The All-in-One CMMC Compliance Checklist You Need

If you plan to conduct contracted work with the Department of Defense in the future, your company must be CMMC compliant. The CMMC initiative was launched by the DoD in 2019 to ensure that sensitive information handled by contractors is protected. There are multiple levels of CMMC compliance, so not every company needs to be certified at the highest level. However, it is important to know which level of CMMC compliance your contracts require. This CMMC compliance checklist explains the necessary steps for each level.

What is CMMC Compliance?

CMMC stands for Cybersecurity Maturity Model Certification. It is a required certification for contractors and subcontractors, large or small, that handle Federal Contract Information or Controlled Unclassified Information on projects with the Department of Defense. CMMC compliance means a company’s cybersecurity practices meet the requirements to safeguard the sensitive government information it handles. More sensitive information requires a higher level of certification.

As of 2021 (the CMMC 2.0 model), there are three levels of CMMC compliance. Level 1, the lowest level, demonstrates the contractor’s ability to protect Federal Contract Information (FCI). Level 2 is for contractors who must safeguard Controlled Unclassified Information (CUI). Level 3, the highest level, is for contractors who must safeguard CUI and defend against advanced persistent threats.

CMMC Compliance Requirements

A company’s CMMC compliance requirements will vary depending on which level of certification it is seeking. However, some steps in the process are essential regardless of the desired level. When starting out, the most important thing is to determine which level of certification you will need. The simplest way to do this is to identify the type of sensitive information your contracts involve: FCI typically requires only Level 1 certification, while CUI requires at least Level 2. Level 1 has the least demanding requirements.

After determining which certification level is needed, you can assess your company’s current cybersecurity practices against that level’s requirements. It is useful to have a third party perform a gap assessment so that shortfalls are identified before the official assessment. Even Level 1 requires that a defined set of basic safeguards actually be implemented, not just written down.

Once you have assessed and optimized your cybersecurity, you may feel ready to begin the official CMMC Compliance process. Here is a helpful CMMC compliance checklist for each CMMC level:

CMMC Level 1 Compliance Checklist

Level 1 CMMC certification requires only an annual self-assessment. To meet Level 1 requirements, your company must demonstrate that it performs the basic safeguarding controls of FAR 52.204-21. These range from access control for systems and data, to identification and authentication of users, to physical protection of facilities and equipment.

CMMC Level 2 Compliance Checklist

Level 2 CMMC compliance requires all the same controls as Level 1, plus additional controls and documentation of your cybersecurity practices. The additional Level 2 controls are those of NIST SP 800-171. At Level 2, companies must implement and document cybersecurity practices across several domains; in all, there are 110 practices that must be satisfactorily met. Unlike Level 1, most Level 2 contracts require an official third-party assessment, conducted by a Certified Third-Party Assessment Organization (C3PAO); under CMMC 2.0, a limited set of Level 2 contracts permit self-assessment instead.

CMMC Level 3 Compliance Checklist

Level 3 CMMC compliance is rare, as most companies stop at Level 2. Level 3 requires all steps of Level 1 and Level 2, plus additional ones. Companies seeking Level 3 must undergo a government-led assessment of their cybersecurity practices. In addition to the Level 2 controls, Level 3 requires a subset of the enhanced security requirements in NIST SP 800-172.

Companies that fail their CMMC assessment have 90 days to make corrections and reapply.
If your company is applying for CMMC compliance, MTBW can help. As a CMMC-compliant business ourselves, we can help determine which level of compliance is necessary. MTBW can also assist in CMMC training and testing processes.
