DoD Publishes CMMC Assessment Guides for Level One and Level Two Assessments
The Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) assessment guides for level one and level two assessments. The guides detail how contractors' networks will be inspected so that they can continue earning contracts. These two levels cover most DoD contractors. Level one is a self-assessment, while level two requires some third-party assessments. The level two assessment guide contains far more security controls and is aimed at assessors who are certified to validate contractor compliance. The level three guide is still under development.
The guides list the controls to test, the assessment objectives, and potential assessment methods, and include a discussion of the controls. Inspections will require documentation and other forms of evidence to demonstrate that security controls are being met, to ensure that cybersecurity practices are not only compliant but mature. The DoD is working through the rulemaking process to add the requirement to contracts in the coming years. Scoping documents have also been published for the level one and level two assessments.
More information can be found here:
Level 1 Guide: https://www.acq.osd.mil/cmmc/docs/AG_Level1_V2.0_Final_20211210.pdf
Level 1 Scope Guide: https://www.acq.osd.mil/cmmc/docs/Scope_Level1_V2.0_FINAL_20211203.pdf
Level 2 Guide: https://www.acq.osd.mil/cmmc/docs/AG_Level2_MasterV2.0_FINAL_202112016.pdf
Level 2 Scope Guide: https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211203.pdf