CMMC Resources

Cybersecurity Maturity Model Certification (CMMC)

A cybersecurity standard designed to protect Controlled Unclassified Information (CUI) across the defense industrial base. CMMC outlines a tiered approach to cybersecurity, requiring contractors to demonstrate practices and processes appropriate to the level of information they handle. This resource page is designed to help you understand the CMMC framework, answer frequently asked questions, and to give your organization access to CMMC tools and guidance.

Once the CMMC Rule goes into effect, DOD solicitations will require a minimum CMMC Status to process, store, or transmit associated sensitive unclassified information. Therefore, the minimum CMMC Status will be required to download CUI documents that are available on the Member’s Only sites.

  • Organizations that hold the minimum CMMC Status will be granted full access to CUI materials.
  • Organizations without the minimum required CMMC Status may be provided with restricted, view-only access to CUI materials.

Defense contractors or subcontractors who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to obtain a CMMC status.

The DOD CIO Resources & Documentation webpage includes detailed scoping and assessment guidance for each of the CMMC levels and assessment types. In general, the steps to achieve any CMMC Status will include:

  1. Identify the CMMC Status you intend to achieve.
  2. Determine the CMMC Assessment Scope applicable to your CAGE code(s) and the desired CMMC Level.
  3. Implement the security requirements corresponding to the desired CMMC Level.
  4. Undergo the appropriate assessment.
  5. Enter your assessment into SPRS or wait for confirmation from your third-party assessor that your score has been submitted.
  6. Affirm your compliance in SPRS.
  7. Maintain continuous compliance with annual affirmations and periodic assessments for the applicable CMMC level.

Yes, while each status has its own set of requirements related to the assessment, the actions below must be completed prior to submitting your CMMC assessment score in SPRS:

  • Obtain an active UEI
  • Register in SAM.gov
  • Add your CAGE Code to the Procurement Integrated Enterprise Environment (PIEE) Vendor Group Structure
  • Review the CMMC Framework and specific status requirements for each CMMC Status

The DD2345 certification does not directly relate to the CMMC model but having a DD2345 ensures several pre-requisites to CMMC compliance have been met. DD2345 certification requires an active Commercial and Government Entity (CAGE) Code, Unique Entity Indicator (UEI) registered in the System for Award Management (SAM) and to have a National Institute of Standards and Technology (NIST) Self-Assessment completed and uploaded to the Supplier Performance Risk System (SPRS). The NIST Assessment are the same requirements that are assessed during an Organization’s CMMC assessment.

  • DD2345: Complete the NIST SP 800-171 R2 with a score of 88 or higher
  • CMMC Level 2: Complete the NIST SP 800-171 R2 with a score of 110

During the application process and throughout the Membership, each Organization will be asked to identify whether or not it has a current CMMC Status. If the organization has a current CMMC Status, it will need to provide a PDF of the organization’s CMMC record from SPRS. The record must include the following information:

  • CMMC Unique Identifier (UID)
  • CMMC Status (Level 1 – Level 3 DIBCAC)
  • CAGE Codes covered by the assessment scope
  • CMMC Status and Affirmation dates

You must be either the Electronic Businessperson in Sam.gov or have been granted the Cyber Vendor / Contract Cyber Vendor Role in PIEE.

For further instructions on registering in PIEE please visit  https://www.sprs.csd.disa.mil/pdf/SPRS_Access_CyberReports.pdf

  1. Access the PIEE Portal
  2. Click the SPRS icon
  3. Select “Cyber Reports (CMMC & NIST)”
  4. Select the appropriate “CAGE & hierarchy combination” from the drop-down list for the location related to your membership
  5. Click “Run Reports”
  6. Select the appropriate tab corresponding to your certification level (CMMC Level 1, CMMC Level 2 Self-Assessment, CMMC Level 2 C3PAO, CMMC Level 3 DIBCAC)
  7. Select the “Details” button under CMMC Unique Identifier (UID)
  8. Expand the “Affirmation Contact(s) and History” drop down.
  9. Select “Save as PDF” to download the document

Want to Learn More? Visit the Government FAQ & Resources pages for additional information →

New 2025 CMMC Webinar Series

ATI, in partnership with Cuick Trac by Beryllium InfoSec, will be hosting a series of six webinars to provide you information regarding the upcoming implementation of the Cybersecurity Maturity Model Certification (CMMC) Program.

