CMMC 2.0 Guide

“CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” – The Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification

What is CMMC 2.0?

The Department of Defense (DoD) has faced numerous security breaches in recent years that targeted sensitive federal data. This led the Department to evaluate the security of its systems and network. It found that the current standards were not enough and that there was a significant need for subcontractors to secure their infrastructure in order to effectively protect federal data when serving projects for the DoD.

The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.

  • FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
  • CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.


CMMC Compliance Consulting

Free CMMC Consultation

SoundWay has been helping the U.S. Government and its business partners for over a decade. To schedule a free CMMC consultation, please contact us at

CMMC 2.0 Compliance Tools and Resources for DoD Contractors and their Subcontractors

Does your Business Require an Independent CMMC Certification?

Out of approximately 200,000 Government Contractors supporting the United States Government, it is estimated that 80,000 will require an Independent Verification and Validation of the CMMC standard. SoundWay’s CMMC Quiz rapidly identifies whether you will require a Certified Third Party Assessor Organization (C3PAO) and what your current readiness is, based on a score.

Download CMMC Checklist


The Cybersecurity Maturity Model Certification (CMMC) has recently changed and is subject to future changes. SoundWay has created a checklist for evaluating your organization’s readiness. This list also includes commonly asked questions about CMMC with answers at no charge.


Download Personnel Security Rubric

Download SoundWay’s Personnel Security Guidance Rubric: Assistance for CMMC Compliance. Our Personnel Security Guidance Rubric is a one-of-a-kind approach for objectively determining how an employee’s background may impact their employment and your business.



Contract language has, and will continue to have, specifications pertaining to the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC). It is important to note that these are NOT the same requirement but have similar objectives. To learn more, download our fact sheet.

CMMC Compliance Levels

With the implementation of CMMC 2.0, the Department of Defense (DoD) has streamlined the CMMC compliance program by classifying requirements into three levels: foundational, advanced, and expert.

NIST SP 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”

While this Special Publication has been around for several years, it is now in its second version, and Version 3 is anticipated for 2023. SoundWay has consolidated the security documents on one page. To learn more about this guidance document as well as the “Assessing Security Requirements for CUI” (800-171A), the CMMC Assessors Guide, and CMMC Scoping Guide, please click the “Learn More” button.

Which CMMC Maturity Level (ML) is right for your business?

The Cybersecurity Maturity Model Certification (CMMC) version 2.0 specifies three levels of maturity, based on your business’s level of involvement with Federal contracts.

Who is required to be CMMC Compliant?

Any business or organization seeking to work within the defense contractor supply chain is required to meet the rigorous standards of the Cybersecurity Maturity Model Certification (CMMC).

Potential Penalties for Non-compliance?

Organizations that do not comply with CMMC standards may be subject to massive penalties and may be ineligible to bid on government contracts. Additionally, contractors will not be allowed to bid on DoD contracts, resulting in lost business.

Cybersecurity Maturity Model Certification (CMMC) News and Information

CMMC 2.0 For Home Based Businesses

Requirements for Home Based Government Contractors: Ever since the Cybersecurity Maturity Model Certification (CMMC) was initiated back in 2019, there have been significant “spirited debates” on what small business owners who operate home based businesses must do....

Incident Response Plan – Emergency Access

With cyberattacks being more pervasive and ransomware at the forefront of the news, ensuring continuity of operations is critical. Your organization’s ability to ensure continuity is dependent on your incident response capabilities. In this short video, you will learn...

Protect CUI with Cybersecurity Best Practices

Understand How to Achieve CMMC Compliance When Handling CUI: In 2019, the Office of Under Secretary of Defense Acquisition and Sustainment (OUSD(A&S)) announced that the Defense Industrial Base (DIB) will have to comply with the new Cybersecurity Maturity Model...

Safeguarding CUI Is Critical Part of CMMC Framework

Protecting CUI with CMMC Framework: The National Archives states, “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies...

CMMC and Cyber Self-Attestation

Cybersecurity Maturity Model Certification (CMMC) ensures minimum protections are met for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Learn more about what these two data types are and how you can begin protecting them for CMMC compliance.
