CMMC 2.0 Compliance Consultant & Services


Screen Shot 2022-03-14 at 11.04.21 PM

What is CMMC Compliance?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework most Department of Defense (DoD) contractors will need to implement in the coming years. It’s overseen by the DoD Chief Information Officer (CIO).

CMMC is comprehensive, comprising controls from many regulatory texts. Most of these correspond to protections for the DoD and its stakeholders established in the Defense Federal Acquisition Regulation Supplement (DFARS).

Primary source texts for CMMC have included:

  • FIPS PUB 199
  • NIST SP 800-53
  • NIST SP 800-171
  • NIST SP 800-172

The CMMC was in the early stages of its planned rollout when, in November 2021, the DoD announced major changes to the framework and the implementation of the CMMC program. CMMC 2.0 streamlined the implementation and assessment processes, changing the Maturity Level scheme for all eligible organizations.

Adjustments will be needed for all Defense Industrial Base (DIB) organizations who need to be certified, irrespective of how closely they had followed CMMC guidelines prior to CMMC 2.0. RSI Security has assisted countless DoD contractors’ compliance with DFARS, NIST, CMMC, and other regulations. Our CMMC advisory services will help you navigate the terrain ahead.


Schedule A

What Are CMMC Advisory Services?

CMMC advisory services are designed to help organizations navigate the challenges of scoping, implementation, and assessment to facilitate seamless DoD compliance.

A CMMC 2.0 advisor will help your organization understand the regulatory context and what Level it needs to achieve for current and future CMMC contracts. The advisor will help your organization plan, develop, and/or acquire cybersecurity controls and systems to meet applicable requirements—and implement them efficiently. And, critically, an advisor will help you prepare for and even conduct your official CMMC assessment.

The best CMMC advisors have deep and broad experience with CMMC and NIST implementation. They’ll work with your internal team to develop practices and systems that work with your existing infrastructure. And they’ll empower your decision-makers with complex, real-time data and actionable insights that facilitate compliance at scale.

With respect to assessment, a quality advisor may be needed to perform official CMMC audits at Level 2 (see below). And, for organizations that qualify for self-assessment, an advisor will guide you through every step of the process to ensure swift success.

Download our CMMC 2.0 Datasheet Here


CMMC Levels for 2.0

One of the hallmarks of the CMMC is its tiered approach. Not all CMMC eligible organizations will need to implement the entire framework. For some, a lower Level will suffice. (The requirements and how to verify implementation with assessment will be detailed below.)

Previous versions of the CMMC separated implementation across five Levels. In CMMC 2.0, there will be three.

Here is how they compare to the Levels in the most recent prior version, CMMC v1.02:

CMMC v1.02

Maturity Level 1 – “Basic”
(safeguarding FCI)

Maturity Level 2 – “Intermediate”
(Transition Level)

Maturity Level 3 – “Good”
(protecting CUI)

Maturity Level 4 – “Proactive”
(Transition Level)

Maturity Level 5 – “Advanced”
(CUI and APTs)

CMMC 2.0

CMMC Level 1 – “Foundational”
Parallel to v1.02 Level 1

Transition Level

CMMC Level 2 – “Advanced”
Parallel to v1.02 Level 3

Transition Level

CMMC Level 5 – “Expert”
Parallel to v1.02 Level 5

CMMC 2.0

CMMC Security Requirements for 2.0

CMMC certification Levels and requirements for DoD contractors were clearly established in earlier versions of the CMMC. Which Level an organization needed to reach depending on the kind of information it primarily dealt with and the risk environment surrounding that information.

  • CMMC Level 1 was primarily for FCI
  • CMMC Level 3 focused on protecting CUI
  • CMMC Level 5 targeted APTs to both CUI and FCI

NOTE: These may no longer hold true for CMMC 2.0.

The Levels also had clear Practice thresholds in prior editions, ranging from progressively better “Cyber Hygiene” at CMMC Levels 1–3 and then “proactivity” and “advanced” at CMMC Level 4 and CMMC Level 5, respectively. These drew upon the 171 total CMMC Practices in v1.02, housed in 17 Security Domains and corresponding to 43 Security Capabilities.


