Understanding Controlled Unclassified Information
NIST Special Publication 800-171 Requirements
- Access Control: Limit system access to authorized users and restrict what those users can do based on their roles and responsibilities. Implement multifactor authentication for privileged accounts and remote access.
- Awareness and Training: Ensure personnel understand their security responsibilities and can recognize and respond to security threats. Provide regular training on policies and procedures.
- Audit and Accountability: Create and maintain audit logs that enable tracking of user activities and system events. Protect audit information from unauthorized access and modification.
- Configuration Management: Establish and maintain secure baseline configurations for systems and components. Control and document changes to configurations.
- Identification and Authentication: Verify the identity of users, processes, and devices before granting access. Use strong authentication mechanisms appropriate to risk levels.
- Incident Response: Establish procedures for detecting, reporting, and responding to security incidents. Test incident response capabilities periodically.
- Maintenance: Perform regular maintenance on systems while protecting CUI. Control tools used for maintenance and ensure maintenance personnel are authorized.
- Media Protection: Protect physical and digital media containing CUI throughout its lifecycle including storage, transport, and disposal.
- Personnel Security: Screen individuals before granting access to systems containing CUI. Ensure departing personnel no longer have access.
- Physical Protection: Limit physical access to systems and equipment to authorized individuals. Protect facilities and equipment from environmental hazards.
- Risk Assessment: Periodically assess risks to organizational operations, assets, and individuals resulting from the operation of systems that process, store, or transmit CUI.
- Security Assessment: Periodically assess security controls to determine effectiveness. Develop and implement remediation plans for identified deficiencies.
- System and Communications Protection: Monitor and control communications at system boundaries. Implement cryptographic mechanisms to protect CUI during transmission.
- System and Information Integrity: Identify, report, and correct system flaws in a timely manner. Protect systems against malicious code.
DFARS Clause 252.204-7012
Cybersecurity Maturity Model Certification
1. Determine applicable CMMC level: Review current and target contracts to identify required CMMC levels. Level determination depends on information sensitivity and contract criticality. Most contracts involving CUI will require Level 2 certification.
2. Conduct gap assessment: Evaluate current security posture against applicable CMMC practices. Identify gaps between current implementation and required controls. Document findings and prioritize remediation based on risk and timeline.
3. Develop and implement remediation plan: Create detailed plans addressing identified gaps with specific actions, responsibilities, timelines, and resources. Implement remediation systematically, documenting evidence of control implementation.
4. Prepare System Security Plan: Document your security implementation in a comprehensive System Security Plan (SSP) describing how each required control is implemented in your environment. The SSP is essential documentation for assessment.
5. Conduct internal assessment: Perform a self-assessment against CMMC practices to verify remediation effectiveness and readiness for external assessment. Identify and address any remaining gaps before scheduling the third-party assessment.
6. Schedule and complete certification assessment: Engage a CMMC Third-Party Assessor Organization for Level 2 certification, or prepare for a government-led assessment for Level 3. Maintain evidence supporting control implementation throughout the assessment process.