This brief guide explains some of the essential items required for CMMC compliance:

System Security Plan (SSP)

Our CMMC 2.0 LevelUp process involves creating a System Security Plan (SSP) document that details each security control and tool your organization uses to protect its information systems, especially those handling sensitive data. Our team of Certified CMMC Professionals and Registered Practitioners has extensive experience in implementing tailored plans and delivering the necessary System Security Plan (SSP) for your organization.

Most organizations that handle sensitive data, including Controlled Unclassified Information (CUI) belonging to the U.S. government, need a System Security Plan (SSP) both to comply with cybersecurity regulations and to strengthen their security posture. Organizations that typically require an SSP include:

  • Defense contractors and subcontractors

  • U.S. government agencies and their contractors

  • Defense Industrial Base (DIB) firms managing CUI to satisfy CMMC Level 2 requirements.

  • Cloud service providers (CSPs) seeking FedRAMP authorization.

  • Organizations with DoD contracts to meet DFARS clauses.

  • Other organizations handling sensitive data that want to demonstrate robust security practices.

Supplier Performance Risk System (SPRS) Assessment Score

SPRS is the DoD system that holds supplier performance and risk data used during procurement. For CMMC purposes, the relevant entry is the NIST SP 800-171 assessment score. Under the DoD Assessment Methodology, a contractor starts at 110 (one point for each of the 110 requirements) and subtracts 1, 3, or 5 points for every requirement that is not fully implemented, depending on the weight assigned to that requirement, so the possible score ranges from -203 to 110. SPRS also stores other supplier data, such as quality and delivery performance, but those records are separate from the NIST SP 800-171 score.


NIST SP 800-171 Assessment

A NIST SP 800-171 assessment evaluates how effectively an organization protects Controlled Unclassified Information (CUI) against the security requirements set out in NIST Special Publication 800-171, which was developed by the National Institute of Standards and Technology (NIST). The assessment establishes the organization's current security posture and identifies areas for improvement. It is especially important for contractors that handle CUI for the U.S. Department of Defense (DoD) or other federal agencies, because compliance with these requirements is a condition of their contracts.


According to NIST:

"Compliance with NIST standards is levied as contractual requirements through inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. CMMC requirements result in a contractor self-assessment, or a third-party assessment by a CMMC Third Party Assessor Organization (C3PAO), to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements."

Registered Practitioner Organization (RPO)

A Registered Practitioner Organization (RPO), such as CTI – Continental Technologies, Inc., can help your organization achieve CMMC compliance. Our services include:

  • Preparing organizations to meet the requirements of CMMC 2.0 and NIST SP 800-171. For more information, please visit the official Cyber AB CMMC website and the NIST website.

  • Assisting federal contractors in complying with Federal Acquisition Regulation (FAR) Clause 52.204-21, which covers the implementation of basic cybersecurity controls for CMMC Level 1.

  • Conducting gap analyses to identify weaknesses in cybersecurity practices against the requirements of DFARS 252.204-7012, which governs the protection of Controlled Unclassified Information (CUI), and FAR Clause 52.204-21, which governs Federal Contract Information (FCI).

  • Collaborating with organizations to create a roadmap for compliance, address gaps, and build effective security architecture.


Important Information on the Ongoing Development of CMMC

CMMC requirements were first introduced in 2020 and are being phased in over time. The DoD's final CMMC program rule began a three-year phased rollout in November 2025: Level 1 self-assessments are required in the first phase, with Level 2 certification assessments by a C3PAO and Level 3 assessments added in later phases. Contractors should therefore expect new DoD solicitations from 2026 onward to require at least a Level 1 self-assessment (Level 1 is a self-assessment, not a third-party certification).

CMMC continues to evolve (for example, from CMMC 1.0 to 2.0), and requirements may change as new threats and best practices emerge. Stay informed about current CMMC requirements and plan for ongoing compliance; CTI can help you build a timeline for it.

What Our Clients Say

"A local engineering company has been partnered with CTI for nearly two decades for assistance in our networking needs, and this relationship is ongoing today. Currently, they are leading us to compliance in cybersecurity requirements being flowed down from the government. They have been instrumental in compliance with NIST 800-171 as well as DFARS. Their people have a great understanding of security measures and translating what that means to our business while keeping business running. Our account managers have been professional and responsive. We look forward to many more years with CTI as our partner for IT solutions."

Have a question about CMMC?

We would love to hear from you! Contact CTI and we will get in touch with you shortly.