CMMC

CMMC Compliance Services

The Cybersecurity Maturity Model Certification 2.0 is expected to be finalized by the Department of Defense in 2023. DoD suppliers will be required to comply with the CMMC requirements by 2025 in order to bid on new DoD contracts and to continue doing business with the DoD. CMMC verifies that your company employs the information security practices needed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CyberCrest applies its proven compliance methodology to help organizations achieve compliance with the model and, ultimately, certification.

Starting your CMMC Journey? Download our Top 5 Tips for Achieving CMMC Compliance!

End-to-End CMMC Compliance Service

CMMC Compliance Methodology

Gap Assessment

CyberCrest will conduct a gap assessment and develop a path towards certification

Remediation Support

CyberCrest will assist in developing documentation and will support control implementation efforts to achieve compliance

Assessment

CyberCrest will conduct an assessment to evaluate CMMC compliance level

Certification Issuance

CyberCrest will provide support for steps leading up to certification issuance

CyberCrest Resources

CMMC Compliance Resources

Related Services

Additional CyberCrest CMMC Services

Risk Assessment

CyberCrest can assist your organization with all of its CMMC risk assessment needs.

Penetration Testing

Our penetration testing services will help your organization achieve a successful certification.

Business Continuity and Disaster Recovery

Our BCP/DR services will help your organization meet CMMC requirements.

Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) is a certification program developed by the Department of Defense (DoD) to ensure that companies entrusted with national security information meet certain cybersecurity standards. The CMMC program builds on the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires contractors to implement the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

CMMC has had two versions: CMMC 1.0 and CMMC 2.0. CMMC 1.0 was released in January 2020, and the DFARS interim rule that began phasing it into contracts followed in September 2020. It established the basic features of the framework: a tiered model, required assessments, and implementation through contract clauses. CMMC 1.0 had five maturity levels, and contractors would have needed certification at the appropriate level to bid on DoD contracts.

CMMC 2.0 was announced by the DoD in November 2021 and introduces several key changes that build on and refine the original program. The revised program aims to safeguard sensitive information to enable and protect the warfighter, enforce Defense Industrial Base (DIB) cybersecurity standards against evolving threats, ensure accountability while minimizing barriers to compliance, and sustain a collaborative culture of cybersecurity and cyber resilience. The model has been streamlined from five maturity levels to three: Foundational (Level 1), with 15 practices drawn from the basic safeguarding requirements of FAR 52.204-21; Advanced (Level 2), with the 110 requirements of NIST SP 800-171; and Expert (Level 3), with those 110 plus a subset of the enhanced requirements in NIST SP 800-172.

CMMC 2.0 is designed to focus on the most critical requirements and is aligned with widely accepted standards, chiefly the National Institute of Standards and Technology (NIST) publications it is built on. The updated program allows companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessment, which reduces assessment costs. It also imposes greater accountability and oversight on the professional and ethical standards of third-party assessors. Companies will be required to comply once the forthcoming rules go into effect; the Department intends to pursue rulemaking both in Title 32 of the Code of Federal Regulations (C.F.R.), which defines the CMMC program itself, and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the C.F.R., which puts the requirement into contracts. Both rules will have a public comment period.

CyberCrest offers a range of CMMC consulting services to help organizations understand and comply with the requirements of the CMMC program, including readiness assessments, gap analysis, policy and procedure development, and implementation support.

CMMC (Cybersecurity Maturity Model Certification) is a framework developed by the Department of Defense (DoD) to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The CMMC framework includes cybersecurity standards that companies entrusted with national security information must implement at progressively advanced levels, depending on the type and sensitivity of the information.

NIST SP 800-171 and DFARS 252.204-7012 ("DFARS 7012"), on the other hand, apply specifically to companies that handle Controlled Unclassified Information (CUI) for the DoD. NIST SP 800-171 specifies the security requirements for protecting CUI in non-federal systems and organizations. DFARS 7012 flows those requirements into the contract, requiring the contractor to implement NIST SP 800-171 on any covered contractor information system, and additionally requires the contractor to report cyber incidents affecting covered defense information to the DoD within 72 hours of discovery.

While NIST SP 800-171 and DFARS 7012 focus specifically on the protection of CUI, CMMC covers Federal Contract Information (FCI) as well as CUI. The larger difference is verification. DFARS 7012 relies on contractor self-attestation, supplemented since 2020 by the NIST SP 800-171 DoD Assessment Methodology scores that contractors post to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and 7020. CMMC adds independent verification: most contracts involving CUI require a Level 2 assessment by an authorized third-party assessment organization, and Level 3 requires a government-led assessment, with only Level 1 and a subset of Level 2 contracts permitted to self-assess.

CMMC also introduces a tiered model with three levels, as opposed to the single set of requirements in NIST SP 800-171 and DFARS 7012, so that the assessment burden scales with the sensitivity of the information a contractor handles. CMMC 2.0 in particular streamlines the model to the most critical requirements and aligns it with the NIST publications, which reduces assessment costs and gives contractors more flexibility in implementation.

Overall, NIST SP 800-171 and DFARS 7012 remain the underlying requirements for companies that handle CUI for the DoD; CMMC does not replace them but adds a tiered model, coverage of FCI, and independent verification that the requirements are actually implemented.

