CMMC Self-Assessment Guide
Contracting with the US Department of Defense (DoD) can be lucrative, but it requires contractors and subcontractors to meet many requirements.
Cybersecurity is one of the most important DoD contracting requirements, as it’s now considered part of the foundation of DoD acquisition.
The Cybersecurity Maturity Model Certification (CMMC 2.0) framework is the most recent security requirement, and it applies to any contractor in the Defense Industrial Base (DIB).
The CMMC self-assessment is one of the first steps toward full compliance, which can be especially challenging for contractors new to the DIB sector.
Contractors must achieve “preferred contractor” status to receive consistent work from the DoD.
CMMC compliance is only one of the requirements for obtaining this status, as it demonstrates that a contractor is serious about protecting sensitive information, as defined in the Defense Federal Acquisition Regulation Supplement (DFARS) specifications.
Fortunately, the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S) provides CMMC 2.0 self-assessment assessment guides to assist in the CMMC process.
In particular, these guides explain the differences between a self-assessment and a full compliance assessment, including their scoring methodologies.
Contractors seeking CMMC Certification must also understand the CMMC framework, including its domains, levels, and practices.
Detailed knowledge of these topics is essential for performing the self-assessment, passing a true third-party assessment, and obtaining the CMMC accreditation needed for preferred contractor status.
The CMMC consultants at cuick trac™ can help you determine your requirements for achieving CMMC with cuick trac™, the most cost-effective, virtual enclave solution for protecting controlled unclassified information (CUI).
Call us at 612-428-3008 or fill out the online form to schedule a free consultation.
Is there a CMMC self-assessment for CMMC 2.0 compliance?
Self-assessing is always a best practice for contractors needing CMMC compliance — from the supply chain to manufacturing.
Organizations that conduct thorough, periodic self-assessments often have more success implementing a security program and thwarting cyberattacks.
A CMMC self-assessment serves to identify gaps between a contractor’s current security posture and what it needs to pass the full assessment by a Certified 3rd Party Assessment Organization (C3PAO).
It also increases the assurance that sensitive information is being adequately protected by the Defense Industrial Base (DIB).
In a shift away from CMMC 1.02, which required all DoD contractors to undergo third-party assessments for CMMC compliance, CMMC 2.0 allows annual self-assessments in two specific situations:
- CMMC Level 1 (“Foundational”): This level of compliance does not involve sensitive national security information. It is viewed as an “opportunity to engage its contractors in developing and strengthening their approach to cybersecurity,” identifying vulnerabilities, and iterating on how to satisfy Level 1 practices.
- A limited subset of programs with CMMC Level 2 requirements: To qualify, the program must not involve CUI critical to national security.
According to the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S):
A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI.
The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level.
But wait, there's more.
Contractors that qualify for annual self-assessments must score their assessment against the DoD's clearly articulated cybersecurity standards, and will be required to submit an "annual affirmation from a senior company official" stating that the company is meeting the requirements.
Lastly, the Department of Defense also intends to require companies to register their self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
CMMC 2.0 self-assessment criteria & scoring systems
When conducting a true CMMC self-assessment, it’s best practice to use an assessor/advisor experienced in working with the DIB and in safeguarding the confidentiality of Controlled Unclassified Information (CUI).
Using an independent individual or company for this role provides many benefits.
The process of assessing a contractor’s implementation of the CMMC 2.0 framework generally involves the assessor establishing objectives for each cybersecurity practice or security control, which the assessor then tests against appropriate criteria. For example, NIST-derived controls are tested using NIST assessment procedures.
These tests include interviews with individual workers, observation of procedures in real time, and a review of relevant system settings.
Each practice tested receives a finding of Met, Not Met, or Not Applicable.
- A finding of "Met" indicates the contractor met all the requirements for that practice as described by the CMMC framework. The assessor must provide appropriate evidence to support this finding.
- A finding of "Not Met" means the contractor failed to meet at least one of the requirements for the practice as described in the CMMC framework. The assessor must describe the issues resulting in this finding.
- A finding of "Not Applicable" indicates a contractor is not required to implement this practice. The assessor must provide an explanation and documentation supporting this finding.
Contractors should provide accurate findings for all applicable practices in their self-assessment, even when many of those findings are “Not Met.”
This approach ensures that contractors hold themselves accountable for the shortcomings, just as an independent assessor will. Honest assessments help the company improve its security posture so it can pass the official assessment.
The DoD recently released CMMC self-assessment guides that can be downloaded at the links below:
- CMMC Level 1 Assessment Guide (PDF)
- CMMC Level 2 Assessment Guide (PDF)
- CMMC Level 3 Assessment Guide (Not Available)
Who is responsible for full CMMC assessments?
