Call Us For A AreWeAFit Consultation (954) 507-3475

NIST 800-171 DoD Cyber Maturity Model Certification (CMMC)

CMMC DoD Contractors wanting to learn what level of CMMC depends on FCI and CUI. Download our CMMC Ebook to […]

NIST 800-171 DoD Cyber Maturity Model Certification (CMMC)

CMMC DoD Contractors wanting to learn what level of CMMC depends on FCI and CUI. Download our CMMC Ebook to help navigate the CMMC requirements and expectations. We are here to help you obtain certification when needeed.

Since 2017 the DoD has been stuck between a rock and a hard place.  With the vast number of DoD contractors, diverse IT infrastructure, and continuously evolving IT environment the DoD how do you ensure that you are truly secure? Unfortunately, the DoD has been forced to rely on contractors to self-attest, perform POA&Ms, and haven’t had anywhere near enough bandwidth to audit each contractor to make sure they are truly compliant with all 110 requirements of the framework. That changes this year with the implementation of the DoD’s new CMMC requirement.

Basic CMMC Compliance begins with 110

Starting November 30, 2020, all contractors and their subs will need to have a score representing their NIST 800-171 progress ranked from level 1 through level 5 published in a federal database before contract award. Plus, the score needs to be accompanied by the date in which all requirements are being implemented and screenshots showing compliance. This is the first step in a long road to securing our nation’s cyber infrastructure.

Right now, the DoD is using a vendor report card maintained in the Supplier Performance Risk System (SPRS) to determine compliance. This system will provide the DoD a snapshot of the contractor’s IT environment and allow them to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”.

This “assessment” refers to the score generated by performing a review of your NIST 800-171 implementation as documented in your System Security Plan. “The NIST SP 800-171 DoD Assessment Methodology provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012.”

One important note before you can begin your CMMC compliance, you absolutely need to have a System Security Plan in place before you perform this assessment. It’s a mandatory requirement in the NIST 800-171, the regulation behind the compliance. In fact, without one, you are immediately deemed non-compliant! “The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4

You don’t want to get caught lying about this. As a representative of the Government you now have the whole False Claims Act thing to deal with. Luckily, if you still need an SSP, GiaSpace can help!

The Levels of CMMC Compliance

There are multiple levels of compliance. For now, the Government is mostly requiring CMMC level 1 for all of their contractors in the Process and Practice realms. However, different or future contracts may require different levels of CMMC compliance. It’s important to remember that in order to reach a specific level of compliance, you need to meet the level for both Process and Practice.

CMMC Levels
Source: Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Version 1.0

CMMC Level 1

Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

 Processes: Managed
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices: Proactive
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs. 

CMMC Level 5

Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the entire organization.
Practices: Advanced/Proactive
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

It’s important to remember that each level is cumulative. For example, in order to reach CMMC level 3 you must show that you have successfully reached CMMC levels 1 and 2 and it must be reached on both the Practice and Process realms.

You also need to remember that this needs to flow down through all of your subcontractors! Now this doesn’t mean that if you have a CMMC level 5 certification that all of your subcontractors will need to have the same level certification, but it does mean that each of your subcontractors will be required to at least maintain a level 1 certification.

Getting Ready for CMMC

With the new CMMC framework, the DoD is working to level the cyber battlefield and keep ahead of cyberattacks that threaten the effectiveness of the U.S. military. CMMC is fast-tracked to be implemented in 2021 and fully implemented by 2025 across all contracts. We can help you prepare for CMMC compliance! GiaSpace offers comprehensive systems audits to identify gaps in your SSP and bring you one step closer to compliance. Contact us today for a consultation!

GiaSpace Clients Share Their Experiences
Trusted IT Service
Professionals Across South Florida

They are our go to team for product procurement and special projects.

“As the Fox-affiliate TV station for South Florida, we depend heavily on our IT infrastructure to deliver high quality television to our viewers. We have worked with GiaSpace in a variety of IT capacities since 2008, and they have never let us down. They are our go to team for product procurement and special projects.”

Patrick M.
WSVN, Miami

7 Fox

GiaSpace is a fabulous company to do business.

“GiaSpace is a fabulous company to do business. Patrick is extremely knowledgeable and very quick to respond to any issues/concerns/questions. Thank you for your outstanding work.”

Lucila L.
Town of Lauderdale-by-the-Sea,
Fort Lauderdale

Lauderdale by the sea

GiaSpace Team is quick to respond

“The GiaSpace team is quick to respond and has gone above and beyond to resolve our technical issues.”

Carlos U.
Alternative Home Healthcare,
Fort Lauderdale


Customer-Focused IT Support for Worry-Free IT

“Excellent service and communication – great deal of knowledge.”

Rossie C.
ECI Pharmaceuticals,
Fort Lauderdale

ECI Pharmaceuticals

The response was very quick

“The response was very quick and my issue was resolved right away.”

Katherine G.
Medtrust LLC, San Antonio


Helping Organizations In South Florida Is In Our DNA
Only The Best IT Services & IT Support

Tech Support In Fort Lauderdale - Pablo Porta Goes Extra Mile

Awesome Work By Fort Lauderdale IT Company

Pat Bowe Awesome Fort Lauderdale IT Technician

Partners & Certifications

3CX logo
Amazon Webservices
Barracuda primary strapline reversed
Meraki 2016
Dell PartnerDirect
Hp Business Pertner
Lenovo Business Partner
Apple logo
Mesh logo
Microsoft logo
Microsoft Azure
Office 365
Intuit logo
Sophos logo
Threat Locker
Veeam green logo
Webroot logo
Skip to content