NIST / CMMC

Cybersecurity Maturity Model Certification



What is NIST / CMMC?

CMMC Compliance for Small Business

The launch of the Cybersecurity Maturity Model Certification (CMMC) program serves as an important and necessary step in the advancement of our country’s ability to protect its people, military, industry, and more. Threats to our country’s information grow by the day, and adversaries are becoming more capable.

For businesses working with the Department of Defense (DoD), the threat grows. To win government contracts, companies must implement various information security solutions and establish policies that promote action within their organizations.

The CMMC program was created after a major security breach involving contractors and subcontractors, which eventually affected the government agencies connected to them. This program is designed to strengthen the security of information shared between the Department of Defense and its contractors and subcontractors, giving the Department greater confidence that CUI is being properly protected. Read below to learn more about CMMC 2.0, NIST, and DFARS.

Get a Free Quote

CMMC 2.0 is Now Live

The long-awaited CMMC 2.0 is officially here, and key milestones are approaching. Here’s what you need to know to protect your business:

December 16, 2024: 32 CFR is live. CMMC Certification is now available from accredited C3PAOs. This allows you to be prepared for upcoming contractual requirements in defense contracts.
Early 2025: 48 CFR is finalized. CMMC requirements will appear in DoD contract solicitations, making compliance non-negotiable.
2025-2028: CMMC will phase into all new and renewed contracts.

These changes mean self-attestation is no longer enough. Businesses must undergo third-party assessments, a process that will scrutinize how your business is handling and protecting CUI.

If you have government contracts and/or handle FCI or CUI, we have programs to prepare them for their Certification.

Customer Reviews

Core supported us from the beginning. Our consultant Kaitlin, in particular, always gave us the attention we needed, kept us accountable for getting the project completed, and drove the process from start to finish. K. Lane - Lockers Manufacturing

Birdeye

Working with Bruce made gaining our ISO Certification very seamless. His knowledge and professionalism was greatly appreciated. I look forward to working with Bruce as we move into the next phase of our ISO journey. Charles W. - Stracpak

Birdeye

My experience with Ty Elliott at Core Business Solutions has been great. We feel very prepared for our audit. This was accomplished with Mr. Elliott leading us on the path with patience and knowledge. We felt confident through the entire process that we would be successful and would definitely recommend Core Business Solutions to anyone desiring to acquire their ISO certification. Joe B. - AMR Plastics Inc.

Birdeye

Great Experience. Extremely knowledgeable. Core made a difficult and demanding process simple. Christian W. - Accele

Birdeye

The Structure of CMMC

CMMC measures cybersecurity at 3 levels, from Foundational to Expert. Businesses handling only Federal Contract Information (FCI) will need Level 1. Businesses handling Controlled Unclassified Information (CUI) will need Level 2 certification. Level 3 is for highly sensitive CUI and will only be required for a small number of contractors.

Level 1 (Foundational)

17 Practices

For contractors who handle CUI
Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
Requires annual self-assessment submitted to Supplier Performance Risk System (SPRS) and affirmed by company leadership.

Level 2 (Advanced)

72 Practices

For contractors who handle CUI
Comply with the FAR

110 practices from NIST SP 800-171

Lower-priority acquisitions will require annual self-assessment submitted to SPRS and affirmed by company leadership.
Higher-priority acquisitions will require a third-party assessment every three years.

Level 3 (Expert)

130 Practices

For contractors who handle highly sensistive CUI
Comply with the FAR

110+ practices from NIST SP 800-171/172

Requires government assessment every three years.

Level 1

Foundational

Comply with the FAR

17 practices from NIST SP 800-171

Annual self-assessment affirmed by company leadership.

Level 2

Advanced

Comply with the FAR

Encompasses all practices from NIST SP 800-171r1

Annual self-assessment or triennial third-party assessement.

Level 3

Expert

Comply with the FAR

Encompasses all practices from NIST SP 800-171 and a subset from NIST SP 800-172

Requires assessment by government every three years

Source: CMMC Model v2.0 Approved for Public Release

CMMC 2.0

In November of 2021, the Department of Defense announced plans for an improved CMMC 2.0 program. The goal of 2.0 is to maintain the initial program while reducing compliance challenges as much as possible.

