Cybersecurity Maturity Model Certification (CMMC) Overview 2024

The United States Department of Defense (DoD) has created the new Cybersecurity Maturity Model Certification (CMMC) standard that will be required for corporations and entities that want to bid as a contractor, or act as a subcontractor, for DoD projects. This whitepaper is designed to give electrical and mechanical contractor corporate leaders and their IT Directors an overview of the CMMC 2.0 standard. This paper will also answer some of the most frequently asked questions about the CMMC 2.0 and cut through much of the confusion and technical jargon that has surrounded the CMMC since its launch in January 2020 as CMMC 1.0.

Welcome to CMMC 2.0 Intro & FAQ from ELECTRI International on Vimeo.

CMMC 2.0 Levels 1 and 2 are built on the cybersecurity framework known as NIST SP 800-171. This framework has been an evolving cybersecurity standard since the 1990s. It is considered the "gold standard" by many in the cybersecurity community because it is thorough in identifying which areas of an organization need to be properly secured.

Below is the NIST Special Publication 800-171 Revision 2 Cybersecurity Framework for reference. Each of the 14 Control Families has a variety of associated practices that equate to 110 Security Controls supporting 320 Objectives for security. To achieve Level 2 certification, all of this must be implemented, documented, reviewed and managed, with supporting evidence:

Click here to access the 14 CMMC Control Family videos (each family covered up to Level 2) from ELECTRI International. The videos cover the 14 Control Families:
– Access Control
– Awareness and Training
– Audit and Accountability
– Configuration Management
– Identification and Authentication
– Incident Response
– Maintenance
– Media Protection
– Personnel Security
– Physical Protection
– Risk Assessment
– Security Assessment
– System and Communications Protection
– System and Information Integrity

Click here to access the practical video guides. These guides cover the following topics:
– Implementing Backups
– Key IT and Security Management
– Network and User Policies
– Next Generation Firewalls
– Spam Filter


The documents below are official resources published by either the U.S. Department of Defense (DoD) or the National Institute of Standards and Technology (NIST). They are foundational for any organization embarking on its CMMC journey. Additional documents exist, but these serve as key reference points that IT professionals can readily grasp, even without extensive CMMC or cybersecurity training.

CMMC Assessment Guide for Level 1 v2.13: The official guide to follow when working towards CMMC 2.0 Level 1 adherence and attestation.

CMMC Assessment Guide for Level 2 v2.13: The official guide to follow when working towards CMMC 2.0 Level 2 certification.

CMMC Assessment Guide for Level 3 v2.13: The official guide to follow when working towards CMMC 2.0 Level 3 certification.

CMMC Scoping Guide for Level 1 v2.13: How to determine which of an organization's assets are in scope, out of scope, or classified as specialized assets (such as Operational Technology) for CMMC 2.0 Level 1.

CMMC Scoping Guide for Level 2 v2.13: How to determine which of an organization's assets are in scope, out of scope, or classified as specialized assets (such as Operational Technology) for CMMC 2.0 Level 2.

CMMC Scoping Guide for Level 3 v2.13: How to determine which of an organization's assets are in scope, out of scope, or classified as specialized assets (such as Operational Technology) for CMMC 2.0 Level 3.

CMMC v1 to v2 Mapping: The official controls mapping for converting a CMMC version 1 project to the newer CMMC version 2 standard.

Controlled Unclassified Information System Security Plan: Template for creating a CMMC-compliant System Security Plan.

NIST SP 800-171 Rev 3: The official framework for "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."

NIST SP 800-34 Rev 1 Contingency Planning Guidance: Guidance on creating a CMMC-compliant contingency plan for the organization.

NIST SP 800-37 Rev 2 Risk Management Framework Guidance: Guidance on CMMC-compliant risk management.

Final Rules for CMMC – Oct 2024: The core document containing all of the officially submitted rules and regulations for CMMC compliance. It is expected to go into law in Q1 2025.

As this is an evolving standard and subject to change, this whitepaper will be updated as needed throughout 2024. Please check back periodically for updates to this document.

REPORT DETAILS

Author(s): Nick Espinosa

Institution(s): Security Fanatics

Publication Date: December 2024

Format & Size: pdf

Index Number: F3441a