The CMMC Accreditation Body (CMMC-AB) is responsible for authorizing third parties (C3PAOs) to audit and assess contractors and award them the appropriate CMMC certification if warranted.
The CMMC-AB has built an ecosystem of Licensed Training Providers (LTPs) and Licensed Partner Publishers (LPPs) to train and authorize the individuals who conduct CMMC certification audits, referred to as Certified CMMC Assessors (CCAs), and the Certified CMMC Professionals (CCPs) who support those audits.
CCAs will be affiliated with C3PAOs and will be the only authorized parties who can perform the actual CMMC certification audits, once Organizations Seeking Certification (OSCs) are ready to demonstrate and prove their cybersecurity posture is at the required level.
The CMMC-AB also partners with the C3PAOs to list them in the geographic areas they service and match them with contractors needing CMMC. C3PAOs are allowed to work with their clients throughout all stages of the CMMC accreditation process, not just the actual assessment itself.
These stages include both architectural planning and the implementation of practices and controls. Contractors do not have to work with a C3PAO as they prepare for CMMC; they are encouraged to work with experts they trust who also have experience providing cybersecurity support to the DIB.
The CMMC-AB must authorize and accredit C3PAOs to conduct CMMC assessments of DoD contractors. This process requires C3PAOs to meet DoD requirements as described in ISO/IEC 17020, the standard for conformity assessment.
This standard describes the requirements for organizations that perform various types of inspections, not just CMMC.
The CMMC-AB can authorize C3PAOs to conduct CMMC assessments before they have received their formal accreditation. However, C3PAOs must receive accreditation from the CMMC-AB within 27 months after registering for the C3PAO accreditation program, and they must meet all DoD requirements described in ISO/IEC 17020 to receive it.
In addition to receiving authorization or accreditation from the CMMC-AB, C3PAOs must be listed on the CMMC-AB Marketplace website before they can conduct CMMC assessments.
Furthermore, the individual assessors that the C3PAOs use to conduct CMMC assessments must also be authorized or certified by the CMMC-AB.
Organizations in the DIB must select an authorized or accredited C3PAO listed on the CMMC-AB Marketplace website.
The selected C3PAO and its client must then coordinate the planning and conduct of the CMMC assessment as described in a contract between the two parties.
Once the assessor completes the CMMC assessment, the C3PAO provides a report on the results. Assuming the assessment shows no deficiencies, the C3PAO then issues the certificate appropriate to the CMMC level requested by the contractor.
In addition, the C3PAO must submit a copy of its assessment report and the CMMC certificate to the DoD.
CMMC 2.0 maturity levels, focuses & process goals
The CMMC model provides a comprehensive approach to managing risks from different types of threats, starting with basic safeguarding at Level 1, moving up through broad protection for CUI at Level 2, and reaching expert-level protection against advanced persistent threat (APT) actors at Level 3.
Contractors seeking DoD contracts must eventually implement the CMMC practices and requirements at the level at which they seek certification, except for the practices they are exempt from.
Cybersecurity Maturity Model Certification occurs in a succession of three distinct milestones known as Maturity Levels, each of which includes all of the requirements of the level below it.
In addition, each level introduces new requirements and has a focus that may be quite different from that of the previous level.
Each level also has its own Process Maturity goal indicating the extent to which the organization has institutionalized required security practices across all of its departments and individual personnel.
Process Maturity is a comprehensive measure, so it can complicate the assignment of findings from the assessment.
The following list describes the focuses and goals of each Maturity Level:
Level 1: Foundational
CMMC 2.0 Level 1 establishes a security foundation (17 practices) for the higher levels of the model and must be completed by all certified organizations.
This level of compliance is required for companies that handle FCI that isn’t critical to national security, as described in Federal Acquisition Regulation (FAR) clause 52.204-21, "Basic Safeguarding of Covered Contractor Information."
Level 1 is intended to protect contractor information systems and limit access to authorized users, so it's required for any contractor that provides products that aren't Commercial Off-the-Shelf (COTS).
CMMC Level 1 requires annual self-assessments.
Level 2: Advanced
CMMC 2.0 Level 2 provides advanced cybersecurity requirements for organizations handling prioritized and non-prioritized acquisitions that involve CUI, rather than just FCI. It is most comparable to Level 3 of the previous version, CMMC 1.02.
Level 2 mirrors NIST SP 800-171, with 110 security practices developed by the National Institute of Standards and Technology (NIST) to protect CUI.
