NIST / CMMC
What is NIST / CMMC?
CMMC (Cybersecurity Maturity Model Certification) v2.0 was announced in November 2021. According to the OUSD (A&S) (Office of the Under Secretary of Defense for Acquisition and Sustainment) and the DoD, CMMC focuses on the security and resiliency of the DIB (Defense Industrial Base). The official CMMC rollout will occur over several years until it covers all contracts and suppliers. In the meantime, contractors must conduct a self-assessment of their NIST SP 800-171 compliance and submit the results through the Supplier Performance Risk System (“SPRS”). DoD contractors should start preparing for CMMC now in order to keep their contracts in the future.

The Structure of CMMC
CMMC measures cybersecurity at three levels, from Foundational to Expert. Businesses that only handle Federal Contract Information (FCI) will require Level 1. Businesses that handle Controlled Unclassified Information (CUI) will require Level 2. Level 3 exists to protect highly sensitive CUI and will be required of only a few contractors.
Level 1 (Foundational)
17 Practices
- For contractors who handle Federal Contract Information (FCI)
- Comply with the FAR: equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
- 17 practices from NIST SP 800-171
- Requires an annual self-assessment submitted to the Supplier Performance Risk System (SPRS) and affirmed by company leadership.
Level 2 (Advanced)
72 Practices
- For contractors who handle CUI
- Comply with the FAR
- Encompasses all 110 practices from NIST SP 800-171r1
- Lower-priority acquisitions require an annual self-assessment submitted to SPRS and affirmed by company leadership.
- Higher-priority acquisitions require a third-party assessment every three years.
Level 3 (Expert)
130 Practices
- For contractors who handle highly sensitive CUI
- Comply with the FAR
- 110+ practices: all practices from NIST SP 800-171 plus a subset from NIST SP 800-172
- Requires a government assessment every three years.
Source: CMMC Model v2.0 Approved for Public Release
Consulting Support for CMMC Compliance
Core Business Solutions is a CMMC Registered Provider Organization with several Registered Practitioners on staff. That means we’re officially recognized by the CMMC Accreditation Board as trustworthy implementation experts.
For smaller DoD contractors, CMMC might seem like a complex burden. But we’re here to handle the complicated parts so you can focus on your business.
At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide training for your employees, your management, and your IT team or MSP (if you outsource your IT needs).
We also assist you with a guided self-assessment and help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), roadmap, and budget.
Our consulting plans also include the CORE Security Suite to help you implement CMMC practices and maintain certification going forward.
Interested? Get a Free Quote.
Related Standards
We also provide consulting support for companies seeking multiple certifications through an Integrated Management System.
ISO 9001
Quality Management Systems
ISO 27001
Information Security Management Systems
ISO 20000-1
Service Management Systems
For more information about compliance, please call our consulting office at 866-354-0300 or contact us online.