Join Our Next CMMC Webinar:

A Lead CCA’s Breakdown of How to Prepare for a Level 2 Assessment

November 19th, 2025 at 1PM ET

Upcoming CMMC Webinars

December 2025 | How an MSP/MSSP Supports FCI & CUI Requirements

January 2025 | Pursuing CUI Contracts for the First Time: Where to Start & What to Know

February 2026 | Understanding the Flow Down Requirement

Most Recent Webinars

With the 48 CFR rule on the horizon, the DoD is preparing to formally integrate CMMC into defense contracts. This webinar provides practical, forward-looking guidance on:

🟣 The current state of CMMC and compliance readiness
🟣 What to expect as 48 CFR is finalized and enforced
🟣 Lessons learned from recent Level 2 assessments
🟣 How OSCs can prepare now—no matter where they are today

View Presentation Here
View Webinar Here

 

 

CMMC Level 2 certification can feel overwhelming, but hearing lessons directly from recent assessments helps cut through the noise. In this session, Katie Dodson, President of Hive Systems Defense Solutions, will share real-world experiences of what led to successful outcomes, as well as where organizations ran into challenges.

Attendees will walk away with:

  • A clear picture of what C3PAOs are looking for during an assessment
  • Success stories vs. common pitfalls and how to avoid them
  • Practical takeaways Organizations Seeking Certification (OSCs), can apply as they prepare for their own certification
View Presentation Here
View Webinar Here
 

6

Part Webinar Series 2024

The series took place between  May 21st, 2024 and was held monthly until November 14th, 2024.
Information, recordings, and presentations of these webinars can be viewed below.

May 21, 2024

A lot has changed since the Cybersecurity Maturity Model Certification (CMMC) program was announced in July 2019. Many businesses subject to DFARS 7012 are confused and worried about certification, budget, and staffing, and so much more.

So what does the future of CMMC hold for government contractors?

Webinar Presentation is Available Here!

June 20, 2024

Protecting CUI starts with scoping. Since not all information is on the same level of sensitivity as CUI, CDI, and CTI, you’ll need to define a scoping boundary around the technology, people, and places that will process, store, or transmit sensitive data.

Paul Netopski, Director of Compliance Advisory for Cuick Trac, and Derek White, Co-founder & Chief Product Officer of Cuick Trac, examine the steps to scoping and why the order of process matters. They also discuss how to determine your infrastructure needs-on-prem, GovCloud or enclave-and how to build this into a continuous compliance program.

Webinar Presentation is Available Here!

July 18, 2024

Since not all data is CUI-related or in scope, data segmentation is a critical step to enclaving.  But not all enclaves are created equal.

Join Jeff Baldwin, D.Sc., Beryllium InfoSec’s Chief Information Security Officer (CISO), and Heather Engel, Managing Partner at Strategic Cyber Partners, to learn the steps to segmentation, plus the pros and cons of enclaving, and which type of enclave takes the burden of configuration, systems administration, data management, audit and reporting, and more out of your team’s hands.

Webinar Presentation is Available Here!

August 28, 2024

As your CMMC compliance efforts get underway, it’s time to look at the Shared Responsibility Matrix.  An SRM gives you clear guidance on who is responsible for each of the 320 assessment objectives.  And while you have the responsibility of providing proof that your organization meets all objectives, what about any vendors you work with?  What’s their responsibility?

Webinar Presentation Available Here!

September 24, 2024

As CMMC becomes closer to reality, there’s lots of buzz and questions regarding the certification process conducted by a CMMC 3rd Party Assessment Organization (C3PAO).  The previous webinars in this series have focused on the specific elements needed to prepare, but what happens during an actual assessment?


Webinar Presentation Available Here!

November 14, 2024

On October 16, 2024, 32 CFR Part 170 was officially added to the Federal Register, making CMMC an official program.  This major milestone will have significant impact on organizations that want to be awarded DoD contracts.

View the presentation slides here!

CMMC Resources

“The CMMC Program helps ensure that DoD contractors and subcontractors comply with DoD requirements to safeguard FCI and CUI.”

Department of Defense, Chief Information Officer

Department of Defense – Presentation Slides on CMMC

CMMC Alignment to NIST Standards

Technical Application of CMMC Requirements

The Supplier Performance Risk System (SPRS)

CMMC Level Determination