Getting Started with CMMC 2.0

The Department of Defense has released an update to its Cybersecurity Maturity Model Certification (CMMC) framework and program. The goals of CMMC have not changed from the original: a more secure supply chain for the Department of Defense, where information of all types and security levels is available to those who need it and protected from those who don't.


If you are even a small cog in the US DoD supply chain, then you probably already know that the security of national information is a high priority for the DoD. But you may not know where to start in the process of assuring yourself and the DoD that you are doing what you need to do to secure that data.


When CMMC was first released it was a 5-level framework with increasingly mature requirements. The new 2.0 version is a 3-level framework. These 3 levels represent Foundational, Advanced, and Expert cybersecurity processes and procedures. The level of maturity that your organization requires is based on the sensitivity of the information that DoD shares with you.


If your contract with DoD does not include sensitive national security information, then you are likely at the foundational level (level 1). At this level, an annual self-assessment of your processes and procedures against the level 1 requirements is the place to start. Using a dedicated tool to track assessment compliance, collect documentation, and produce attestation reports is the first step toward your annual submission to the Supplier Performance Risk System (SPRS).


The foundational level is the bare minimum that your organization should be doing. Cybersecurity should not be a once-a-year activity of dusting off a 3-ring binder and saying you're compliant. Even at level 1, we recommend that you ensure all your workers are trained each year, and that everyone who manages data is aware of the real business risks of delaying the implementation of security policies and procedures.


While many DoD contracts require only level 1 assessment and attestation, if your contract with DoD requires you to handle information that is critical to US national security, then you are likely to be required to obtain CMMC advanced cybersecurity certification status. Levels 2 and 3 of assessment and certification require a third-party or federal assessment and certification of your cybersecurity policies and procedures. Using ReadyCert to prepare for a third-party assessment will reduce the time and effort necessary.


The best tool to get started with CMMC 2.0 is ReadyCert. ReadyCert is used by auditors to record their cybersecurity assessment data, so why not use the same tool?



Barbara Cardone

Director of Compliance and Customer Service