Requirements at Levels 1, 2, and 3 in CMMC 2.0 mirror 1, 3, and 5 in v1.02:

  • CMMC 2.0 Level 115 practices
  • CMMC 2.0 Level 2 – 110 Practices, encompassing NIST SP 800-171
  • CMMC 2.0 Level 3 – 110+ Practices, based on NIST SP 800-172

NOTE: Both SP 800-171 and SP 800-172 comprise 14 Requirement Families, which CMMC’s Domains are based on. SP 800-171 has 110 Requirements, and 800-172 has 35. The maximum scope at Level 3 is 145 Practices, but it is not yet finalized.

Download our CMMC Whitepaper: Best Cybersecurity Practices for DoD Contractors


CMMC Certification Requirements for 2.0

CMMC certification assessments for CMMC 2.0 differ for each Level. Organizations at Level 1 require annual self-assessment. Most organizations at Level 2 require triennial third-party assessments, but some qualify for self-assessment. Organizations at Level 3 require triennial government-led assessments. All organizations at Level 2 and Level 3 require annual affirmation in addition to their triennial assessments.

RSI Security’s CMMC blog archive will continue to be updated whenever more information is available about CMMC certification DoD requirements.

The most pertinent information is available here:


CMMC 2.0 Certification FAQs

Achieving Cybersecurity Maturity Model Certification (CMMC) means that an eligible company has implemented CMMC controls (i.e., NIST controls) up to the requisite maturity for their Level and confirmed their security program’s functionality through a self, third-party, or governmental audit.

Organizations subject to the CMMC can achieve and maintain certification by scoping out the requirements for their Level, implementing all required systems and controls, and performing a self, third-party, or governmental audit at the appropriate intervals (annual or triennial).

CMMC certification is required for DoD contractors who create, collect, store, transmit, process, or otherwise come into contact with sensitive data in the form of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The DoD will begin requiring CMMC 2.0 in contracts after the rulemaking period is completed; the rulemaking period began in late 2021 and was estimated to take between nine and 24 months. There is no target implementation date, but it is expected sooner rather than later.

The CMMC Level an organization needs to reach will be established on the specific contract it targets. In general, contracts that involve FCI will require Level 1, while contracts that involve CUI will require Level 2 or Level 3, depending on the amount, variety, and sensitivity of data.

CMMC 2.0 is an important update on prior versions because it streamlines controls, making them more accessible. And CMMC certification—in general—is important because it assures DoD contractors have cybersecurity controls in place to protect sensitive information critical to the safety of the DoD—and, by extension, all Americans domestic and abroad. 

No. ISO 27001 is a robust cybersecurity framework, but it is generalized for use across many industries. CMMC and the NIST frameworks it is based upon require specific controls tailored to the particular kinds of data DoD and government-adjacent organizations most need to protect. 

The DoD projects that costs for CMMC 2.0 will be significantly lower than they were for previous versions. CMMC 2.0 certification costs will depend upon the kind of assessment needed. From self audits to third-party or governmental audits, costs will scale upward with each Level.

Again, the DoD projects that costs for CMMC 2.0 will be significantly lower than they were for previous versions. CMMC 2.0 implementation costs will depend primarily on the amount, variety, and complexity of controls implemented—thus, costs will scale upward with each Level.

Third-party CMMC assessments are conducted by Certified Third Party Assessor Organizations (C3PAOs) or Certified CMMC Assessors. These service providers are vetted and listed by the Cyber AB—formerly, the CMMC Accreditation Body (CMMC-AB). 


How RSI Security Helps You Prepare for CMMC 2.0 Compliance

RSI Security is well positioned to assist your organization in future CMMC assessment and certification procedures. We’re equipped to conduct readiness assessments to determine what implementation will likely entail, along with how to prove eligibility for waivers.

The CMMC Accreditation Body (CMMC-AB) was responsible for CMMC auditor certification for prior versions of CMMC. The CMMC-AB has recognized RSI Security as a Registered Provider Organization (RPO), and our staff includes several Registered Practitioners (RP). RSI Security was also in the final stages of becoming a Certified Third Party Assessor Organization (C3PAO), the only CMMC assessors able to verify CMMC implementation prior to the CMMC 2.0 announcement.

RSI Security has been serving NIST clients for over a decade and has the expertise to navigate any changes and updates to the framework as they develop. Reach out to us to schedule a quick call on what CMMC 2.0 means for your business.


Member of 1Government Procurement Alliance


Organizations that trust RSI Security

Screenshot 2023-10-13 142906

Get started on your CMMC compliance journey. Speak with one of our compliance experts today!