What are the requirements for CMMC compliance?
Level 1 is manageable. It consists of 15 basic security requirements that your business should already be practicing. And you can be certified by completing an annual self-assessment. Every defense contractor handles FCI and must therefore practice CMMC Level 1.
Level 2 requires focused effort to achieve. There are 110 requirements that align with NIST SP 800-171. NIST emphasizes that it is important to work with a qualified consultant to achieve compliance at this level. Most small businesses with defense contracts handle CUI and must practice CMMC Level 2. At this level, you must be assessed by a CMMC Third-Party Assessment Organization (C3PAO) every three years.
Level 3 applies to select prime contractors and involves a government-led assessment every three years. Most defense contractors will not be subject to CMMC Level 3.
Who can perform a CMMC assessment?
CMMC assessments are completed by a CMMC Third-Party Assessment Organization (C3PAO).
Level 2 assessments must be performed by a Certified CMMC Assessor (CCA). Only US citizens can be on the assessor team.
The company you hire as your Registered Practitioner Organization (RPO) cannot also act as your C3PAO. An individual who acts as your Registered Practitioner (RP/RPA) cannot be one of your assessors.