
CMMC Compliance

CMMC and Third-Party Risk Management

On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released v1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed to serve as a single cybersecurity standard for all future DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.

CMMC requires companies achieve third-party certification against cybersecurity and information handling best practices, with that certification eventually determining whether a company can be awarded a contract by the DoD. Meant to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that our entire national defense supply chain is secure and resilient.

All DoD contractors must be certified at one of five levels, from Level 1 (lowest, Basic Cyber Hygiene) to Level 5 (highest, Advanced/Progressive). The levels are based on Federal Acquisition Regulation (FAR) Clause 52.204-21 and on the security requirements for controlled unclassified information (CUI) in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as mandated by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

Although certified auditors (C3PAOs) must assess DoD contractors in order to demonstrate compliance with their target level of certification, companies that are doing, or wish to do, business with the US federal government can assess themselves against the requirements as well.

CMMC Certification Levels Overview

  • Level 1 – Applies to 285,000 DoD contractors and requires that the company report against 17 no-cost controls that are based on good business practices and standard cyber hygiene

  • Level 2 – Transitional level for organizations with the resources to reach for Level 3

  • Level 3 – Applies to contractors that are approved to handle controlled unclassified information (CUI) and requires those companies by law to demonstrate certification against all 110 controls in NIST SP 800-171

  • Levels 4 & 5 – Apply to a very small percentage of all DoD suppliers

Prevalent for CMMC Auditors

CMMC certified auditors can use the Prevalent Third-Party Risk Management Platform with all five levels of CMMC controls questionnaires included.

Prevalent for CMMC Responders

DoD contractors can use the Prevalent Third-Party Risk Management Platform to conduct a CMMC Level 1 pre-assessment prior to the formal audit.

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Meeting CMMC TPRM Requirements

Please see the table below for a summary of the 17 CMMC domains, with their capabilities and the practice numbers required at each level. The Prevalent Third-Party Risk Management Platform has built-in questionnaires for each level, enabling C3PAOs to assess all DoD contractors, and contractors to assess themselves – especially for Level 1 compliance.

CMMC Domain & Capabilities | Practice Numbers by Level of Certification

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Level 1: 1.001, 1.002, 1.003, 1.004
Level 2: 2.005, 2.006, 2.007, 2.008, 2.009, 2.010, 2.011, 2.013, 2.015, 2.016
Level 3: 3.017, 3.018, 3.019, 3.012, 3.020, 3.014, 3.021, 3.022
Level 4: 4.023, 4.025, 4.032
Level 5: 5.024

Asset Management (AM)

  • Identify and document assets
  • Manage asset inventory

Level 3: 3.036
Level 4: 4.226

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Level 2: 2.041, 2.042, 2.043, 2.044
Level 3: 3.045, 3.046, 3.048, 3.049, 3.050, 3.051, 3.052
Level 4: 4.053, 4.054
Level 5: 5.055

Awareness and Training (AT)

  • Conduct security awareness training
  • Conduct training

Level 2: 2.056, 2.057
Level 3: 3.058
Level 4: 4.059, 4.060

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Level 2: 2.061, 2.062, 2.063, 2.064, 2.065, 2.066
Level 3: 3.067, 3.068, 3.069
Level 4: 4.073
Level 5: 5.074

Identification and Authentication (IA)

  • Grant access to authenticated entities

Level 1: 1.076, 1.077
Level 2: 2.078, 2.079, 2.080, 2.081, 2.082
Level 3: 3.083, 3.084, 3.085, 3.086

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared event
  • Perform post-incident reviews
  • Test incident response

Level 2: 2.092, 2.093, 2.094, 2.096, 2.097
Level 3: 3.098, 3.099
Level 4: 4.100, 4.101
Level 5: 5.106, 5.102, 5.108, 5.110

Maintenance (MA)

  • Manage maintenance

Level 2: 2.111, 2.112, 2.113, 2.114
Level 3: 3.115, 3.116

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Level 1: 1.118
Level 2: 2.119, 2.120, 2.121
Level 3: 3.122, 3.123, 3.124, 3.125

Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

Level 2: 2.127, 2.128

Physical Protection (PE)

  • Limit physical access

Level 1: 1.131, 1.132, 1.133, 1.134
Level 2: 2.135
Level 3: 3.136

Recovery (RE)

  • Manage backups
  • Manage information security continuity

Level 2: 2.137, 2.138
Level 3: 3.139
Level 5: 5.140

Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk
  • Manage supply chain risk

Level 2: 2.141, 2.142, 2.143
Level 3: 3.144, 3.146, 3.147
Level 4: 4.149, 4.150, 4.151, 4.148
Level 5: 5.152, 5.155

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

Level 2: 2.157, 2.158, 2.159
Level 3: 3.161, 3.162
Level 4: 4.163, 4.164, 4.227

Situational Awareness (SA)

  • Implement threat monitoring

Level 3: 3.169
Level 4: 4.171, 4.173

Systems and Communication Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

Level 1: 1.175, 1.176
Level 2: 2.178, 2.179
Level 3: 3.177, 3.180, 3.181, 3.182, 3.183, 3.184, 3.185, 3.186, 3.187, 3.188, 3.189, 3.190, 3.191, 3.192, 3.193
Level 4: 4.197, 4.228, 4.199, 4.202, 4.229
Level 5: 5.198, 5.230, 5.208

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Level 1: 1.210, 1.211, 1.212, 1.213
Level 2: 2.214, 2.216, 2.217
Level 3: 3.218, 3.219, 3.220
Level 4: 4.221
Level 5: 5.222, 5.223

Prevalent and the CMMC

CMMC certified auditors can leverage the Prevalent Third-Party Risk Management Platform with built-in questionnaires to assess all five levels of CMMC certification. With this access, certified auditors can:

  • Invite clients into the Prevalent platform to complete their standardized control assessment in an easy-to-use, secure tenant
  • Automate chasing reminders to clients to reduce the time required to complete assessments
  • Centralize supporting documents submitted as evidence of the presence of controls
  • View a single register of risks raised depending on how the client responds to the questions
  • Issue remediation recommendations for failed controls
  • Deliver customized reporting on the current level of compliance, demonstrating the risk-reducing impact of the application of future controls

Any DoD contractor can conduct a Level 1 pre-assessment prior to the formal audit to:

  • Assess against the 17 controls required to measure Level 1 compliance
  • Upload documentation and evidence to support answers to questions
  • Gain visibility into current compliance status
  • Leverage built-in remediation guidance to address shortcomings prior to your formal audit
  • Produce reporting to measure compliance for auditors