The United States Department of Defense (DoD) has created the new Cybersecurity Maturity Model Certification (CMMC) standard that will be required for corporations and entities that want to bid as a contractor, or act as a subcontractor, for DoD projects. This whitepaper is designed to give electrical and mechanical contractor corporate leaders and their IT Directors an overview of the CMMC 2.0 standard. This paper will also answer some of the most frequently asked questions about the CMMC 2.0 and cut through much of the confusion and technical jargon that has surrounded the CMMC since its launch in January 2020 as CMMC 1.0.

Welcome to CMMC 2.0 Intro & FAQ from ELECTRI International on Vimeo.

CMMC 2.0 levels 1 and 2 utilize a Cybersecurity framework known as NIST 800-171. This framework has been an evolving standard in Cybersecurity since the 1990s. It is considered the “gold standard” by many in the Cybersecurity community because it is robust in its identification of what areas of an organization need to be properly secured.

Below is the NIST Special Publication for 800-171 Revision 2 Cybersecurity Framework for reference. Each of the 14 Control Families has a variety of associated practices that equate to 110 Security Controls supporting 320 Objectives for security. In order to achieve Level 2 certification, this is what must be implemented, documented, reviewed and managed,
with supporting evidence:

Click here to access the 14 CMMC Control Family Videos (each family up to level 2) from ELECTRI International on Vimeo. These videos include the 14 Control Families:
– Access Control
– Awareness and Training
– Audit and Accountability
– Configuration Management
– Identification and Authentication
– Incident Response
– Maintenance
– Media Protection
– Personnel Security
– Physical Protection
– Risk Assessment
– Security Assessment
– System and Communications Protection
– System and Information Integrity

Click here to access practical video guides. from ELECTRI International on Vimeo. These guides include topics:
– Implementing Backups
– Key IT and Security Management
– Network and User Policies
– Next Generation Firewalls
– Spam Filter

The documents below are official resources sourced from either the U.S. Department of Defense (DoD) or the National Institute for Standards and Technology (NIST). These documents are foundational to any organization embarking on their CMMC journey. While additional documents exist, these serve as key reference points that IT professionals can readily grasp, even without extensive CMMC or cybersecurity training.

CMMC 2 Level 01 Self Assessment Guide: is the official guidance for CMMC Level 1 assessments and should be used for baseline guidance.
Download Here

CMMC 2 Level 02 Self Assessment Guide: is the official guidance for CMMC Level 2 assessments and should be used for baseline guidance. Note: this Level 2 document also includes all controls for Level 1 as well so if the organization is achieving a Level 2 certification then they will not need the Level 1 document.
Download Here

CMMC v1 to v2 Mapping: is the official controls mapping to convert a CMMC version 1 one project to the newer CMMC version 2 standard.
Download Here

Controlled Unclassified System Security Plan: is the official System Security Plan for CUI handling as required by CMMC. Guidance for this document is in red throughout the body of the text.
Download Here

Dept of Defense Scoring Template for NIST 800-171: is the official scoring guide for organizations to understand what CMMC Level 1 and 2 controls they do and do not have implemented.
Download Here

NIST 800-34r1 Contingency Planning Guidance: is guidance how to properly create a contingency plan for the organization that is CMMC compliant.
Download Here

NIST.SP.800-37r2 Risk Management Framework Guidance: is guidance on CMMC compliant Risk Management.
Download Here

As this is an evolving standard and subject to change, this whitepaper will be updated, if needed, throughout 2024.  Please check back periodically for updates to this document.