The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended
Examples of CUI
The CMMC consists of 5 Levels of cybersecurity readiness. Theses level range from basic cyber hygiene to advance cyber practices. In total, there are 171 practices that must be met for compliance.
DoD contractors should immediately learn the CMMC's technical requirements and prepare not only for certification, but long-term cybersecurity agility. Details on how the CMMC assessments will be conducted, and how to challenge those assessments, are anticipated soon. DoD contractors that have already started to evaluate their practices, procedures and gaps when the details are finalized will be well-positioned to navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.
Our CMMC preparation services are provided to help you meet the requirements set for by the Department of Defense and CMMC Accreditation Body for the desired certification level. Our offering currently provides consulting up to level CMMC Level 3. Specifically it includes a gap analysis, compliance assessment and policy reviews as applicable. The determination of cost and scope will be based on required level and current security implementation. Other services can be included as required. Additionally, as part of the CMMC preparation we also provide recommendation to help with corrective actions.
We perform a detailed analysis of your current network and compare it with the cyber security controls required in NIST 800-171. We prepare a System Security Plan (SSP) & Plan-of-Action & Milestones (PO&AM) providing documented evidence to the DoD or your Prime that you’re on your way towards compliance. In this phase we also help create any policies and procedures needed to meet the CMMC requirements.
In this step, the items called out in the Plan-of-Action & Milestone (PO&AM) are addressed. Depending on the current state of your IT systems, this can be as simple as implementing multi-factor authentication and security awareness training or as complex as refreshing an entire aging infrastructure.
As part of our guarantee we offer an additional block of hours to be used at the conclusion of the preparation and remediation phases. These hours are used to answered new questions or to ensure changes made after the consulting support your certification success and not hinder it.