
A Comprehensive CMMC Assessment Guide

CMMC Assessment Guide


Doing business with the Department of Defense (DoD) offers a great many opportunities and can be quite lucrative for the chosen few who meet its stringent requirements, but it requires the contractor to have a minimum level of security in place. The DoD will start requiring contractors who deal with sensitive information to be Cybersecurity Maturity Model Certification (CMMC) compliant.

CMMC at its core defines specific areas of cybersecurity that a contractor’s systems must implement to ensure the data being handled is secure. Considering the specific and all-encompassing nature of the CMMC, many technology contractors choose to simplify things by following a CMMC assessment guide like this one to better understand the CMMC levels and cybersecurity criteria defined by the DoD.

Unlike most frameworks used for compliance or to adhere to specific regulations within various industries, CMMC assessments are mandatory to complete before being able to bid on contracts to work with the DoD or the Defense Industrial Base (DIB).

There are three CMMC levels, each with its own set of requirements. This CMMC guide was published to help you gain a better understanding of the current, but still evolving, CMMC layout and requirements.


Some Extra CMMC Guidance: Explaining the New CMMC 2.0

The Department of Defense (DoD) is constantly evolving and updating its cybersecurity standards. The newest update to those requirements comes in the form of CMMC 2.0, a comprehensive set of new standards focused on Controlled Unclassified Information (CUI) that all technology contractors must abide by in order to do business with the DoD.

At its core, CMMC 2.0 is an exhaustive framework that outlines a vast array of specific cybersecurity practices, including things like vulnerability management, security awareness training, and incident response protocols. This makes it essential for any contractor bidding on DoD projects to be familiar with these guidelines if they want to stand a chance at securing lucrative contracts.


A Full Breakdown of the 3 CMMC Levels

The required level of CMMC compliance a current or prospective contractor must have is determined by the amount of CUI they have contact with as well as the nature of that CUI. What was once 5 levels of compliance under the old CMMC 1.0 framework has now been streamlined into only 3 CMMC levels.



Essentially, the new 2.0 model eliminates the old Levels 2 and 4, and CMMC Maturity Level 1 (Foundational) remains the same as it was (containing the 17 practice requirements that line up with the 15 data security practices from FAR 52.204-21).

The current Maturity Level 2 (Advanced) replaces the old Maturity Level 3 and is aligned with the NIST SP 800-171 practices (and no longer incorporates the Delta 20 practices).

Finally, the new Maturity Level 3 (Expert) replaces the old Levels 4 and 5 and is modeled after a subset of NIST 800-172.

One thing that’s important to note is that compliance with these levels doesn’t necessarily have to apply to every aspect of your organization, only to those sections that deal with networks and data systems in which CUI is generated, processed, moved or stored.


Your CMMC Assessment Guide for Understanding the 3 Main Assessment Types

Depending on the type of information your organization deals with, you will be required to perform either a self-assessment, a third-party assessment, or a government-performed assessment before being eligible to receive a DoD contract. Each DoD contract will involve working with sensitive information, and therefore it will be the DoD contracts themselves that set the level of compliance required for each contractor organization. Once contracts begin requiring CMMC 2.0 certification, contractors will be best placed if they have already performed the self-assessment for at least Level 1 maturity.

The breakdown is as follows:

  • If the information and systems a contractor handles are labeled critical to national security and fall under Maturity Level 1 (and/or a subset of Level 2), you will need to perform a self-assessment.
  • Contractors dealing with information also determined to be critical to national security and falling under sections of Level 2 must conduct a third-party assessment.
  • And finally, a government-led assessment is done for contractors who are or will be handling the most sensitive and critical information belonging to defense programs.


Performing a CMMC Self Assessment

Level 1 Maturity = Annual Self-Assessment

Since most contractors or aspiring contractors will only need Level 1 Maturity, most contractors will need to perform a self-assessment. This is where CP Cyber can be most effective in providing a service. We have expertise in guiding small and medium businesses through the self-assessment process. With our guidance, we are able to answer any questions you have throughout the process and can help you avoid issues that contractors commonly come across.

The DoD’s implementation of CMMC 2.0 is a notable shift in cybersecurity standards for contractors, with Level 1 certification shifting to self-attestation and the introduction of Foundational requirements that prioritize basic cyber hygiene.

This approach broadens opportunities for companies to take ownership of their security controls and posture before engaging third parties who can help them rise above the standard baseline, which will be especially important when handling sensitive information at the higher Levels (2 and 3). Ultimately, this enables vendors of all sizes to safeguard assets from malicious actors and comply fully with federal regulations on national defense data protection.

Companies must go through a rigorous annual self-assessment process, with senior leadership affirming that their operations meet the established requirements. Moreover, to ensure this is done properly and systematically, companies need to register these assessments in the government’s Supplier Performance Risk System (SPRS) so they can be reviewed adequately.


An Overview of Third-Party Assessments

Level 2 Maturity = Triennial Third-Party Assessment

Once fully implemented, CMMC 2.0 promises to bring advanced cybersecurity standards to contractors involved in acquisitions that handle information of critical national security importance.


In order to meet these important new requirements, contractors must obtain third-party assessments through the CMMC Accreditation Body (CMMC-AB). Specifically, government-approved CMMC Third-Party Assessment Organizations (C3PAOs) will carry out the assessments. There are a very limited number of C3PAO assessment companies, which in turn restricts the number of companies that are able to obtain this level of certification. This level of certification would typically only be needed by larger contractor organizations, not small or medium-sized businesses.

If a company is attempting to reach this level of compliance, it is important to perform a pre-assessment to gather evidence and document how each requirement is being fulfilled before enlisting a C3PAO assessment company. CP Cyber can aid in this planning and preparation stage so that the C3PAO assessment can be done quickly and without surprises.

Once the assessment is complete, the C3PAO must provide the Department of Defense with an assessment report, ensuring these important security standards take effect quickly and securely. The end result is being listed in the CMMC-AB marketplace.


Government Assessments

Level 3 Maturity = Triennial Government Assessment

This level of maturity will be the most difficult to obtain, and it is not realistic to expect small or medium-sized businesses to obtain it. Likewise, the contracts that require this level of maturity would not typically be filled by small or medium-sized businesses.

Meeting Level 3 cybersecurity needs can be daunting, even for the most expert organizations. That’s why those organizations now have to be assessed directly by government officials to make sure that they meet all the latest and best requirements.

The government is currently in the process of developing these specifics, ensuring that organizations have clear guidelines to follow when protecting their cyber infrastructure.



Getting Help from CP Cyber with Your CMMC Assessment Guide

Does your organization require a third-party CMMC assessment, or help getting your cybersecurity measures up to compliance readiness?

At CP Cyber, our team of seasoned professionals has the expertise to keep your organization safe from cyber threats.

Our impressive roster includes US Armed Forces veterans, former NSA and FBI personnel, IT auditors from top-tier Big 4 firms, and Federal Government contractors, who together bring 45 years’ worth of experience in penetration testing and information security assessments.

With certifications such as Certified Ethical Hacker (CEH) and Certified Penetration Tester (CPT), we are fully capable of conducting compliance audits against international standards including NIST 800-53, ISO 27001/27002/3/4/5, Sarbanes-Oxley 404 and PCI, ensuring maximum protection against data breaches so you can rest assured that all confidential information is safeguarded.

Set up a free consultation with us today to see how we can meet your needs and exceed your expectations.
