
Cybersecurity Maturity Model Certification Frequently Asked Questions

Building Confidence with Every Assessment

CMMC assessments of your organization’s cybersecurity practices are conducted by an accredited C3PAO. These independent, third-party assessments are designed to evaluate your compliance with the CMMC framework and ensure that your cybersecurity measures meet the required standards. CMMC 2.0 includes three levels:

  • CMMC Level 1 (Foundational): Focuses on basic cybersecurity hygiene and applies to all organizations in the DIB.
  • CMMC Level 2 (Advanced): Builds on Level 1 by adding more rigorous cybersecurity measures to protect CUI. Most organizations at this level will require a CMMC Level 2 certification from a C3PAO every three years. However, if the CUI is not deemed critical to national security, some contracts (approximately 5%) may only require a Level 1 self-assessment with attestation.
  • CMMC Level 3 (Expert): Expands upon Level 2 by introducing additional cybersecurity controls. Level 3 represents the highest degree of cybersecurity maturity, protecting CUI from sophisticated threats.

CMMC Frequently Asked Questions

  1. What is CMMC Level 2, and how does it differ from Level 1?
    CMMC Level 2 is intended for organizations that process, store, or transmit Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements from NIST SP 800-171. In contrast, Level 1 only includes 17 basic safeguarding requirements for Federal Contract Information (FCI).
  2. Do I need a third-party assessment to achieve CMMC Level 2?
    Yes, most organizations seeking Level 2 certification must undergo a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). However, some contracts may only require a CMMC Level 2 self-assessment with affirmation. The Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self).
  3. How long does the CMMC Level 2 certification process take?
    The duration can vary depending on the scope of the environment, the type of implementation, the number of physical locations, and the amount of physical controlled unclassified information (CUI). Typically, the assessment covers a three-to-six-week period. This includes the pre-assessment, assessing conformity with the security requirements, and completing and reporting the assessment results. There is usually one week dedicated to interviews during the assessment of conformity.
  4. What are the key steps to prepare for a CMMC Level 2 assessment?
    Key steps include identifying the scope and boundaries, conducting a gap analysis against NIST SP 800-171, documenting a System Security Plan (SSP), and performing a self-assessment. It is recommended that your chosen C3PAO is engaged to perform a Level 2 mock assessment several months prior to the Level 2 Certification assessment.
  5. How long is the CMMC Level 2 certification valid?
    Once granted, CMMC Level 2 certification is valid for three years, with annual affirmations required to ensure continued compliance.
  6. What kind of documentation is required for CMMC Level 2 compliance?
    You’ll need comprehensive documentation, including a System Security Plan (SSP), network diagrams, asset inventories, controlled unclassified information (CUI) data flow diagram, self-assessment with Met/Not Met and explanation for all 320 security requirements, policies, procedures, and supporting evidence of implementation of the security requirements.
  7. Who needs to be CMMC Level 2 certified?
    Any contractor or subcontractor in the Defense Industrial Base that processes, stores, or transmits Controlled Unclassified Information (CUI) will typically need to meet CMMC Level 2 requirements. The DoD contract will specify the CUI and the CMMC compliance requirements.
  8. What is the role of a C3PAO in the CMMC Level 2 process?
    A CMMC Third-Party Assessment Organization (C3PAO) is an authorized assessor that assesses your organization’s CMMC Level 2 implementation and verifies whether you meet the CMMC Level 2 requirements before issuing a final or conditional CMMC Level 2 certification.
  9. Can we use cloud services and still be CMMC Level 2 compliant?
    Yes, but the cloud service provider (CSP) must also meet FedRAMP Moderate (or equivalent) requirements if they process, store, or transmit controlled unclassified information (CUI). If they process, store, or transmit security protection data (SPD) without CUI and are in scope for the assessment, they are assessed as a security protection asset.
  10. What happens if we fail the CMMC Level 2 assessment?
    If your organization fails, you will receive a report of Met, Not Met, or N/A for all 320 security requirements. If a security requirement is Not Met, the report will include a clear explanation of why the security requirement was Not Met. You will be required to engage a C3PAO and go through the entire CMMC Level 2 Certification assessment process again. M&A recommends that you engage your selected C3PAO to perform a Mock Assessment of selected control objectives as part of preparation for the Level 2 Certification Assessment.
  11. Can a C3PAO help my organization prepare for a CMMC assessment?
    C3PAOs are forbidden from consulting on CMMC implementation and conducting the CMMC assessment for the same organization. A C3PAO can consult if they are not doing the assessment. A Registered Practitioner Organization (RPO) should be engaged to assist with CMMC implementation. We also recommend engaging your selected C3PAO to perform a Mock Assessment several months before the scheduled CMMC Level 2 Certification Assessment.