The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements.
Am I ready for a CMMC audit?
What maturity level does my organization need to pursue?
We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only create documentation but also establish continuous monitoring and CMMC Assessment & Gap Analysis.
No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.
CMMC Assessment & Gap Analysis
This is your first step in preparing for CMMC compliance. We will perform a traditional CUI assessment covering all 110 controls in NIST SP 800-171 plus the additional 20 practices required for CMMC Level 3 (130 in total).
Depending on your organization’s infrastructure, we will complete the compliance assessment onsite or through remote access.
Upon completion of the CMMC assessment and gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. We will also deliver an executive-level briefing addressing significant concerns, and we can help build the IT infrastructure needed to maintain your CMMC compliance.
CMMC System Security Plan (Policies & Procedures) Engagement
For organizations that have more robust IT knowledge, we will work alongside their IT department to manage the compliance paperwork and procedures while they implement the CMMC measures.
The SSP Engagement includes writing and maintaining the CMMC System Security Plan (SSP) to meet ML 3.997, ML 2.998, and ML 2.999. We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement also includes quarterly and annual updates.
CMMC 2.0 Three Levels Explained
CMMC 2.0 will replace the five-level model of CMMC 1.0 with three progressively more complex levels of cybersecurity requirements, each keyed to independently established standards (e.g., Federal Acquisition Regulation (FAR) requirements, NIST requirements). The new model will also increase oversight of third-party assessors and eliminate all “maturity” requirements and CMMC-unique practices.
CMMC 2.0’s “Foundational” Level 1 consists of companies that hold only Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
CMMC 2.0’s “Advanced” Level 2 certification is based on the old CMMC “Level 3,” with a bifurcation of “prioritized acquisitions” and “non-prioritized acquisitions” in relation to the sensitivity of Controlled Unclassified Information (CUI) involved.
CMMC 2.0’s “Expert” Level 3 will replace existing Levels 4 and 5. Most notably, acquisitions at this level will require triennial government-led assessments (i.e., not by C3PAOs).
Summary of Key Updates: CMMC 1.0 vs. CMMC 2.0
Source: U.S. Department of Defense Office of the Under Secretary of Defense Acquisition and Sustainment CMMC website: https://www.acq.osd.mil/cmmc/about-us.html
Accelerate Your Advisory Services with Caplock Security:
- We offer a pragmatic, hands-on approach tailored to meet your organization’s individual needs.
- We provide action-oriented recommendations designed to provide time to value in improving your security posture.
- We maximize your investment in Advisory Services through a framework that progresses from Workshops to Advisory Engagements to Security Assessment & Testing Services.
- Our Advisory Services team has decades of global experience with a deep understanding of Governance Risk & Compliance (ISO, NIST), Privacy regulations, and PCI DSS Compliance.