Cybersecurity Maturity Model Certification (CMMC)
DFARS Clause 252.204-7012; Safeguarding Covered Defense Information and Cyber Incident Reporting was established to address cybersecurity risks threatening the Defense Industrial Base (DIB) supply chain and U.S. national security. The CMMC assessment framework enforces DFARS 252.204-7012 to avoid or significantly reduce cyber breaches as well as increase security accountability.
CMMC provides the DIB with assurance that CUI (Controlled Unclassified Information) and FCI (Federal Contract Information) shared with the DIB is secure. A CMMC Assessment is used to certify the cyber readiness of contractors doing business with the Department of Defense (DoD). Most DIB Contractors and Higher Educational Institutions will need to comply with CMMC Level 2. Although some may self-attest annually, most organizations must have a CMMC L2 Assessment conducted every three years by an Authorized C3PAO in order to meet DoD requirements.
CMMC Framework Requirements
Level 3: High-Level Protection of CUI Against APTs (Advanced Persistent Threats)
- 134 requirements
- 110 from NIST SP 800-171 r2
- 24 from NIST SP 800-172
- DIBCAC assessment every 3 years
- Annual affirmation
Level 2: Broad Protection of CUI
- 110 requirements aligned with NIST SP 800-171 r2
- C3PAO assessment every 3 years, or
- Self-assessment every 3 years (for select programs only)
- Annual affirmation
Level 1: Basic Safeguarding of FCI
- 15 requirements aligned with FAR 52.204-21
- Annual self-assessment
- Annual affirmation
CMMC Level 1 Assessment
A Basic Cyber Hygiene (15 Practices) Assessment that applies to contractors who process, store, or transmit Federal Contract Information (FCI).
Level 1 focuses on protecting FCI and consists of the security requirements that correspond to the 15 basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. An annual self-assessment is required at this level. A subset of these practices is also included in a CMMC Level 2 Assessment.
CMMC Level 2 Assessment
An Intermediate Cyber Hygiene (110 Practices) Assessment that applies to contractors who process, store, or transmit FCI, and Controlled Unclassified Information (CUI).
CMMC Level 2 focuses on protecting CUI and incorporates the 110 security requirements specified in NIST SP 800-171 Rev 2. Most DIB Contractors and higher educational institutions will need to comply with CMMC Level 2. Although they self-attest annually, most organizations, in compliance with DFARS 252.204-7021, must have a CMMC L2 Assessment conducted every three years by an Authorized C3PAO.
CMMC Level 3 Assessment
An Advanced Cyber Hygiene (134 Practices) Assessment derived from NIST 800-171 and NIST 800-172 with DoD-approved parameters where applicable, as identified in 32 CFR § 170.14. The assessment is conducted by the DIBCAC. It is expected that few DIB contractors will need this type of assessment.
Why Choose Cask Services?
- Cask passed the DIBCAC High Assessment in June 2021 and the DIBCAC High C3PAO Re-Accreditation Assessment in September 2024, both with perfect SPRS Scores of 110 and no PAO&Ms (Plan of Action & Milestones).
- Cask has a strong history of conducting cybersecurity assessments and providing CMMC-related services. The Cask CMMC Team has completed Joint Surveillance Voluntary/NIST 800-171 Assessments (JSVAs) for three (3) of the top ten (10) Defense Contractors and numerous JSVAs for organizations of various sizes, including large enterprises, mid-sized companies, and small businesses. This experience has provided us with a deep understanding of the unique needs and challenges faced by different organizations.
- Cask is one of the few organizations with a robust CMMC Consulting Team consisting of a CCA, multiple CCPs, Engineers, and SMEs.
Personal Support
Cask’s number one priority is our clients. Working closely with you and your teams, Cask comes to understand your security posture, culture, and business processes.
Our Certified CMMC Assessors and CMMC Certified Professionals work as a team conducting Assessments, Pre-Assessments, and Gap Analysis to evaluate your implementation of the cybersecurity requirements, adherence to the level of compliance with the requirements of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information, Cyber Incident Reporting, implementation of NIST SP 800-171r2 requirements, and DFARS Clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements.
Through communication, collaboration, and teamwork, we aim to ensure a successful and efficient assessment process.
Expertise
With a SPRS Score of 110 on our DIBCAC High Assessment with no POA&Ms, successful Joint Surveillance Voluntary (JSV) Assessments for Tier 1 Defense Contractors, and numerous CMMC Pre-Assessments, Gap Analyses, and CMMC Consulting efforts, Cask is an expert in helping contractors engaged with the DoD become CMMC prepared and certified.
Cask understands the CMMC 2.0 Model, assessment process, and what it takes to be compliant with the CMMC/NIST 800-171 Security Control requirements.
Experience
Cask has been providing cyber assessments to the DoD for over 20 years with over 90 assessments completed, leveraging the CNSSI 1253 and NIST SP 800- 53 controls, verifying the implementation of applicable Security Technical Implementation Guides (STIGs), on-site inspections, vulnerability scans, and Security Content Automation Protocol (SCAP) scans to ensure the security of our military systems upon deployment or in garrison.
Our staff consists of a CMMC – Certified Assessor, multiple CMMC – Certified Professionals, Engineers, and SMEs who have experience in Cyber and Risk Assessment. Cask has assessed and obtained certification for over 90 systems, including the first USMC cloud-based solution and PaaS and SaaS solutions. Cask had been performing CMMC and NIST 800-171 Gap Analysis, Pre-Assessments, and Mock Assessments since June 2021.
Build Your Competitive Advantage with Cask CMMC Services
For CMMC consulting services and more details regarding a CMMC Pre-Assessment, Gap Analysis, and CMMC Readiness, see our CMMC Readiness Program.
Contact Cask and Let Us Help You Become Assessment Ready!
CMMC FAQs
FCI (Federal Contract Information) vs. CUI (Controlled Unclassified Information)
A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract – to develop or deliver a product or service.
A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Examples of CUI include DoD technical drawings and testing results.
CMMC (Cybersecurity Maturity Model Certification) Assessments
A. The DoD will specify the required CMMC level in the solicitation and, if utilized, in any Requests for Information (RFIs).
A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
A. If a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
A. Where required, self-assessments are required on an annual basis. Third-party and government-led assessments, associated with Level 2 and Level 3 programs, are required on a triennial basis.
A. The DoD will only accept CMMC L2 assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
A. The CMMC assessment costs will depend upon the CMMC level needed, the scope of what needs to be certified, and the complexity of the organization’s network for the certification boundary.
Methodology in Planning and Performance
A. Cask will provide a CMMC Level 2/NIST 800-171A assessment of your organization’s current implementation of the 110 practices. We will review and assess the practices’ current implementations, verifying compliance using the CMMC 2.0 assessment process, which aligns with the NIST 800-171 assessment methodology.
Cybersecurity Standards (NIST SP 800-171 and NIST SP 800-172)
A. Under CMMC 2.0, the “Advanced” level (Level 2) is equivalent to the NIST SP 800-171. The “Expert” level (Level 3), is based on a subset of NIST SP 800-172 requirements.
A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cyber criminals who intend to infiltrate systems to steal national security-related data. However, it does not contain guidance on determining the high value of critical organizational programs or assets.