CMMC Executive Summary

What is CMMC?

Man working on laptop showing a map of the world and a security shield CMMC was created to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB) which includes contractors and subcontractors supporting DoD operations.

Cyber theft of intellectual property and sensitive defense information is considered a national security risk, and CMMC enforces verified cybersecurity implementation rather than self-attestation.

CMMC certification is a contract eligibility requirement, not just a compliance framework like ISO 27001:2022.

CMMC Model Overview

CMMC is a 3-tiered model based on the NIST Cybersecurity Standards.

Level	Foundation	Protects	What It Is	Who Needs It
Level 1	FAR 52.204-21	FCI	Basic cyber hygiene	Government contractors
Level 2	NIST SP 800-171	CUI	Protection of CUI	Contractors in the defense industry
Level 3	NIST SP 800-172	Critical/high-value CUI	Advanced threat protection	High-risk programs

CMMC Levels 1 and 2 validate compliance with existing regulations, while Level 3 adds protection against advanced persistent threats (APTs).

What Certification Actually Requires

Define CMMC Assessment Scope
Implement required security controls
Document implementation in a System Security Plan (SSP)
Track gaps in a Plan of Action and Milestones (POA&M)
Pass assessment, (self, C3PAO, or government)
Maintain continuous compliance
Submit results to SPRS annually

Determining Your Required Level

Only FCI -> Level 1
Any CUI -> Level 2 (what most organizations are going to require)
Critical/high value CUI -> Level 3
Level 3 certification requires full Level 2 certification first.

Scoping (for Level 2)

You must determine the CMMC Assessment Boundary before an assessment. How to determine your scope:

Do you have CUI Assets?
– Assets that process/store/transmit CUI

Do you have Security Protection Assets?
– Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope

Do you have Contractor Risk Managed Assets?
– Assets that can, but are not intended to, process/store/transmit CUI because of security policy/procedures/practices in place

Do you have Specialized Assets?
– Assets that can process/store/transmit CUI but are unable to be fully secured (IoT, IIoT, OT, GFE, etc.)

Cloud providers/MSPs/MSSPs must be included in the CMMC scope if they handle CUI.

What’s considered out of scope?

Anything that cannot process, store, or transmit CUI or provide protection for CUI assets.

Controls to Implement (for Level 2)

There are 110 controls across 17 families.

Family Code	Family Name	Number of Controls
AC	Access Control	14
AT	Awareness & Training	2
AU	Audit & Accountability	5
CA	Security Assessment & Monitoring	4
CM	Configuration Management	6
IA	Identification & Authentication	7
IR	Incident Response	3
MA	Maintenance	3
MP	Media Protection	4
PS	Personnel Security	2
PE	Physical Protection	3
PL	Planning	2
RA	Risk Assessment	4
SA	System & Services Acquisition	5
SC	System & Communications Protections	9
SI	System & Information Integrity	7
SR	Supply Chain Risk Management	7

Level 3 adds controls to counter APTs and protect critical programs.

How to get Certified

Level	Assessment Type	Frequency
Level 1	Self-assessment	Annual
Level 2	Self OR C3PAO (depending on the contract)	Every 3 years
Level 3	Government (DIBCAC)	Every 3 years

All levels require annual compliance affirmation.

What Assessors Actually Evaluate

Controls are implemented correctly
Controls operate as intended
Evidence supports implementation
Risk-based decisions are documented

Practical Certification Roadmap

Determine required CMMC level
Define assessment scope and boundary
Inventory systems handling CUI
Build Systems Security Plan (SSP)
Perform gap assessment vs NIST 800-171
Implement required controls based on gap assessment
Build and track POA&M
Conduct readiness assessment
Undergo C3PAO assessment
Maintain continuous compliance

For more information on CMMC or other Information Security Standards, contact PJC.