Certifications Under CMMC
Can you self-certify CMMC? The answer is yes, but only if you aim to achieve CMMC Level 1. In all other cases, self-certification is not possible.
CMMC comprises three progressive levels that mandate an increasing number of cybersecurity practices as follows:
- Level 3 (Expert): 110+ practices
- Level 2 (Advanced): 110 practices
- Level 1 (Foundational): 17 practices
The certification process varies by level:
- Level 1: Annual self-assessments
- Level 2: Triennial third-party assessments (for critical national security info) and annual self-assessments (for select programs)
- Level 3: Triennial government-led assessments
CMMC and Self-Certification
You can self-certify compliance with the Cybersecurity Maturity Model Certification, but only for CMMC Level 1.
If you aim to achieve CMMC Level 2 or Level 3, you cannot self-certify.
Remember: CMMC Level 1 is required if you handle Federal Contract Information (FCI).
If you handle Controlled Unclassified Information (CUI), or both CUI and FCI, you must achieve CMMC Level 2 or 3.
Contractors seeking to self-certify Level 1 can refer to the official CMMC Level 1 Scoping Guidance and the CMMC Level 1 Self-Assessment Guide.
Achieving CMMC Level 2 Compliance
For defense contractors, aiming for CMMC Level 2 compliance is a smart move for at least two reasons:
- It makes you eligible for more contracts.
- CMMC Level 2 is aligned with NIST SP 800-171, which you may already be implementing.
To learn more, see our previous post: What CMMC Level Do I Need?
CMMC Level 2 requires third-party assessments conducted by certified Third-Party Assessment Organizations (C3PAOs).
For implementation support and readiness, Registered Provider Organizations (RPOs) like Brea Networks can help.
In short, Brea Networks / CMMC Compliance is the organization to call if you need to implement CMMC and prepare for assessments.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations so they can win and maintain DoD contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063