LICENSED TRAINING PROVIDER (LTP)
CMMC accredited learning institution
"CMMC Certified Professionals" (CCP)
"CMMC Certified Assessors" (CCA) training
LICENSED PARTNER PUBLISHER (LPP)
CMMM accredited learning material
CMMC-AB Approved Training Material (CATM) for use by Certified LTPs
COMPTIA, ISC2 & ISACA
Self-Paced and Bootcamps
CompTIA, ISC2 & ISACA Self-Paced and Bootcamps
FREQUENTLY ASKED QUESTIONS
WHAT IS CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is a standard for implementing cybersecurity measures across the Defense Industrial Base (DIB) supply chain.
WHAT IS THE PURPOSE OF CMMC?
The purpose of CMMC is to enhance the protection of Controlled Unclassified Information (CUI) within the DIB by ensuring that contractors implement appropriate cybersecurity controls and practices based on the sensitivity of the information they handle.
WHO NEEDS TO COMPLY WITH CMMC 2.0?
CMMC 2.0 is required of any defense contractor in the DOD supply chain. This includes prime contractors and subcontractors. The level of compliance is based on the type of information the company handles.
WHAT ARE THE THREE LEVELS OF CMMC 2.0?
The CMMC 2.0 model has three levels including:
Level 1 (Foundational)
Contractors must submit annual self-assessments to the DoD and comply with 17 NIST 800-171 controls
Level 2 (Advanced)
Contractors must undergo third-party assessments every three years and comply with 110 NIST 800-171 practices
Level 3 (Expert)
Contractors must comply with more than 110+ practices aligned with the requirements of NIST 800-172 and complete third-party assessments led by the government triennially
HOW DO YOU KNOW WHAT LEVEL OF CMMC COMPLIANCE IS NEEDED FOR MY COMPANY?
CMMC levels are defined at the contract level. The RFP (Request for Proposal) will declare what CMMC level is required at contract award.
The Program Managers (PM), Contracting Officers (CO) and Contracting Officers Technical Representative (COTR) are good references to understand specific contract requirements.
WHAT IS THE DIFFERENCE BETWEEN CMMC 1.0 AND 2.0
This new version of CMMC 2.0 contains a slimmed down version with three compliance levels
CMMC 2.0 Level 1 contains the same 17 practices
CMMC 2.0 Level 2 removed the “delta 20” extra practices
CMMC 2.0 Level 2 now contains 110 practices, each of which directly maps to the 110 controls found in NIST 800-171
CMMC 2.0 Level 3 combined CMMC 1.0 levels 4 and 5 into a single level
CMMC 2.0 Level 3 now contains all the controls mapped from NIST 800-172
WHAT IS THE DIFFERENCE BETWEEN NIST 800-171 AND NIST 800-172?
NIST 800-172 is a supplementary document to NIST SP 800-171. It is designed to help safeguard sensitive information on non-federal systems and applies to federal contractors that handle, process or store CUI on their networks.
WHAT IS THE DIFFERENCE BETWEEN CMMC 2.0 AND NIST 800-171?
CMMC 2.0 is an auditable implmentation of NIST 800-171. Unlike NIST 800-171, CMMC 2.0 outlines assessment requirements through third-party certifications. NIST 800-171 does not include any certification requirements.
WHAT IS CONTROLLED UNCLASSIFIED INFORMATION (CUI)?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.