Compliance


4 Steps To Identify Your Current CMMC Level

07/2024

5 min read

Introduction

Navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC) can be daunting for any organization doing business with the Department of Defense (DoD). Whether you are a long-time contractor or trying to get your first DoD contract, understanding your current CMMC level is a crucial part of your compliance journey. This blog outlines the top four easiest ways to assess your current CMMC level. From reviewing your existing contracts to evaluating future business goals, it provides a clear roadmap to help you identify your current position so you can start taking steps towards becoming compliant.

Steps to identifying your current CMMC level

To determine your company’s CMMC level, it’s important to consider your existing contracts, any attestations or questionnaires your company has submitted to customers, the markings of the documents and data your company has received, and future business goals.

01. Search your existing contracts - If any of your existing contracts include DFARS clause 252.204-7012, you must meet the Level 2 requirements because you’re handling CUI data.
02. Search for questionnaires or cybersecurity attestations - See what you’ve received from customers.
03. Look at the data you receive from your customers - Is any of it marked as CUI or ITAR? CUI data is very often inconsistently labeled across the DoD and prime customers. If you have data or documents marked as CUI, you are almost certain to be CMMC Level 2. ITAR is a form of CUI - if you handle ITAR data, you are likely CMMC Level 2.
04. Evaluate business goals and future contracts - Are you planning on growing your business to do more work that might include these requirements? We work with a lot of small but growing businesses that may not handle these requirements today but will likely go after contracts that do in the next 12-18 months. If this sounds like your company, reference the CMMC timeline section to understand more about the time it takes to prepare for these requirements.

How to identify your CMMC level?

If your current contract includes DFARS 7012 or NIST 800-171 requirements, or you are handling CUI data, you are at a minimum CMMC Level 2. If you don’t have these requirements, you are likely CMMC Level 1.

Conclusion

Understanding and identifying your current CMMC level is an essential step for any business working with or aspiring to work with the Department of Defense. By following the four steps outlined in this blog—reviewing existing contracts, searching for questionnaires or attestations, examining the data you’ve received, and evaluating your business's future goals—you can determine your CMMC level. If you’re still having trouble identifying your current CMMC level, feel free to schedule a time to talk to one of our cybersecurity experts.
