Resources
Helpful Resources
Below are a few resources you may find helpful. We will update this page as new content becomes available, so check back from time to time.
What is CMMC?
CMMC is a cybersecurity standards verification program based on NIST SP 800-171. US Department of Defense (DoD) contractors are required to implement the 110 practices to prove that they have the cybersecurity and operational infrastructure to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The certification is a response to the theft, enabled by insufficient cybersecurity, of many billions of dollars in intellectual property from contractors working for and with the DoD.
If You Are a US Department of Defense (DoD) Contractor, You Will Need To Comply.
MNS Group helps DoD contractors navigate the complexities of the Cybersecurity Maturity Model Certification (CMMC). Our approach to implementing CMMC compliance is informed by our deep cybersecurity experience and our understanding of how businesses function.
This comprehensive approach is NOT pencil-whipping boxes, but building a resilient infrastructure where Defense Industrial Base (DIB) businesses thrive and where CUI and FCI are protected. We collaborate with our clients to build solutions tailored to meet business goals and compliance requirements, so that together we keep our nation protected.
CMMC Levels
The DoD created a tiered approach through CMMC that outlines the levels of base cybersecurity requirements.
Level 1
Applies to all DoD contractors and subcontractors handling Federal Contract Information (FCI), based on the existing 17 controls in FAR 52.204-21.
Certification type:
The contractor will be required to conduct a self-assessment annually, with an affirmation from a senior company official that the organization is meeting the requirements (see False Claims Act).
Level 2
Applies to all DoD contractors and subcontractors handling Controlled Unclassified Information (CUI), CTI, or ITAR data and is based on 110 controls in NIST SP 800-171.
Certification type:
For most organizations, a third-party assessment by an authorized CMMC C3PAO.
Level 3
CMMC Resources
32 CFR (CMMC Program)
Downloadable PDF of Federal Register text (this version has page numbers)
Federal Register home page for CMMC and comments
Docket Information (the rule agenda)
Public comments posted regarding rule
Regulatory Impact Analysis 32 CFR Part 170 (analysis of changes and cost)
Initial Regulatory Flexibility Analysis 32 CFR (benefits and costs, impact to small business)
CMMC Guides (Assessment guides, scoping, etc.)
CMMC Guidance documents home and comments page
Assessment Guide – CMMC Level 1
Assessment Guide – CMMC Level 2
Assessment Guide – CMMC Level 3
Hashing Guide (used during assessments only)