Page 188 - Cyber Defense eMagazine Annual RSA Edition for 2024

with robust defenses against cyber threats. Once the CMMC 2.0 rule is formally published and takes effect, it
            will be the mandated framework for contractors seeking Department of Defense contracts that involve
            FCI or CUI.

            What sets CMMC apart is its comprehensive approach, which goes beyond checkbox compliance. It
            builds on NIST SP 800-171 and NIST SP 800-172 and draws on the NIST Cybersecurity Framework (CSF)
            and industry-leading practices. CMMC assesses a business's cybersecurity program as a whole,
            checking that critical controls are actually implemented and, through flow-down to subcontractors,
            safeguarding the integrity of the supply chain.

            CMMC 2.0 certification has three levels:

               •  Level 1 (Foundational) is for companies that handle Federal Contract Information (FCI) but
                   not Controlled Unclassified Information (CUI); it covers the basic safeguarding requirements
                   of FAR 52.204-21.
               •  Level 2 (Advanced) is for any company that stores, processes, or transmits CUI, whether in
                   electronic or paper form. Its requirements are the 110 requirements of NIST SP 800-171.
               •  Level 3 (Expert) adds a subset of the enhanced requirements of NIST SP 800-172 on top of
                   Level 2, for contractors whose CUI is a target of advanced persistent threats.

            When it appears in awarded contracts, it will be invoked as DFARS clause 252.204-7021.



            What is NIST SP 800-171?

            NIST SP 800-171 is short for National Institute of Standards and Technology Special Publication 800-
            171.

            Complying with NIST SP 800-171 is a requirement for DoD prime contractors, their subcontractors,
            and any service provider in the downstream supply chain that handles CUI; the requirement flows
            down through DFARS clause 252.204-7012. Not complying with NIST SP 800-171 doesn't just mean
            you're practicing poor cybersecurity; it also means you're falling behind your competitors. Some of
            your customers may have already asked whether you are compliant, and if they haven't yet, they will.

            NIST SP 800-171 specifies the security requirements for nonfederal organizations that store, process,
            or transmit CUI as part of their work with federal agencies. The five functions often used to organize
            a program (identify, protect, detect, respond, and recover) come from the NIST Cybersecurity
            Framework rather than from SP 800-171 itself; they are a sensible way to structure an information
            security program that protects CUI and mitigates cyber risk, but a self-assessment is scored against
            the SP 800-171 requirements, which are grouped into 14 families.

            NIST SP 800-171 (Revision 2, the version the DoD assessment methodology scores against) consists of
            110 security requirements grouped into 14 families: Access Control, Awareness and Training, Audit and
            Accountability, Configuration Management, Identification and Authentication, Incident Response,
            Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security
            Assessment, System and Communications Protection, and System and Information Integrity. The
            companion NIST SP 800-171A breaks the 110 requirements into 320 assessment objectives, all of which
            must be met for a requirement to count as implemented. NIST SP 800-171 is a contractual requirement
            to protect and safeguard CUI for the DoD, the General Services Administration (GSA), and the
            National Aeronautics and Space Administration (NASA).

            Your NIST SP 800-171 self-assessment score (the DoD Assessment Methodology score that is reported
            in the Supplier Performance Risk System, SPRS) starts at 110 points. Each of the 110 requirements
            carries a weight of 1, 3, or 5 points. A requirement you have fully implemented costs nothing; for
            each requirement you have not implemented, its weight is subtracted from the 110. Your score can range
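The scoring rule is simple enough to implement and check. The Python below is an added example, not code from the article or from the DoD: it starts at 110, subtracts the weight of every unimplemented requirement, and also applies the partial-credit rule that the DoD Assessment Methodology allows for exactly two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography, which deduct 3 instead of 5 when partially met), a rule the article does not mention. The weight table is an illustrative subset of eight requirements (assumed values; confirm each against Annex A of the methodology before relying on it), and the findings are constructed. It also refuses to score an incomplete assessment, because an unassessed requirement is not an implemented one.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at 110 and subtract the weight (1, 3 or 5) of every
requirement that is not implemented.

Added example, not code from the article or from DoD. WEIGHTS is an
illustrative subset of the 110 requirements (assumed values; confirm each
against Annex A of the methodology). SAMPLE_FINDINGS is constructed.
"""
from dataclasses import dataclass

MAX_SCORE = 110

# Requirement id -> weight. Illustrative subset with assumed values.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect confidentiality of CUI at backup locations
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# The methodology grants partial credit on exactly two requirements:
#   3.5.3   - MFA in place for remote and privileged users but not general users
#   3.13.11 - encryption in place but the module is not FIPS-validated
# Both deduct 3 points instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: str


def deductions(findings, weights=WEIGHTS):
    """Return [(requirement, points_deducted)] for every finding that costs points.

    Raises if a requirement is unknown or assessed twice, a status is invalid,
    partial credit is claimed where the methodology does not allow it, or any
    in-scope requirement was left unassessed.
    """
    seen = set()
    out = []
    for f in findings:
        if f.requirement not in weights:
            raise KeyError(f"unknown requirement {f.requirement}")
        if f.requirement in seen:
            raise ValueError(f"{f.requirement} assessed more than once")
        seen.add(f.requirement)
        if f.status == IMPLEMENTED:
            continue
        if f.status == NOT_IMPLEMENTED:
            out.append((f.requirement, weights[f.requirement]))
        elif f.status == PARTIAL:
            if f.requirement not in PARTIAL_DEDUCTION:
                raise ValueError(f"no partial credit allowed for {f.requirement}")
            out.append((f.requirement, PARTIAL_DEDUCTION[f.requirement]))
        else:
            raise ValueError(f"bad status {f.status!r} for {f.requirement}")
    missing = set(weights) - seen
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return out


def score(findings, weights=WEIGHTS):
    """Self-assessment score: 110 minus all deductions."""
    return MAX_SCORE - sum(points for _, points in deductions(findings, weights))


def minimum_score(weights=WEIGHTS):
    """Floor if nothing is implemented. With the full 110-requirement table
    (total weight 313) this is 110 - 313 = -203."""
    return MAX_SCORE - sum(weights.values())


# Constructed findings for the illustrative subset.
SAMPLE_FINDINGS = [
    Finding("3.1.1", IMPLEMENTED),
    Finding("3.1.2", NOT_IMPLEMENTED),  # -5
    Finding("3.1.3", NOT_IMPLEMENTED),  # -1
    Finding("3.3.1", IMPLEMENTED),
    Finding("3.5.3", PARTIAL),          # -3: MFA not yet rolled out to general users
    Finding("3.8.9", NOT_IMPLEMENTED),  # -1
    Finding("3.13.11", PARTIAL),        # -3: TLS in use, module not FIPS-validated
    Finding("3.14.1", IMPLEMENTED),
]

if __name__ == "__main__":
    for req, pts in deductions(SAMPLE_FINDINGS):
        print(f"{req:8} -{pts}")
    print("score:", score(SAMPLE_FINDINGS))  # 97 for the constructed findings
```

The point of the completeness check is worth stating: a score is only meaningful when all requirements in scope have a recorded status, so the scorer raises rather than silently treating a missing row as implemented. For a real assessment the table must hold all 110 requirements with the weights from the methodology, at which point the floor returned by `minimum_score()` is -203.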





