Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity posture of contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Why Do You Need to Do CMMC?

  1. Required for DoD Contracts – Any organization that wants to bid on DoD contracts must meet the documented CMMC requirements.
  2. Protect Sensitive Information – Ensure that you follow best cybersecurity practices to safeguard FCI and CUI data from cyber threats.
  3. Competitive Advantage – Companies with the appropriate CMMC certification can access more contracts and demonstrate cybersecurity maturity to partners and customers.
  4. Regulatory Compliance – CMMC aligns with existing regulations like NIST 800-171, helping you meet or exceed broader cybersecurity obligations.
  5. Risk Reduction – Reduces your risk of cyber incidents that could lead to financial loss, reputational damage, or national security threats.

Which CMMC level is right for you?

Federal Contract Information (FCI) is information provided by or generated for the U.S. government under a contract that is not intended for public release. It includes data related to contract performance but does not include publicly available information.

Why Is FCI Important?

  1. CMMC Compliance – If your company is limited to FCI, you must comply with CMMC Level 1 security requirements.
  2. Basic Cybersecurity Protections – Organizations must implement 17 basic cybersecurity practices, as defined by FAR 52.204-21, to safeguard FCI from unauthorized access.
  3. Entry Requirement for DoD Contractors – If your company currently contracts with the DoD, you must secure Level 1 certification in 2025 to maintain existing contracts or bid on new DoD opportunities.

Controlled Unclassified Information (CUI) is government-created or owned information that requires safeguarding or dissemination controls under federal regulations but is not classified.

Why Is CUI Important?

  1. Regulatory Requirement – Organizations handling CUI must comply with security standards like NIST 800-171 and require CMMC Level 2.
  2. National Security & IP Protection – CUI includes sensitive data and financial records that could pose national security risks if exposed.
  3. DoD Contracting Requirement – If your company contracts with the US DoD or is planning to do so, protecting CUI is mandatory to qualify for contracts.

Examples of CUI

  • Technical drawings and schematics
  • Export-controlled research (ITAR, EAR)
  • Law enforcement reports
  • Critical infrastructure details

What are the requirements of each level?

CMMC 2.0 Levels & Requirements

🔹 Level 1: Foundational

  • Who Needs It? DoD contractors that handle Federal Contract Information (FCI) but do not have visibility into Controlled Unclassified Information (CUI).
  • Requirements:
      • 17 security practices from FAR 52.204-21
      • Includes basic cybersecurity hygiene (e.g., using strong passwords, anti-malware, and limiting access to contractor systems)
      • Self-assessment and submission required annually

🔹 Level 2: Advanced (Aligned with NIST 800-171)

  • Who Needs It? Contractors with access to Controlled Unclassified Information (CUI)
  • Requirements:
      • 110 security practices from NIST SP 800-171
      • Includes access controls, encryption, multi-factor authentication (MFA), and incident response
      • Third-party certification required every 3 years for prioritized contracts
      • Self-assessment required annually for non-prioritized contracts

🔹 Level 3: Expert (Aligned with NIST 800-172)

  • Who Needs It? Contractors with access to CUI critical to national security
  • Requirements:
      • 110+ security practices from NIST SP 800-171 + additional NIST SP 800-172 controls
      • Focuses on advanced threat detection, zero trust, and resilience against nation-state threats
      • DoD-led government assessment every 3 years

Why Is CMMC Certification Important?

  • Mandatory for DoD Contracts – Determines if a company is capable of bidding and fulfilling contracts.
  • Protects National Security – Enhances cybersecurity resilience in the DoD supply chain.
  • Competitive Advantage – Timely certification strengthens reputation within the prime contractor and government agency ecosystem. [RP1]

What does AuditIQ offer?

A SaaS-based CMMC compliance platform designed to help DoD contractors achieve CMMC Level 1 compliance and prepare for Level 2 certification.

🔹 Description

“AuditIQ provides an all-in-one SaaS platform that streamlines CMMC Level 1 compliance and provides readiness assessments for Level 2. Designed for DoD contractors, it automates security controls, generates compliance reports, and guides users through self-assessments—enabling fast, efficient Level One certification and Level Two visibility, all while substantially reducing compliance costs and risks.”

🔹 Key Features

  • Automated CMMC Level 1 Compliance – Implements and tracks all 17 FAR 52.204-21 controls
  • Pretest & Readiness for Level 2 – Simulated assessments based on NIST SP 800-171 to identify gaps
  • Policy & Procedure Templates – Pre-built documentation for easy compliance
  • User-Friendly Compliance Dashboard – Real-time insights on security posture and audit readiness
  • Guided Self-Assessment – Step-by-step checklist for Level 1 certification and submission
  • Security Best Practices & Training – Enables compliance awareness for employees
  • Third-Party Audit Preparation – Helps businesses understand what to expect for Level 2 certification
  • Artifact Storage – Stores artifacts for future certification requirements [RP2]

🔹 Who It’s For

  • Small and mid-sized defense contractors requiring a cost-effective mechanism for CMMC Level 1 certification
  • Companies preparing for CMMC Level 2 audits wishing to identify compliance gaps before formal assessment
  • IT & security teams managing multiple compliance frameworks and seeking automation

Common CMMC Terminology explained

What Is an SPRS Score?

The SPRS Score (Supplier Performance Risk System Score) is a numerical score ranging from -203 to 110 that measures a defense contractor’s compliance with NIST SP 800-171, which is required for CMMC Level 2 and handling Controlled Unclassified Information (CUI).

Why Is the SPRS Score Important?

  • Mandatory for DoD Contracts – Contractors handling CUI must submit an SPRS score before bidding on DoD contracts.
  • Measures Cybersecurity Compliance – Based on 110 security controls from NIST SP 800-171.
  • Risk-Based Assessment – The higher the score, the stronger your security posture.
  • Self-Assessment Required – Contractors must calculate their score and submit it to the DoD’s SPRS system.

How Is the SPRS Score Calculated?

  • Start at 110 points
  • Subtract points for each missing control:
      • -5 points for critical security gaps (e.g., no MFA, no encryption)
      • -3 or -1 points for less critical gaps
  • No partial credit – A control must be fully implemented to count.

How to Improve an SPRS Score?

  1. Implement missing NIST 800-171 controls
  2. Document System Security Plan (SSP) & Plan of Action and Milestones (POA&M)
  3. Regularly assess and update cybersecurity measures

What Is a POA&M?

A POA&M (Plan of Action and Milestones) is a document that outlines the steps an organization will take to correct cybersecurity deficiencies and achieve full compliance with security requirements, such as NIST SP 800-171 for CMMC Level 2.

Why Is a POA&M Important?

  • Required for DoD Contracts – DoD contractors must submit an SPRS score and document any security gaps in a POA&M.
  • Tracks Remediation Efforts – Clearly defines missing security controls and how they will be addressed.
  • Improves Compliance – Helps organizations prioritize security fixes and demonstrate progress.
  • Mitigates Risk – Ensures that cybersecurity weaknesses are systematically corrected over time.

What’s Included in a POA&M?

  1. Deficiency Description – The missing or incomplete security control.
  2. Planned Actions – Steps to remediate the issue.
  3. Resources Required – Personnel, budget, or tools needed.
  4. Milestones & Deadlines – Target dates for completion.
  5. Status Updates – Tracking progress toward remediation.

POA&M in CMMC & NIST Compliance

  • CMMC Level 1 – POA&M is not allowed (all controls must be implemented).
  • CMMC Level 2 – Limited POA&M use for non-critical controls; must be resolved within 180 days.
  • CMMC Level 3 – POA&Ms must be actively tracked with stronger enforcement.
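The scoring rules under "How Is the SPRS Score Calculated?" and the per-level POA&M rules above can be turned into a small self-check. The following is an added example written for this page; it is not code from the page or from AuditIQ. The control identifiers, point weights, dates and the inventory itself are constructed for illustration and are not the DoD's published NIST SP 800-171 scoring table, and "critical" is taken to mean a 5-point control as the page describes.

```python
"""Constructed example: SPRS-style scoring plus POA&M deadline tracking.

Control identifiers, weights and dates are made up for illustration (assumption);
they are not the DoD's published NIST SP 800-171 scoring table.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_SCORE = 110          # score when all 110 NIST SP 800-171 practices are fully implemented
CRITICAL_WEIGHT = 5      # page: -5 points for critical gaps such as no MFA or no encryption
LEVEL2_POAM_DAYS = 180   # page: Level 2 POA&M items must be resolved within 180 days


@dataclass(frozen=True)
class Control:
    control_id: str                      # hypothetical identifier, not a real 800-171 number
    description: str
    weight: int                          # points deducted when not fully implemented (5, 3 or 1)
    implemented: bool                    # no partial credit: only a fully implemented control counts
    poam_opened: Optional[date] = None   # date the gap was entered in the POA&M, if any


def sprs_score(controls: List[Control]) -> int:
    """Start at 110 and subtract the weight of every control that is not fully implemented.

    Controls absent from the list are treated as implemented, so a partial inventory
    still yields a score relative to 110 (a real submission covers all 110 practices).
    """
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam_deadline(opened: date) -> date:
    """Latest date by which a Level 2 POA&M item must be closed (180 days after opening)."""
    return opened + timedelta(days=LEVEL2_POAM_DAYS)


def findings(level: int, controls: List[Control], as_of: date) -> List[Tuple[str, str]]:
    """Return (control_id, reason) pairs that would block an assessment at the given level.

    Only Levels 1 and 2 are modelled; the page gives no concrete rule for Level 3.
    """
    if level not in (1, 2):
        raise ValueError("only CMMC Level 1 and Level 2 POA&M rules are modelled here")
    blocking: List[Tuple[str, str]] = []
    for c in controls:
        if c.implemented:
            continue
        if level == 1:
            # Level 1: POA&Ms are not allowed, so every gap is blocking.
            blocking.append((c.control_id, "gap not permitted at Level 1 (no POA&M allowed)"))
        elif c.weight >= CRITICAL_WEIGHT:
            # Level 2: POA&M use is limited to non-critical controls.
            blocking.append((c.control_id, "critical control is not POA&M-eligible"))
        elif c.poam_opened is None:
            blocking.append((c.control_id, "gap has no POA&M entry"))
        elif as_of > poam_deadline(c.poam_opened):
            blocking.append((c.control_id, f"POA&M overdue since {poam_deadline(c.poam_opened)}"))
    return blocking


# Constructed inventory: five of the 110 practices, with invented ids and statuses.
SAMPLE_CONTROLS = [
    Control("AC-01", "Limit system access to authorized users", 5, True),
    Control("IA-MFA", "Multi-factor authentication for network access", 5, False, date(2025, 1, 10)),
    Control("AU-LOG", "Retain audit logs for review", 3, False, date(2025, 3, 1)),
    Control("CM-BASE", "Maintain baseline configurations", 1, False),
    Control("SC-ENC", "Encrypt CUI at rest", 5, True),
]
AS_OF = date(2025, 9, 1)   # constructed assessment date


def report(level: int, controls: List[Control] = SAMPLE_CONTROLS, as_of: date = AS_OF) -> str:
    """Human-readable summary of the score and blocking findings for one level."""
    lines = [f"SPRS score: {sprs_score(controls)}", f"Level {level} findings as of {as_of}:"]
    lines += [f"  {cid}: {reason}" for cid, reason in findings(level, controls, as_of)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(1))
    print(report(2))
```

With the constructed inventory the score is 110 - 5 - 3 - 1 = 101, every gap blocks Level 1, and at Level 2 the MFA gap is flagged because a 5-point control cannot sit on a POA&M, the logging gap is flagged because its 180-day window closed on 2025-08-28, and the baseline gap is flagged because no POA&M entry exists for it.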

Would you like help preparing for CMMC certification or incorporating it into your consulting offering?


 [RP1] Everything from here and above was taken directly from the government website. I am OK if we modify some components, but by changing some of the words are we changing it too much?

For example adding certification removing 2.0?

Just want to get your thoughts.

 [RP2] Artifacts are only saved if the subscription is active – do we want to add that?