processes Controlled Unclassified Information (CUI) for the DoD. You are aware
of the forthcoming DoD mandate to comply with the CMMC standard.
You understand that an
Organization Seeking Certification (OSC), which would be your organization, a
member of the DIB that processes CUI, must meet the requirements of CMMC Level
How do you get
started? What do you need to do to get ready for a CMMC Level 2 Assessment? The
focus of this document is to identify the key steps for an OSC to be prepared,
ready, and successful in achieving CMMC Level 2 Certification.
The journey to CMMC readiness for a Level 2 Assessment starts with understanding
all of the core requirements and the official documents provided by the DoD.
This document provides
assessment guidance for conducting CMMC assessments for Level 2. The CMMC
levels and the associated set of practices are cumulative. In order for a DIB
contractor to achieve CMMC Level 2 certification, it must demonstrate
achievement of all Level 1 and Level 2 practices.
A CMMC assessment is
the methodology to certify that a contractor is compliant with the CMMC Level 2
standard. Contractors requiring a CMMC Level 2 certification must have a CMMC
Level 2 assessment conducted by a CMMC Third-Party Assessor
and Certified Assessor.
CMMC Levels 1 and 2
consist of the security requirements specified in NIST SP 800-171, Protecting
CUI in Nonfederal Systems and Organizations. CMMC Level 1 addresses the
protection of Federal Contract Information (FCI) and encompasses the basic
safeguarding requirements for FCI specified in Federal Acquisition Regulation
(FAR) Clause 52.204-21. CMMC Level 2
addresses the protection of CUI, which has been defined by the National
Archives and Records Administration (NARA).