Resources

CMMC Resources 

Below are a few resources you may find helpful to learn more about CMMC. We will update this page as new content becomes available, so check back from time to time. 


What is CMMC? 

CMMC is a cybersecurity standards verification program based on NIST SP 800-171. US Department of Defense (DoD) contractors are required to implement its 110 practices to prove that they have the cybersecurity and operational infrastructure to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The certification comes as a response to the theft of many billions of dollars in intellectual property from contractors working for and with the DoD due to insufficient cybersecurity.

If You Are a US Department of Defense (DoD) Contractor, You Will Need To Comply.

MNS Group helps DoD contractors navigate the complexities of the Cybersecurity Maturity Model Certification (CMMC). Our approach to implementing CMMC compliance is informed by our deep cybersecurity experience and our understanding of how businesses function.

This comprehensive approach is NOT pencil-whipping boxes, but building a resilient infrastructure where DIB businesses thrive, and where CUI and FCI are protected. We collaborate with our clients to build solutions that are tailored to meet business goals and compliance requirements to keep our nation protected together.


CMMC Levels

Level 1 - Foundational

Applies to all DoD contractors and subcontractors handling Federal Contract Information (FCI) based on the existing 17 controls in FAR 52.204-21 
 
Certification type:

The contractor will be required to conduct a self-assessment annually, with an affirmation from a senior company official that the organization is meeting the requirements (see False Claims Act). 

Level 2 - Advanced

Applies to all DoD contractors and subcontractors handling Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), or International Traffic in Arms Regulations (ITAR) data, and is based on the 110 controls in NIST SP 800-171.

Certification type:

For most organizations, a third-party assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO).

Level 3 - Expert

Applies to DoD contractors that handle CUI on DoD high-priority programs. Its requirements will include some of NIST SP 800-171 and are still being developed.

An organization must establish standardized, optimized processes and implement additional enhanced practices to detect and respond to evolving tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs).


Get Compliant

32 CFR (CMMC Program)

Resources for CMMC Compliance

  • CMMC Alignment to NIST Standards Breakout Session Presentation  |  February 2025
    This presentation provides an overview of the Cybersecurity Maturity Model Certification (CMMC) Program, its alignment with NIST Special Publications (SP) 800-171 Revision 2 and 800-172, details on scoring methodologies including considerations for Multi-Factor Authentication (MFA) and Federal Information Processing Standards (FIPS), and discusses the transition to NIST SP 800-171 Revision 3.
  • FedRAMP Authorization and Equivalency  |  February 2025
    This document outlines the requirements for cloud service providers (CSPs) within the Defense Industrial Base (DIB), focusing on the Federal Risk and Authorization Management Program (FedRAMP) authorization process, equivalency requirements set by the Department of Defense (DoD), and recommendations for CSPs to meet these standards.
  • Technical Application of CMMC Requirements: ESPs, Asset Categories, SPA/SPD, and VDI  |  February 2025
    This document delves into the technical application of CMMC requirements, covering topics such as External Service Providers (ESPs), asset categories, Security Protection Assets (SPA) and Security Protection Data (SPD), and Virtual Desktop Infrastructure (VDI). It provides guidance on how these elements fit into the CMMC framework and their implications for organizations seeking compliance.
  • Supplier Performance Risk System (SPRS) Overview for DOD Cybersecurity & SAP IT Summit  |  February 12, 2025
    This presentation offers an in-depth overview of the Supplier Performance Risk System (SPRS), detailing its role as the authoritative source for supplier and product performance information within the Department of Defense (DoD). It covers various aspects such as vendor performance metrics, cybersecurity assessments, and compliance requirements. The document also outlines the pathway for contractors to conduct and submit cybersecurity self-assessments, particularly focusing on NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 assessments.
  • Introduction to the CMMC Enterprise Mission Assurance Support Service (eMASS)  |  February 12, 2025
    This document introduces the CMMC Enterprise Mission Assurance Support Service (eMASS), a tailored version of DoD's eMASS designed to store, track, and report on CMMC Level 2 and Level 3 assessment data. It explains the system's functionalities, including its role as a data repository for CMMC assessments, tracking Plans of Actions and Milestones (POA&Ms), and managing appeals actions. The presentation also details the assessment data flow, user roles, and the process for conducting and reporting assessments within the eMASS framework.
  • Pentagon Posts CMMC Presentation Slides on Alignment with NIST Standards, FedRAMP Equivalency  |  March 18, 2025
    This article discusses the Defense Department's release of new presentation slides providing details on the Cybersecurity Maturity Model Certification (CMMC) program. The slides cover topics such as alignment with NIST Special Publication 800-171 Revision 2, scoring methodologies, transition plans to NIST 800-171 Revision 3, and guidance on FedRAMP authorization and equivalency for cloud service providers within the defense industrial base.


Stay Compliant

Compliance Program Management

Staying CMMC compliant can be a big undertaking! That’s why MNS Group developed the CMMC Compliance Program Management service: to be a true partner in guiding you through every phase of your compliance journey in a measured, organized way. - Learn More

 


Get Assessed

Frequently Asked Questions

  • Here is a list of frequently asked questions that often come up around the topic of CMMC Assessments. - Learn More

Mock CMMC Assessment

A CMMC mock assessment is a simulated evaluation designed to help organizations prepare for the official CMMC certification process. It involves reviewing cybersecurity practices, policies, and systems to identify gaps and vulnerabilities, ensuring alignment with CMMC requirements. The mock assessment includes policy reviews, technical testing, staff interviews, and a gap analysis to provide actionable insights, helping organizations improve their cybersecurity posture before undergoing the formal certification assessment. - Learn More

CMMC Assessment Overview

Visit this page to learn more about the assessment process, key considerations before choosing a C3PAO, and what you can do to prepare for your assessment. - Learn More