This CMMC level has two thresholds for conducting assessments, and the frequency at which they must be completed depends on the type of CUI the organization handles.
Companies that handle prioritized acquisitions with CUI data critical to national security will require third-party assessments by a C3PAO every three years.
Companies that handle non-prioritized acquisitions with CUI data not critical to national security will only require an annual self-assessment.
Level 3: Expert
The main focus of CMMC 2.0 Level 3 is to provide robust, optimized cybersecurity standards to reduce risk from Advanced Persistent Threats (APTs) for members of the Defense Industrial Base that handle data that is critical to national security.
Until rulemaking occurs (between July 2022 and December 2023), it’s difficult to know exactly which practices will be included in CMMC Level 3; however, the DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.
If your long-term plan is to achieve this level of security and compliance, we recommend treating NIST SP 800-172 as the complete framework for implementation.
DoD assessment methodology: Understanding domains, capabilities & practices
The CMMC 2.0 framework consists of 17 security domains, which are generally equivalent to the NIST 800-171’s Requirement Families.
These domains include 43 capabilities covering 171 practices, resulting in an interlocking matrix of domains, capabilities, and practices.
The 17 security domains in CMMC are as follows:
- Access Control (AC) – Four Capabilities and 26 Practices that limit access to sensitive information.
- Asset Management (AM) – Two Capabilities and two Practices that identify and monitor assets.
- Audit and Accountability (AU) – Four Capabilities and 14 Practices to conduct audits that ensure accountability.
- Awareness and Training (AT) – Two Capabilities and five Practices to conduct training programs that ensure staff awareness.
- Configuration Management (CM) – Two Capabilities and 11 Practices that replace vendor-supplied security settings with more robust solutions.
- Identification and Authentication (IA) – One Capability and 11 Practices for developing an identity and access management program that optimizes access control.
- Incident Response (IR) – Five Capabilities and 13 Practices for responding to all cybersecurity incidents in real time.
- Maintenance (MA) – One Capability and six Practices for performing maintenance on hardware and software.
- Media Protection (MP) – Four Capabilities and eight Practices that protect storage media and delete sensitive data from them.
- Personnel Security (PS) – Two Capabilities and two Practices related to staff.
- Physical Protection (PE) – One Capability and six Practices for the physical protection of devices and workspaces that handle sensitive data.
- Recovery (RE) – Two Capabilities and four Practices to mitigate the damage from attacks and recover data.
- Risk Management (RM) – Three Capabilities and 12 Practices to measure the efficacy of risk mitigation strategies.
- Security Assessment (CA) – Three Capabilities and eight Practices to perform regular threat assessments.
- Situational Awareness (SA) – One Capability and three Practices for awareness thresholds specific to the company.
- Systems and Communications Protection (SC) – Two Capabilities and 27 Practices that protect communication points in all networks.
- System and Information Integrity (SI) – Four Capabilities and 13 Practices that remove known flaws from security architecture.
Implementation of the 171 practices described above is a challenging process for contractors to do by themselves unless they have their own well-funded IT department.
As is the case with CMMC self-assessments, a third party like cuick trac™ can help ensure these practices are implemented correctly.
How can the CMMC self-assessment advisors at cuick trac™ help?
Cuick trac™’s team of cybersecurity experts and advisors helps contractors understand what they need today, while also helping them interpret and strategically plan for the future of CMMC 2.0.
Some contractors need a guided self-assessment to get started, while more mature organizations need help reviewing their remediation efforts, in order to plan for CMMC readiness.
Regardless of your situation, cuick trac™ can help you get on the right path to CMMC compliance.
Speak with a CMMC consultant at cuick trac™ today
It’s critical for contractors to understand that the CMMC self-assessment is only a small step in the process of obtaining the CMMC level your contract requires.
Although CMMC itself doesn’t require a self-assessment, DFARS 252.204-7019 and 252.204-7020 do, and those clauses are based on the DoD’s Assessment Methodology and NIST SP 800-171.
A basic self-assessment tool can be extremely useful for identifying the controls you need to implement before a C3PAO performs the full assessment.
Our suite of CMMC-related services includes cuick trac™, advisory and guidance, and strategic planning for managed IT and security solutions.
Cuick trac™’s advisors can also help you implement a plan of action and perform assessments that meet many other security standards in addition to CMMC.
We also offer free consultations to help you implement the CMMC controls needed to avoid fines or the loss of contract opportunities.
Contact us or call 612-428-3008 today to schedule your consultation.
Get a 30-minute demo from a cuick trac™ product expert
You've made it this far, now let us show you why cuick trac™ will be the smartest decision you'll make this year.