Not sure where to start with CMMC?

Let’s chart your course to CMMC success.

CMMC at a Glance

If you’re a defense contractor or subcontractor encountering CMMC for the first time, don’t worry - Hive Systems has all the resources you need to help you understand what your compliance requirements are.

Check out our Hive Live episode below that covers everything you need to know about the CMMC Program, including an overview of each of the three levels and their assessment requirements. If you prefer to read the details, check out the free resources on the right!

How do the different levels of CMMC compare?

Level 1

Level 2

Level 3

Protects

Federal Contract Information (FCI)

Controlled Unclassified Information

Security Controls

FAR 52.204-21

NIST 800-171

NIST 800-171 & NIST 800-172

Assessment Requirements

  • Annual self-assessment
  • Follow CMMC L1 assessment guide
  • Self-assessment or C3PAO assessment every 3 years
  • Determined in contract solicitation
  • Follow CMMC L2 assessment guide
  • Must be CMMC L2 certified with a C3PAO first
  • C3PAO assessment every 3 years followed by DIBCAC assessment
  • Follow NIST 800-172A assessment criteria

In Scope

Assets that process, store, transmit FCI

  • CUI Assets
  • Security Protection Assets
  • CUI Assets
  • Specialized Assets unless they’re physically/logically isolated with no Internet connection
  • Security Protection Assets

Not In Scope

  • Specialized Assets
  • Assets that cannot process, store, transmit FCI
  • Classified Assets
  • Contractor Risk Managed Assets*
  • Specialized Assets**
  • Assets that cannot store, process, transmit CUI
  • Assets that cannot process, store, transmit CUI
  • Assets that are physically or logically separated from CUI assets

POA&Ms

None permitted

  • Permitted on certain controls
  • Must be remediated within 180 days of assessment
  • POA&M closeout assessment required
  • Must score 80%+ to obtain conditional certification

SPRS Inputs

  • Senior official attestation annually
  • CMMC Level
  • Assessment Date & Scope
  • CAGE Codes
  • Compliance results
  • Senior official attestation annually and after every assessment
  • For self-assessments:
  • POA&M usage 
  • Same fields as CMMC L1
  • Senior official attestation annually and after every assessment

Use of Cloud Providers

Must meet CMMC L1

Must be FedRAMP Moderate+ or equivalent*** if it touches CUI

Use of External Service Providers

Must meet CMMC L1

Must have customer responsibility matrix, be thoroughly documented in your SSP, and services/functions they provide will be in your assessment scope

C3PAO Assessment

Not applicable

  • Evidence must be retained for at least 6 years
  • You can contest findings during the assessment and up to 10 days after 

Completed as part of L2 assessment

DIBCAC Assessment

Not applicable

Not applicable

  • May perform checks of L2 requirements
  • If any L2 controls are not met, L3 assessment may be paused or terminated
  • Revocation of L2 certification automatically revokes L3 certification

Additional considerations

3rd Party Assessment is still considered a self-assessment

  • No SSP = No assessment
  • No draft documentation allowed
  • If planning for CMMC L3, L2 scope must encompass L3 scope

Where should I start?

  1. Take advantage of our FREE CMMC Level 2 Self Assessment Tool to get an idea of whether or not you meet the assessment criteria for your environment.

  2. Find you need some support to close your compliance gaps? See our Readiness & Remediation services to learn how Hive Systems Defense Solutions can partner with you to achieve CMMC Readiness.

  3. Receive a passing score and think you’re ready for an official assessment? See our C3PAO Assessment page to learn more about our assessment methodology and how we can provide you with a better assessment experience.

Discover more about CMMC with our free materials.

CMMC 101 Guide

Our comprehensive guide to help you understand the history of the Cybersecurity Maturity Model Certification (CMMC) and navigate its requirements in an approachable way.

CMMC Level 2 Self Assessment Tool

Access our FREE CMMC Level 2 Assessment Tool to complete your CMMC Level 2 self assessment. Our free tool will walk you through all the parts of your assessment to obtain your CMMC-required SPRS score and identify gaps and areas for improvement prior to engaging a C3PAO.

Ready to take the next step?

Talk to an expert about CMMC, our services, pricing, or anything else.