The CMMC 2.0 program has three key features:

Tiered Model:

The CMMC program outlines the process for protecting Controlled Unclassified Information (CUI) shared with the Defense Industrial Base (DIB). It requires companies handling national security information to meet cybersecurity standards at the appropriate level, based on the type and sensitivity of the information.

Assessment Requirement:

CMMC assessments allow the DoD to verify that the defined cybersecurity requirements have been met.

Implementation through Contracts:

Once CMMC is fully implemented and a contract has a CMMC requirement specified, contractors will be required to meet the appropriate CMMC level as a condition of contract award.

DFARS

What does DFARS Stand for?

DFARS stands for the Defense Acquisition Federal Regulation Supplement and was published in December 2015 by the U.S. Department of Defense (DoD). DFARS is supplementary to the FAR or Federal Acquisition Regulations. DFARS is a set of specific regulations for cybersecurity meant for DoD external contractors and suppliers.

Because of the ever-increasing cybersecurity threats, cybersecurity has become a significant priority for the US government. The primary goal of DFARS is to protect “Controlled Unclassified Information” (CUI) and require private government contractors and other non-government entities to update security systems and processes.

NIST

What Is NIST 800-171?

NIST stands for the National Institute of Standards and Technology and NIST 800-171 establishes a set of standards and is a collection of regulations to protect Controlled Unclassified Information in Non-Federal Information Systems and Organizations. These sets of standards are applied to safeguarding and distributing information like personal information or intellectual property that is regarded as sensitive but not classified.

Compliance with the most recent revision of NIST 800-171 requires anyone working with CUI as part of the DoD, General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) to implement security procedures when handling controlled unclassified Information.

NIST Compliance is demonstrated with the use of a self-assessment against the 110 requirements outlined in NIST 800-171. Every one of the NIST controls has a weighted value associated with it.

It’s either one point, three points, or five points. So you could have at best, a positive score of 110 or at worst, a negative 203 as a score. You must submit scores before contracts or renewals are awarded. Scores are registered in the DoD’s Supplier Performance Risk System (SPRS)

What is the Supplier Performance Risk System?

The SPRS is a web-enabled enterprise application designed to support the DoD in making informed contracting decisions. It gathers performance data from multiple sources to evaluate the risk of a supplier’s ability to meet contract requirements.

The system offers a complete view of a supplier’s past performance, giving procurement and acquisition officials valuable insights.

Although it may seem complicated, using available resources and a NIST Consultant can make it possible to get and stay compliant with DFARS which can be financially rewarding for an organization. Contact us today for more information.

What is CMMC Compliance?

How to make CMMC Affordable?

CORE Vault is a managed CUI Enclave solution designed specifically for small and midsize defense contractors pursuing CMMC and NIST SP 800-171 compliance. Delivered as a managed service (MSP): CORE Vault gives you a secure, pre-configured environment in your own AWS GovCloud account—meaning you retain full control of your data and documentation, even if you end your subscription.

The CORE Vault benefits are shown below. For more information, visit our CORE Vault page.

CORE Vault CUI enclave solution for CMMC

* CORE Vault is a compliant CUI Enclave deployed in your AWS GovCloud Account that is setup for you.

Consulting Support for CMMC Compliance

At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide NIST/CMMC training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).

We also assist you in your guided self-assessment. We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), Roadmap, and budget. Core Business Solutions is a NIST/CMMC registered practitioner organization (RPO).

Our consulting plans include the CORE Security Suite to help you implement CMMC practices and maintain certification over time.

Interested? Get a Free Quote.

Related Standards

We also provide consulting support for companies seeking multiple certifications through an Integrated Management System.

ISO 9001

Quality Management Systems

ISO 27001

Information Security Management Systems

ISO 20000-1

Service Management Systems

ISO 9001

ISO 27001

ISO
20000-1

For more information about compliance, please call our consulting office at 866-354-0300 or contact us online .