CMMC 2.0 Guide
“CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” – The Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification
What is CMMC 2.0?
The Department of Defense (DoD) has faced numerous security breaches in recent years that targeted sensitive federal data. This led them to evaluate the security of their systems and network. They found that the current standards were not enough and that there was a significant need for subcontractors to secure their infrastructure in order to effectively protect federal data when serving projects for the DoD.
The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
- FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
- CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.

Free CMMC Consultation
SoundWay has been helping the U.S. Government and its business partners for over a decade. To schedule a free CMMC consultation, please contact us at CMMC@soundwayconsulting.com
CMMC 2.0 Compliance Tools and Resources for DoD Contractors and their Subcontractors
Does your Business Require an Independent CMMC Certification?
Out of approximately 200,000 Government Contractors supporting the United States Government, it is estimated that 80,000 will require an Independent Verification and Validation of the CMMC standard. SoundWay’s CMMC Quiz rapidly identifies if you will require a Certified Third Party Assessor Organization (C3PAO) and what is your current readiness based on a score.
Download CMMC Checklist
The Cybersecurity Maturity Model Certification (CMMC) has recently changed and is subject to future changes. SoundWay has created a checklist for evaluating your organization’s readiness. This list also includes commonly asked questions about CMMC with answers at no charge.
Download Personnel Security Rubric
Download SoundWay’s Personnel Security Guidance Rubric; Assistance for CMMC Compliance. Our Personnel Security Guidance Rubric is a one-of-a-kind approach for objectively determining how an employee’s background may impact their employment and your business.
DFARS vs. CMMC
Contract language has and will have in the future, specifications pertaining to Defense Federal Acquisition Regulations Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC). It is important to note these are NOT the same requirement but have similar objectives. To learn more, download our fact sheet.
CMMC Compliance Levels
With the implementation of CMMC 2.0, The Department of Defense (DoD) has streamlined the CMMC compliance program by classifying requirements into three levels: foundational, advanced, and expert.
NIST SP:800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”
While Special Publication has been around for several years, it is now in its second version and Version 3 is anticipated for 2023. SoundWay has consolidated the security documents in one page. To learn more about this guidance document as well as the “Assessing Security Requirements for CUI” (800-171A), the CMMC Assessors Guide, and CMMC Scoping Guide, please click the “Learn More” button.
Which CMMC Maturity Level (ML) is right for your business ?
The Cybersecurity Maturity Model Certification (CMMC) version 2.0 specifies three levels of maturity. Based on your businesses level of involvement with Federal contracts.
Who is required to be CMMC Compliant?
Any business or organization seeking to work within the defense contractor supply chain is required to meet the rigorous standards of the Cybersecurity Maturity Model Certification (CMMC).
Potential Penalties for Non-compliance?
Organizations that do not comply with CMMC standards may be subject to massive penalties and ineligible to bid on government contracts. Additionally, contractors will not be allowed to bid on DoD Contracts resulting in lost business.
Cybersecurity Maturity Model Certification (CMMC) News and Information
In the Land of CMMC When Does Level 1 Require Level 2?
Level 1 – More Problematic than You may Think As we rapidly conclude 2022, that would indicate that 2023 is about to commence. So what is so special about 2023? If you take a walk with me back to late 2021, when the Cybersecurity Maturity Model Certification (CMMC)...
State of the GovCon Union
Preamble My fellow Americans … for the 18th year, October has been designated National Cybersecurity Awareness Month. In that time, we have seen exceptional innovation in technologies which have allowed us to create next-generation aircraft and offensive platforms...
CMMC 2.0 For Home Based Businesses
Requirements for Home Based Government Contractors Ever since the Cybersecurity Maturity Model Certification (CMMC) initiated back in 2019, there has been significant “spirited debates” on what do small business owners who operate home based businesses must do....
Incident Response Plan – Emergency Access
With cyberattacks being more pervasive and ransomware at the forefront of the news, ensuring continuity of operations is critical. Your organization’s ability to ensure continuity is dependent on your incident response capabilities. In this short video, you will learn...
Phishing campaigns target corporate emails. True, but they also target your personal emails and phones.
The past few months have been quite challenging in terms of ransomware. The United States had a pipeline completely shut down for several days, an international meat distribution point caused beef and chicken prices to skyrocket, and most recently Kaseya – who...
Incident Response Plan Test Think You’re Ready? I did……..
Conducting a test of one’s incident response plan is required under both the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information” (NIST SP:800-171) Section 3.6.3 and the Cybersecurity Maturity...
Protect CUI with Cybersecurity Best Practices
Understand How to Achieve CMMC Compliance When Handling CUI In 2019 The Office of Under Secretary of Defense Acquisition and Sustainment (OUSD(A&S)) announced that the Defense Industrial Base (DIB) will have to comply with the new Cybersecurity Maturity Model...
Safeguarding CUI Is Critical Part of CMMC Framework
Protecting CUI with CMMC Framework The National Archives states, “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies...
CMMC and Cyber Self-Attestation
Cybersecurity Maturity Model Certification (CMMC) ensures minimum protections are met towards the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Learn more about what these two data types are and how you can begin protecting them for CMMC compliance.