CMMC certification is the process by which an authorized assessor verifies that a company's cybersecurity practices meet the requirements of the Cybersecurity Maturity Model Certification (CMMC) program. A CMMC certification, or at Level 1 and for a subset of Level 2 contracts a self-assessment, is required of Department of Defense (DoD) contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

CMMC certification involves an assessment of a company’s compliance with a set of cybersecurity controls and practices that are mapped to three different maturity levels: Foundational, Advanced, and Expert. CMMC 1.0 had five maturity levels, but CMMC 2.0 streamlined this to three maturity levels. CMMC 2.0 also introduced changes that build on and refine the original program requirements.

Third-party assessments are performed by a CMMC Third-Party Assessment Organization (C3PAO), a company authorized by the CMMC Accreditation Body (CMMC-AB, renamed the Cyber AB in 2022) to conduct CMMC assessments. The C3PAO assesses the company's cybersecurity practices against the requirements of the level the company is seeking and determines whether that level has been met.

Under CMMC 2.0, companies at the Foundational level self-assess their compliance with CMMC requirements, most companies at the Advanced level require a third-party assessment by a C3PAO (a subset may self-assess), and companies at the Expert level require a government-led assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Assessment results are recorded in DoD systems (the CMMC instance of eMASS, from which the resulting CMMC status flows to SPRS); the accreditation body does not issue the certificate itself.

CMMC certification is becoming increasingly important for DoD contractors as the program is being phased in over the next several years. With the release of CMMC 2.0, the DoD is introducing several key changes that build on and refine the original program requirements, such as streamlining the model from 5 to 3 compliance levels and using National Institute of Standards and Technology (NIST) cybersecurity standards.

CyberCrest can help organizations prepare for CMMC certification by providing gap assessments and guidance on implementing the required cybersecurity controls and practices. Additionally, we can help organizations understand and align with the changes introduced in CMMC 2.0 to ensure they are ready for compliance when the rules go into effect.

The Cybersecurity Maturity Model Certification (CMMC) program has specific requirements that defense contractors must meet to receive certification. The CMMC framework was updated with the release of CMMC 2.0 in November 2021, which replaced the previous five-tier system with three maturity levels: Foundational, Advanced, and Expert. Here are the key requirements for each level:

Foundational Level (Level 1):

Focuses on basic cybersecurity hygiene practices that must be in place to protect Federal Contract Information (FCI).
Includes 15 practices, drawn from the basic safeguarding requirements of FAR 52.204-21, covering topics such as access control, identification and authentication, and system and information integrity.
Requires an annual self-assessment and an annual affirmation by a senior company official; no external assessment is required at this level.

Advanced Level (Level 2):

Requires a more mature cybersecurity program that addresses the protection of Controlled Unclassified Information (CUI).
Includes the 110 security requirements of NIST SP 800-171.
Requires, for most contracts, a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between; a subset of Level 2 contracts instead permit a triennial self-assessment.

Expert Level (Level 3):

Requires an advanced and sophisticated cybersecurity program that addresses the protection of CUI against Advanced Persistent Threats (APTs).
Includes all 110 requirements from the Advanced level plus a subset of the enhanced requirements of NIST SP 800-172 (24 under the final 32 CFR Part 170 rule), and presupposes a current Level 2 certification assessment.
Requires a government-led assessment by the DoD's DIBCAC every three years, with an annual affirmation in between.

It is important to note that contractors must achieve the level of certification specified in a solicitation in order to be eligible for that award; CMMC requirements are not optional. Contractors demonstrate compliance through the assessment type prescribed for their level: a self-assessment at Level 1, a C3PAO assessment (or, where permitted, a self-assessment) at Level 2, and a government-led assessment at Level 3.

C3PAO stands for CMMC Third-Party Assessment Organization. In the context of the Cybersecurity Maturity Model Certification (CMMC) program, a C3PAO is an independent organization that has been authorized by the CMMC Accreditation Body (CMMC-AB, now the Cyber AB) to conduct official CMMC assessments of companies seeking certification.

To become a C3PAO, an organization must go through a rigorous accreditation process that includes demonstrating proficiency in conducting CMMC assessments, meeting the ethical and professional standards set forth by the accreditation body, and employing certified assessors. Once authorized, a C3PAO may conduct official Level 2 certification assessments.

The C3PAO plays a critical role in the CMMC program, as it is responsible for verifying that a company's cybersecurity practices and processes meet the requirements of the CMMC level being sought. Companies seeking a Level 2 certification must undergo an assessment conducted by a C3PAO, which determines whether they meet the requirements of that level and records the results in the DoD's CMMC systems.

It is important to note that under CMMC 2.0 the scope of C3PAO work is fixed by level: C3PAOs perform Level 2 certification assessments, while Level 1 is handled by self-assessment and Level 3 is assessed by the DoD's DIBCAC rather than by a C3PAO. CMMC 2.0 also tightens the requirements on C3PAOs themselves, including accreditation to ISO/IEC 17020 (the standard for inspection bodies, which entails a documented quality management system) and adherence to the accreditation body's Code of Professional Conduct by the organization and its individual assessors.