Achieving CMMC certification for your organization can be a daunting and overwhelming task.
No matter your current state of cybersecurity, to have a clear path forward, the first step must be an in-depth and impartial look at your organization’s cybersecurity. Our CMMC Gap Assessment does precisely that.
A thorough assessment identifies the gaps between your current status and the CMMC requirements for the CMMC Level you want to achieve.
The Department of Defense (DoD) has introduced a new cybersecurity framework standard, the Cybersecurity Maturity Model Certification (CMMC), to unify the requirements placed on DoD contractors. The new standard incorporates NIST SP 800-171, Federal Acquisition Regulation (FAR) clause 52.204-21 and more. It replaces NIST 800-171 as the cybersecurity requirement on DoD RFIs and RFPs.
Most companies that do business with the DoD are required to undergo an assessment by an accredited third-party assessment organization before bidding on a contract or subcontracting to a prime.
The CMMC consists of two parts, each with five maturity levels of certification:
The first part is the Processes: whether policies, standards, and procedures exist, with maturity ranging from Performed (Level 1) to Optimized (Level 5).
The second part is the Practices: a checklist of cybersecurity controls that range from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5).
The DoD requires organizations to meet both the Process and Practice requirements for the level they are trying to achieve. Once a company passes the certification process, it receives a certificate that is valid for three years.
We can help through our CMMC Consulting Service, starting with a CMMC-focused implementation plan today.
Depending on your current cybersecurity status and the CMMC Level you need to achieve, implementing the new standard can take several months. By implementing the requirements and cybersecurity best practices, you will save precious time and get ahead of the curve and competition.
Once the final CMMC standard is released, we will help you make final adjustments and implementations to ensure you are compliant and ready for the certification audit.
See where you stand and which areas you have to address to achieve compliance.
Receive help in achieving compliance and be ready for the CMMC audit. To provide a clear implementation path, we are at your side to support you with documentation, advise on and implement proper controls, monitor, and perform a pre-certification audit.
CMMC Level 1 is the base level of certification and consists of practices that correspond to essential safeguarding conditions in Federal Acquisition Regulation (FAR) clause 52.204-21. It consists of 17 basic cybersecurity practices such as implementing Identity and Authentication and basic Access Controls. Level 1 is all about protecting Federal Contract Information (FCI), and the DoD requires it for anyone obtaining a DoD contract.
The purpose of Level 2 is to create a base level of cybersecurity for any organization that handles Controlled Unclassified Information (CUI) and therefore requires a higher level of security than organizations that only handle FCI. CMMC Level 2 certification requires documented policies for each of the 17 domains covered by the CMMC and documented practices for carrying out the policies in each domain. It also adds a more extensive set of security practices, drawn as a subset of the security requirements in NIST SP 800-171, for a total of 55 practices in addition to those listed in Level 1.
At Level 3, the focus is on building out the base security practices instituted in Levels 1 and 2 and expanding the organization’s overall security. CMMC Level 3 certification requires the organization to establish and maintain a plan for its implementation of CMMC. Currently, the practices encompass all the security requirements in NIST SP 800-171 plus additional practices and standards, for a total of 58 new practices in addition to those listed in Level 2.
If an organization is required to achieve Level 4 certification, the central focus shifts to improving its effectiveness in protecting CUI from Advanced Persistent Threats (APTs). Although it does not add as many new practices as Levels 2 and 3, the practices listed are more involved and arduous to execute and manage. CMMC Level 4 requires that an organization review and measure its practices for effectiveness and implement a subset of enhanced security practices from DRAFT NIST SP 800-171B and other security best practices, for a total of 26 additional practices.
CMMC Level 5 requires organizations to standardize and optimize process implementation across the organization. This level centers on securing CUI from APTs and implements many more high-level security practices. The added practices enhance the depth and posture of the organization’s cybersecurity techniques and consist of an additional 15 practices above CMMC Level 4.
The DoD is working to roll out the CMMC with a target of 10 RFIs and 10 RFPs with CMMC requirements by the end of 2020. While the first steps are expected to take place over the next year, full implementation of the CMMC will be gradually rolled out through 2025 with over half of the prime and subcontractors assessed by 2022. Important dates for the CMMC include:
Our cybersecurity specialists will be on-site to interview managers and investigate your current security posture. You will receive a CMMC gap analysis report that measures the findings of these investigations against the requirements of your target CMMC Level.
Not only will this report give you clarity about your organization’s current standing, but it will also provide general cybersecurity best practices for your company.
Our pricing proposals are entirely transparent, so you will not get any surprises. Take the first step in addressing your information security requirements.
If you would like to speak to our team to discuss your CMMC consultancy, please contact us.