies and procedures), system screenshots, system artifacts, and physical reviews that provide supporting evidence of compliance during an assessment.
Ultimately, achieving certification, at Level 2, will require formal engagement with a C3PAO (Certified Third-Party Assessment Organization). However, that step is premature until the foundational components are in place, including a base line configuration of IT Assets, People, System Security Plan (SSP), complete assessment objective evidence, and a demonstrated track record of compliance over time.
