Resources

Helpful Resources 

Below are a few resources you may find helpful. We will update this page as new content becomes available, so check back from time to time. 

What is CMMC? 

CMMC is a cybersecurity standards verification program based on NIST SP 800-171. US Department of Defense (DoD) contractors are required to implement its 110 practices to demonstrate that they have the cybersecurity and operational infrastructure to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The certification was created in response to the theft of many billions of dollars of intellectual property from contractors working for and with the DoD as a result of insufficient cybersecurity.

If You Are a US Department of Defense (DoD) Contractor, You Will Need To Comply.

MNS Group helps DoD contractors navigate the complexities of the Cybersecurity Maturity Model Certification (CMMC). Our approach to implementing CMMC compliance is informed by our deep cybersecurity experience and our understanding of how businesses function.

This comprehensive approach is NOT pencil-whipping checkboxes; it is building a resilient infrastructure where Defense Industrial Base (DIB) businesses thrive and where CUI and FCI are protected. We collaborate with our clients to build solutions tailored to meet both business goals and compliance requirements, keeping our nation protected together.

CMMC Levels

The DoD created a tiered approach through CMMC that outlines the levels of base cybersecurity requirements.

Level 1

Foundational

Applies to all DoD contractors and subcontractors handling Federal Contract Information (FCI) and is based on the existing 17 controls in FAR 52.204-21.

Certification type:

The contractor will be required to conduct a self-assessment annually, with an affirmation from a senior company official that the organization is meeting the requirements (see False Claims Act). 

Level 2

Advanced

Applies to all DoD contractors and subcontractors handling Controlled Unclassified Information (CUI), CTI, or ITAR data and is based on the 110 controls in NIST SP 800-171.

Certification type:

For most organizations, a third-party assessment by an authorized CMMC C3PAO.

Level 3

Expert

Applies to DoD contractors that handle CUI on DoD high-priority programs. This level will include some of NIST SP 800-171 and is still being developed.

CMMC Resources

Key CMMC Terms to Know

CMMC Custom terms

CMMC Documents

CMMC Alignment to NIST Standards Breakout Session Presentation  |  February 2025
This presentation provides an overview of the Cybersecurity Maturity Model Certification (CMMC) Program, its alignment with NIST Special Publications (SP) 800-171 Revision 2 and 800-172, details on scoring methodologies including considerations for Multi-Factor Authentication (MFA) and Federal Information Processing Standards (FIPS), and discusses the transition to NIST SP 800-171 Revision 3.

FedRAMP Authorization and Equivalency  |  February 2025
This document outlines the requirements for cloud service providers (CSPs) within the Defense Industrial Base (DIB), focusing on the Federal Risk and Authorization Management Program (FedRAMP) authorization process, equivalency requirements set by the Department of Defense (DoD), and recommendations for CSPs to meet these standards.

Technical Application of CMMC Requirements: ESPs, Asset Categories, SPA/SPD, and VDI  |  February 2025
This document delves into the technical application of CMMC requirements, covering topics such as External Service Providers (ESPs), asset categories, Security Protection Assets (SPA) and Security Protection Data (SPD), and Virtual Desktop Infrastructure (VDI). It provides guidance on how these elements fit into the CMMC framework and their implications for organizations seeking compliance.

Supplier Performance Risk System (SPRS) Overview for DOD Cybersecurity & SAP IT Summit  |  February 12, 2025
This presentation offers an in-depth overview of the Supplier Performance Risk System (SPRS), detailing its role as the authoritative source for supplier and product performance information within the Department of Defense (DoD). It covers various aspects such as vendor performance metrics, cybersecurity assessments, and compliance requirements. The document also outlines the pathway for contractors to conduct and submit cybersecurity self-assessments, particularly focusing on NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 assessments.

Introduction to the CMMC Enterprise Mission Assurance Support Service (eMASS)  |  February 12, 2025
This document introduces the CMMC Enterprise Mission Assurance Support Service (eMASS), a tailored version of DoD's eMASS designed to store, track, and report on CMMC Level 2 and Level 3 assessment data. It explains the system's functionalities, including its role as a data repository for CMMC assessments, tracking Plans of Actions and Milestones (POA&Ms), and managing appeals actions. The presentation also details the assessment data flow, user roles, and the process for conducting and reporting assessments within the eMASS framework.

Pentagon Posts CMMC Presentation Slides on Alignment with NIST Standards, FedRAMP Equivalency  |  March 18, 2025
This article discusses the Defense Department's release of new presentation slides providing details on the Cybersecurity Maturity Model Certification (CMMC) program. The slides cover topics such as alignment with NIST Special Publication 800-171 Revision 2, scoring methodologies, transition plans to NIST 800-171 Revision 3, and guidance on FedRAMP authorization and equivalency for cloud service providers within the defense industrial base.

32 CFR (CMMC Program)

Downloadable PDF of Federal Register text (this version has page numbers)

Federal Register home page for CMMC and comments 

Docket Information (the rule agenda)

Public comments posted regarding rule

Regulatory Impact Analysis 32 CFR Part 170 (analysis of changes and cost)

Initial Regulatory Flexibility Analysis 32 CFR (benefits and costs, impact to small business)

DOD FedRAMP Memo