CMMC RESOURCES 

Achieving CMMC for DOD Contracting

Achieving Cybersecurity Maturity Model Certification (CMMC) is essential for Maryland Department of Defense (DoD) contractors and subcontractors. Below is a curated list of resources, including organizations offering financial assistance and support for CMMC compliance.  You can also download the list HERE. 

1. Maryland Defense Cybersecurity Assistance Program (DCAP)

• Description: Established in 2018, DCAP assists Maryland defense contractors with CMMC preparation, including gap analysis, System Security Plan (SSP) development, and Plan of Action and Milestones (POAM) creation.

• Financial Assistance: Maryland Manufacturing Extension Partnership (Maryland MEP) offers funding to qualifying Maryland manufacturers to offset costs associated with NIST 800-171/CMMC preparation and employee training.

• Contact: Sara Keith at skeith@mdmep.org  

• More Information: Maryland MEP Defense Cybersecurity Assistance Program

2. Johns Hopkins University Applied Physics Laboratory (JHU APL)

• Description: JHU APL provides a collection of government resources related to CMMC and cybersecurity, offering guidance to contractors seeking compliance.  

• More Information: JHU APL CMMC Resources 

3. Buy Maryland Cybersecurity (BMC) Tax Credit

• Description: The BMC Tax Credit incentivizes Maryland companies to purchase cybersecurity technologies and services from qualified Maryland cybersecurity providers, potentially reducing the financial burden of CMMC compliance.

•  Financial Assistance: Qualified Maryland companies may claim up to $50,000 in tax credits annually for eligible cybersecurity purchases.  

• More Information: Buy Maryland Cybersecurity Tax Credit
   

4. Defense Acquisition University (DAU)

• Description: DAU offers free and low-cost training modules on cybersecurity basics and compliance, tailored for DoD contractors and subcontractors.  

• More Information: DAU Training Resources

5. Maryland Business Express – Government Contracting Resources

• Description: Maryland Business Express provides information on government contracting, including insights into CMMC and its implications for businesses.  

• More Information: Maryland Business Express – Government Contracting

6. Project Spectrum

• Description: Project Spectrum is a Department of Defense initiative offering cybersecurity tools, training, and best practices to help small and medium-sized businesses improve their cybersecurity posture and comply with CMMC requirements. Create a free account on Project Spectrum to perform a readiness check. This will allow you to assess your readiness to meet the requirements.

• More Information: Project Spectrum

7. CMMC Information Institute

• What It Offers: Free and affordable templates, training videos, and resources for small businesses.

• Best For: Subcontractors on a tight budget seeking practical and actionable training materials.

• More Information: CUI Institute

8.  National Institute of Standards and Technology (NIST)

• What It Offers: Free guidance on implementing NIST SP 800-171 controls, which are foundational to CMMC, and detailed resources on cybersecurity practices.  Best For: Understanding technical requirements and best practices for CMMC.

• More information: NIST

Other Resources

• Cybersecurity Maturity Model Certification

• Cybersecurity Resources

• Supplier Performance Risk System (SPRS)

• Assessment & Auditing Resources

• Resources for Manufacturers

• Small Business Cybersecurity

Determining Required CMMC Levels: The CMMC framework comprises three maturity levels, each corresponding to the sensitivity of information handled and the associated cybersecurity practices:  

​

1. Level 1 (Foundational):

• Description: Focuses on basic safeguarding of Federal Contract Information (FCI).  

• Who Needs It: Contractors that handle FCI but not Controlled Unclassified Information (CUI).
   

2. Level 2 (Advanced):

• Description: Centers on protecting Controlled Unclassified Information (CUI).  

• Who Needs It: Contractors that handle CUI, requiring more stringent security measures.  
   

3. Level 3 (Expert):

• Description: Involves advanced cybersecurity practices for protecting CUI, including additional controls from NIST SP 800-172. 

• Who Needs It: Contractors involved in critical national security information and operations.  

• Practices: 110+ practices, including a subset from NIST SP 800-172.  

How to Determine Your Required CMMC Level:

• Review Contract Requirements: Examine your current DoD contracts to identify specified CMMC levels.

• Assess Information Handled: Determine whether your organization processes FCI, CUI, or critical national security information.  

• Consult with DoD Representatives: Engage with your DoD contracting officer or representative to clarify required CMMC levels based on your contractual obligations.

• Seek Professional Guidance: Speak to your APEX Accelerator Counselor for assistance. Consider consulting with cybersecurity experts or organizations specializing in CMMC compliance to accurately assess your required certification level.

CMMC EDUCATIONAL VIDEOS

CMMC Prep

Essential CMMC Compliance 

The Maryland APEX Accelerator is not liable for any business transactions with other organizations; please conduct your due diligence before engaging their services.